LinuxPPC Autostart Worm
JD Fant alerted us to an article appearing over at MacInTouch that claims that the new R5 of LinuxPPC was released with a benign worm on it. Apparently it can't spread, but it is there (the page has comments from Jason Haas).
A few people asked how it can be a worm if it doesn't actually spread.
First, some background: way back when (sometime in '95), Apple introduced a new autostart feature to QuickTime. If you've used Win95 you probably know how this works: you pop in a CD and it automatically launches an application for you.
According to http://developer.apple.com/qa/qtpc/qtpc12.html, Apple's implementation works like this: the developer puts the autostart application's file name in a magic place in the first few blocks of the drive. When the drive is mounted and the AutoStart feature is enabled (it's a simple check-on, check-off feature) the application launches.
The Worm is simply an autostart application that copies itself to the startup drive so that it is launched at every boot, and then proceeds to copy itself to every mounted partition (hard drives, zip drives, network drives, etc.) about every 30 minutes and enables the autostart blocks on those volumes. After infecting the other volumes, it goes about your system overwriting various files with random data.
Anyway, I believe the Linux PPC CD contains the AutoStart Worm application but the CD doesn't contain the blocks that actually tell QuickTime to launch it. You also can't accidentally launch it because the file is hidden, meaning you have to use a separate utility, not the Finder, to even see that it's there.
There are 3 names that the various strains of the Worm use for the autostart application filename. This is what the antivirus software looks for, and what they find.
Well, that's about all I know on the issue. Perhaps more than any of you wanted, but I find this kinda thing interesting. I am kinda curious why we haven't seen a similar worm taking advantage of the Windows 95 autostart feature...
This was posted not long ago
start"
Subject: Update on AutoStart bug on R5 discs
Date: Tue, 15 Jun 1999 15:24:39 -0400
From: Jason Haas
Organization: LinuxPPC Inc.
Newsgroups: comp.os.linux.powerpc
We have concluded that the AutoStart worm cannot spread from R5 CDs to users. No one has reported being infected by the discs, and several people have reported that having the disc in the machine does not cause their machine to become infected.
When we burned the master CD, we used the Linux program mkhybrid, and did not activate the auto-start option. We believe this prevents the worm from spreading to new machines from the disc.
We will have a new pressing of the disc available in about two weeks for users who would like to receive a new, clean copy of the disc.
Jason Haas,
LinuxPPC Inc.
end"
cheers,
mitch