Seven Dust 666

MacOS/SevenDust Type Virus SubType Macintosh Discovery Date 06/01/1998 Length varies Minimum DAT N/A (11/28/2005) Updated DAT 4638 (11/28/2005) Minimum Engine N/A Description Added 12/13/2002 Description Modified 12/13/2002 11:07 AM (PT) Risk Assessment: Corporate User Low Home User Low Overview: This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another. Aliases: • 666 • Graphics Accelerator • Mac/SevenD • Mac/Sevendust • MDEF 666 • MDEF 9806 • MDEF E Characteristics: This is a family of seven viruses that infect Apple Macintosh applications by modifying MDEF resource. Some variants drop a system extension (ex., called '666' or 'Graphics Accelerator'), some introduce a new INIT resource in the System file. The variant known as 'Graphics Accelerator' (variant .f) first appeared on the Info-Mac shareware archives. The file's author claimed that it was a custom extension that would speed up graphics routines in applications written for Motorola 68000-series processors, but run on computers with PowerPC processors. A file description included with it read: "Enclosed you will find my custom Graphics Accelerator that helps PPC macs speed graphics programs up that use 68K code. It uses a custom blitting subroutine, and it should work on PPC apps as well. Please include it in your Graphics/Utilities directory. Thank you very much." This file was pulled from the site in September 1998. The source code for some SevenDust variants was circulated in the Internet so this family has many variants most likely written by different people. Latest strains are the first polymorphic viruses to appear on the Mac OS platform. Page 1 Symptoms: Presence of '666' or '\001Graphics Accelerator' in the Extensions folder. Note that the extension dropped by the virus has an invisible character in front which makes it difficult to distinguish the file from a legitimate video driver from ATI that has 'Graphics Accelerator' name! The latest variant may drop its extension under different names but always has the first invisible character. Variants .a-.d do not have any damaging payload. But computers infected with the most common variant (aka 'Graphics Accelerator') erase all non-application files started during the sixth hour of the 6th or 12th day of any month. Method of Infection: Members of this family hit MDEF and INIT resources. Infected applications have MDEF resource, the System has INIT. There are seven known variants: Variant .a Only hi…