New Macintosh Trojan Horse Discovered - July 5,1992
NAME: ChinaTalk
DAMAGE: erases directories from hard drives and floppies, effectively erasing all data.
A new Trojan Horse has been discovered called "ChinaTalk." It is a INIT/extension that masquerades as a "female Macintalk sound driver." This file actually draws a picture to the Macintosh screen while erasing the directories on hard drives and floppies, i.e., it is very destructive.
Virex (and the Virex INIT) will be updated to version 3.82 to detect the Trojan Horse. Virex will also delete this file with the user's permission. All Virex subscribers will automatically be sent an update on diskette. All other registered users will receive a notice with information to update prior versions to detect ChinaTalk.
HOW TO UPDATE YOUR COPY:
To update your 3.x copy of Virex to detect this Trojan Horse, enter the following information into the 'Define Virus' section of the Virex application. You can immediately scan for the presence of this virus with Virex. After the next Restart, the Virex INIT will also scan all executed files and inserted diskettes for this Trojan Horse.
DAMAGE: can permanently damage applications and cause machines to not reboot properly
SPREAD: possibly significant
A new virus has been discovered in two slightly different strains.
The viruses were discovered in the game "GoMoku," versions 2.0 and 2.1. These files were posted to the Usenet comp.binaries.mac
newsgroup, and uploaded to various ftp archives, including the one at
sumex-aim.stanford.edu. [Note: the game was distributed under a
falsified name. The name used in the posting, and embedded in the
game, is that of a completely uninvolved person. Please do not use
this person's name in reference to the virus.]
If you have Virex 3.x and the "Use Record/Scan Data" option of the Virex INIT enabled, the Virex INIT will alert you if your machine is infected with T4.
When an infected file is launched, the virus attempts to alter the System file. The change to the System file results in alterations to the boot code under both Systems 6 and 7 that may render some systems unbootable, but will usually result in INIT files and System
extensions (respectively) not loading.
The virus also attempts to infect applications on the boot
volume and may damage the applications by overwriting
portions of the programs with the virus code. These damaged
applications *cannot* be repaired but must be reinstalled from
distribution or backup media.
Once installed and active, the virus does not appear to perform any
other overt damage. At least one version of the virus may print a
message when run after a certain number of files are infected by it.
This message identifies the infection as the T4 virus.
Virex will be updated to version 3.82 to detect the virus in any file, repair any file that has not been permanently damaged by the virus and repair the boot blocks. All Virex subscribers will automatically be sent an update on diskette. All other registered users will receive a notice with information to update prior versions to detect T4.
HOW TO UPDATE:
To update your 3.x copy of Virex to detect this virus, enter the following information into the 'Define Virus' section of the Virex application. You can immediately scan for the presence of this virus with Virex. After the next Restart, the Virex INIT will also scan all executed files and inserted diskettes for this virus.
