FOR OFFICIAL DOE USE ONLY--DO NOT DISTRIBUTE OUTSIDE OF DOE
________________________________________________________________________

                THE COMPUTER INCIDENT ADVISORY CAPABILITY

                                  CIAC

                          INFORMATION BULLETIN
________________________________________________________________________

            A New Macintosh Trojan Horse Threat--STEROID

June 7, 1990, 1100 PST                                       Number A-26
_______________________________________________________________________

Name:                  Steroid trojan horse
Types:                 Only one known variant
Platform:              Apple Macintosh computers
Damage:                Erases all mounted disks
Symptoms:              Can be identified by:
                         TYPE:      INIT
                         CREATOR:   QDAC
                         Code Size: 1080
                         Data Size: 267
                         ID:        148
                         Name:      QuickDraw Accelerator
                         File Name: "  Steroid" (First 2 characters are
                                    ASCII 1)
Detection/Eradication: Examine system folder; if Steroid is there, save a
                       copy and then drag the icon to the trash folder and
                       empty trash.
______________________________________________________________________

Critical Steroid Facts

A Macintosh trojan horse called "Steroid" has been discovered. The
purported purpose of Steroid is to make QuickDraw run faster on computers
with 9 inch screens. Steroid is actually an INIT that contains malicious
code to check the system date and to erase all mounted disks if that date
is July 1, 1990 or afterwards. (Note: earlier reports indicated that June
6, 1990 is the trigger date, but the sources of these reports now claim
that July 1 is the trigger date.)

Steroid is a trojan horse, not a virus, and thus is limited in its ability
to spread. This trojan horse is nonetheless a genuine threat, because it is
being posted to electronic bulletin boards and has already been downloaded
by unsuspecting users on the West Coast. If you use a bulletin board, make
sure that you do not download any software claiming to improve QuickDraw
performance or related in any way to "Steroid." Since "Steroid" is an
INIT, you would have had to put it in your system folder to have this
trojan horse.
If you are unsure whether you have installed "Steroid," look in your
system folder for start-up documents with the name "Steroid" or
"Quickdraw Accelerator." Another detection method is to use ResEdit; look
for documents in the system folder with the Creator "QDAC," Type "INIT,"
a code size of 1080 and a data size of 267. If your Macintosh computer
contains this INIT, please make a copy on a floppy before you do anything
else and send that copy to CIAC at your earliest convenience. Then drag
the Steroid INIT to the trash icon and empty the trash.

If you unknowingly have used Steroid before July 1, 1990, no damage
appears possible at this time. It is important, however, to determine
whether you have shared Steroid with anyone else, and, if so, to notify
them of the information in this bulletin.

If you use Steroid on or after July 1, 1990, CIAC has been advised that
you can recover if you use the SUM II Disk Clinic tool to restore erased
files. Do not use the machine until you have recovered the files using
SUM. CIAC can provide more detailed procedures in this case.

The following is an excerpt from a bulletin board posting by Apple:
________________________________________________________________________

So far, we know that the code does the following:

OPERATIONS AT RESTART:
----------------------
DATE & TIME CHECK (Loop)
SYSENVIRONS CHECK
GETS VOLUME INFORMATION (probably checking for HFS)
GETS SOME ADDRESSES (Toolbox traps)
DOES SOME HFS DISPATCH OPERATIONS
VOLUME IS REINITIALIZED to "Untitled"

INFORMATION:
------------
TYPE:      INIT
CREATOR:   qdac
CODE SIZE: 1080
DATA SIZE: 267
ID:        148
Name:      QuickDraw Accelerator
File Name: "  Steroid" (First 2 characters are ASCII 1)

WHAT TO DO:
-----------
If your disk becomes erased, you can use SUM II Disk Clinic to recover
the deleted files. We have tried this and it seems to work.

IF YOU HAVE STEROID ON YOUR SYSTEM, DISABLE IT IMMEDIATELY.
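The detection procedure above (look for the file name with two leading ASCII 1 bytes, the name "Steroid" or "QuickDraw Accelerator", and the Type INIT / Creator QDAC combination with CODE size 1080 and DATA size 267) can be expressed as a small indicator scanner. The script below is an added example written for this bulletin; it is not CIAC's or Apple's code. It assumes the classic FinderInfo layout (first four bytes are the type, the next four the creator) and uses a constructed sample listing of System Folder items, since a modern directory listing does not carry resource-fork sizes. The `scan_system_folder` helper reads the `com.apple.FinderInfo` extended attribute only where `os.getxattr` exists and is offered as a hypothetical convenience.

```python
"""Scan a System Folder listing for the Steroid INIT indicators given in CIAC A-26."""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators quoted from the bulletin (CIAC lists the creator as QDAC, Apple as qdac).
STEROID_TYPE = b"INIT"
STEROID_CREATORS = {b"QDAC", b"qdac"}
STEROID_CODE_SIZE = 1080
STEROID_DATA_SIZE = 267
STEROID_NAMES = {"steroid", "quickdraw accelerator"}


@dataclass
class Entry:
    """One System Folder item. Resource sizes are optional because a plain
    directory listing does not expose them; they come from ResEdit-style data."""
    name: str
    file_type: Optional[bytes] = None
    creator: Optional[bytes] = None
    code_size: Optional[int] = None
    data_size: Optional[int] = None


def parse_finder_info(blob: bytes) -> Tuple[bytes, bytes]:
    """Extract (type, creator) from a classic FinderInfo record: the first
    four bytes are the file type, the next four the creator code."""
    if len(blob) < 8:
        raise ValueError("FinderInfo record too short")
    return bytes(blob[0:4]), bytes(blob[4:8])


def suspicious_name(name: str) -> bool:
    """The bulletin's file name is 'Steroid' preceded by two ASCII 1 bytes,
    which the Finder shows as blanks; also catch the plain names it lists."""
    if name.startswith("\x01\x01"):
        return True
    return name.strip("\x01 ").lower() in STEROID_NAMES


def match_reasons(entry: Entry) -> List[str]:
    """List every bulletin indicator that this entry satisfies."""
    reasons = []
    if suspicious_name(entry.name):
        reasons.append("file name matches bulletin")
    if entry.file_type == STEROID_TYPE and entry.creator in STEROID_CREATORS:
        reasons.append("type INIT with creator QDAC")
    if entry.code_size == STEROID_CODE_SIZE and entry.data_size == STEROID_DATA_SIZE:
        reasons.append("CODE size 1080 and DATA size 267")
    return reasons


def scan_entries(entries: Iterable[Entry]) -> Dict[str, List[str]]:
    """Return {name: reasons} for every entry matching at least one indicator."""
    hits: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = match_reasons(entry)
        if reasons:
            hits[entry.name] = reasons
    return hits


def scan_system_folder(path: str) -> Dict[str, List[str]]:
    """Hypothetical live scan: type/creator are taken from the
    com.apple.FinderInfo extended attribute where os.getxattr exists;
    resource sizes are unavailable this way and stay None."""
    getxattr = getattr(os, "getxattr", None)
    entries = []
    for item in os.scandir(path):
        ftype = creator = None
        if getxattr is not None:
            try:
                ftype, creator = parse_finder_info(getxattr(item.path, "com.apple.FinderInfo"))
            except (OSError, ValueError):
                pass
        entries.append(Entry(item.name, ftype, creator))
    return scan_entries(entries)


# Constructed sample listing (not real files) to exercise the scanner.
SAMPLE = [
    Entry("\x01\x01Steroid", b"INIT", b"QDAC", 1080, 267),   # the bulletin's full profile
    Entry("Quickdraw Accelerator", b"INIT", b"qdac"),        # renamed copy, sizes unknown
    Entry("Finder", b"FNDR", b"MACS"),                       # benign system file
    Entry("SomeOtherINIT", b"INIT", b"XYZW", 1080, 267),     # size collision only
]

if __name__ == "__main__":
    for name, reasons in scan_entries(SAMPLE).items():
        print(repr(name), "->", "; ".join(reasons))
```

The size-only hit on the constructed `SomeOtherINIT` entry shows why the bulletin pairs several indicators: CODE and DATA sizes alone are a weak signal, while the file name with ASCII 1 prefix and the INIT/QDAC type-creator pair together are what should prompt saving a copy for CIAC and trashing the INIT.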
________________________________________________________________________

For additional information or assistance, please contact CIAC:

   Eugene Schultz
   (415) 422-8193 or (FTS) 532-8193

   FAX: (415) 294-5054, (415) 423-0913 or (415) 422-4294

You may also send e-mail to: ciac@tiger.llnl.gov

Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, expressed or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily
state or reflect those of the United States Government nor the University
of California, and shall not be used for advertising or product
endorsement purposes.