Slashdot Mirror


LinuxPPC Autostart Worm

JD Fant alerted us to an article appearing over at MacInTouch that claims that the new R5 of LinuxPPC was released with a benign worm on it. Apparently it can't spread, but it is there (the page has comments from Jason Haas).

6 of 51 comments

  1. Re:Some nitpicking by craw · · Score: 2

    Huh? You still have finals at this time of the year? I would like to think that you folks in the valley should be working in the fields by now.:-)

    Thanks for your info on the gpl and redhat; I should have known that. Perhaps, it may be that RedHat==Linux, so that LinuxPPC used this to gain acceptance. However, I keep thinking that this was an arrangement so that RedHat would maintain/update their installer for the PowerPC chip. Note: the mac end installer for R5 is entirely different than the RedHat installer. The new LinuxPPC Linux installer is okay, but it doesn't seem to have the same level of fine-tuning control that the RedHat installer has.

    This is a dangerous post as I am still working on this new release. Perhaps I should keep my ignorant mouth shut until I am more informed about this. However, this is /. I'll swallow my pride for more info (this is more like Ask Slashdot).

  2. Autostart Information by blukens · · Score: 3

    A few people asked how it can be a worm if it doesn't actually spread.

    First some background, way back when (sometime in '95) Apple introduced a new autostart feature to QuickTime. If you've used win95 you probably know how this works, you pop in a CD and it automatically launches an application for you.

    According to http://developer.apple.com/qa/qtpc/qtpc12.html, Apple's implementation works like this: the developer puts the autostart application's file name in a magic place in the first few blocks of the drive. When the drive is mounted and the AutoStart feature is enabled (it's a simple check-on, check-off feature) the application launches.

    The Worm is simply an autostart application that copies itself to the startup drive so that it is launched at every boot, and then proceeds to copy itself to every mounted partition (hard drives, zip drives, network drives, etc.) about every 30 minutes and enables the autostart blocks on those volumes. After infecting the other volumes, it goes about your system overwriting various files with random data.

    Anyway, I believe the Linux PPC CD contains the AutoStart Worm application but the CD doesn't contain the blocks that actually tell QuickTime to launch it. You also can't accidentally launch it because the file is hidden, meaning you have to use a separate utility, not the Finder, to even see that it's there.

    There are 3 names that the various strains of the Worm use for the autostart application filename. This is what the antivirus software looks for, and what they find.

    Well, that's about all I know on the issue. Perhaps more than any of you wanted, but I find this kinda thing interesting. I am kinda curious why we haven't seen a similar worm taking advantage of the Windows 95 autostart feature...

  3. Thank God by Skyshadow · · Score: 2

    Thank God they caught it in time; this would be really embarrassing if it blew up with all the rippin' on Microsoft we've been doing lately =)

    Seriously, though; I think it speaks to the power of open source software that this was caught before it spread too badly...

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.

  4. Update on AutoStart bug on R5 discs by Anonymous Coward · · Score: 3

    This was posted not long ago
    start"

    Subject: Update on AutoStart bug on R5 discs
    Date: Tue, 15 Jun 1999 15:24:39 -0400
    From: Jason Haas
    Organization: LinuxPPC Inc.
    Newsgroups: comp.os.linux.powerpc

    We have concluded that the AutoStart worm cannot spread from R5 CDs to users. No one has reported being infected by the discs, and several people have reported that having the disc in the machine does not cause their machine to become infected.

    When we burned the master CD, we used the Linux program mkhybrid, and did not activate the auto-start option. We believe this prevents the worm from spreading to new machines from the disc.

    We will have a new pressing of the disc available in about two weeks for users who would like to receive a new, clean copy of the disc.

    Jason Haas,
    LinuxPPC Inc.

    end"

    cheers,
    mitch

  5. Re:Speaking of R5 problems... by Ethelred+Unraed · · Score: 2

    I realize this is somewhat off topic, but is anyone else having problems installing R5? I've tried both the X installer and the redhat one, and it likes to lock up my system about fifteen percent into installing the packages...is this just me? any help would be greatly appreciated.

    The most common cause is that the installer doesn't check to make sure that you have enough space on each of your partitions before installing (at least this was the case with R4/4.1 and Yellow Dog 1.0). So it will merrily go on until it runs out of room and then lock up.

    The only solution is to either reduce the software to be installed (you can, for example, turn off many things you most likely won't need, like DNS/named, etc.) or to combine or rearrange your partitions to make enough room. You especially need to make sure that /opt and /usr get enough room if you install a lot of stuff.

    If you really aren't sure how big to make your partitions, but do know what software you want, just make one big root partition (naturally along with /swap). That's the easiest way to go.

    Check out my website at http://linux.macnews.de/ for other tips and news about Linux for Macs. It ain't much, but I try. :-)

    click and be happy

    --
    Everyone wants to be Ethelred. Even I want to be Ethelred.

  6. Some nitpicking by craw · · Score: 2

    Autostart 9805-A. I was not too pleased when a Virex scan gave me this message when I loaded my R5 CD yesterday. I'm almost speechless in describing what I feel about this.

    I don't care if this thing won't spread. It is highly unprofessional to send out a CD with a virus on it (or something that will be flagged by a virus scan). There are also some minor "glitches" with the distro. For instance, in one of the readme files, this instruction is given.

    Where is the old RedHat installer?
    a) Just pass redhat as an arguement to the

    To the ?? If you have used BootX before, you would probably realize that this is a parameter to pass to the kernel arguments. They might also wish to spell argument correctly. Note: I am not blaming these nitpicking mistakes on the original author of the doc. Remember, this is Linux. Have other ppl review the source.

    Nonetheless, I have installed R5 and it looks pretty good. Serious testing starts tomorrow. As a side note: I just realized that I am a totally pathetic (but extremely loyal) Apple/Linux supporter who is willing to overlook glitches.:-)

    I just have one last bitch. I start up LinuxPPC at runlevel 5 and eventually get greeted with the login screen. Off in the upper left hand corner is a fairly obnoxious and rather large RedHat logo. I was wondering, is this the result of some agreement between LinuxPPC and RedHat for the use of the RedHat installer?

    Don't flame me if I made mistakes in spelling or grammar in this post (since I nitpick on this issue). I don't have another pair of eyes reviewing my post.