SevenDust G

Details

This strain is quite similar to 'E', but there have been a number of 'improvements' (although 'Time' is still used for random numbers). Firstly, the static data segment has been moved inside the encrypted area of the virus - so there are no more giveaway unencrypted strings.

It also has a wider range of resources to wash out with 'f's (hex 0x66) - instead of just 'MENU's, it can now wash out 'WIND's too - and it employs a much simpler victim ID selection algorithm than E. It will choose 'WIND's two-thirds of the time and 'MENU's the other third - but if it can't find a resource to wash out (e.g. the application has no 'WIND's) then it will not wash any (i.e. it won't do the symbiotic bit) - instead of not infecting the application.

The choice of the menu to hijack (i.e. set to use the viral MDEF instead of the system one) has also changed - it will now only hijack the Apple menu. This means that many of the unintended effects visible in 'E' (such as where it hijacked a popup menu) are no longer present - as long as the Apple menu is loaded first. This is unfortunate as it is now quite possible for the virus to go undetected until its trigger date...

Its trigger date has also changed. It is now between 6 & 7pm on the 6th day of any month. The payload however is the same - deleting every file (except apps) from the disk that the running infected app resides on. (Note: Previously I said that the E strain deleted 'from the system disk'. I think I was wrong - it's the same disk as the application)

This strain can also spread more easily than E can, as infected applications now attempt to infect all other applications in the same folder as themselves (they don't look inside subfolders 'tho). If your desktop looks anything like mine this would do quite a bit of infection. It still infects applications as they are run (as E does), if the virus loaded as an INIT at startup.

The INIT placement has also changed - instead of always residing in one file ('\001Graphics Accelerator'), it can now pick from a larger number of file names (but only one ever exists in any system). There is a list of these names below. Of much greater concern is that the virus can now infect the System file itself. 'INIT's in the System file are not disabled when the shift key is held down at startup, so if you did choose to 'disable extensions', then you would disable all of them (including antivirus ones probably) except the virus! It chooses the System file instead of a file in the Extensions folder 50% of the time.

This strain can install viral extensions into the Extensions folder with one of the following names (preceded by the character 0x01), and with type 'INIT' and creator 'ACCE':
Graphics Accelerator; CD-ROM Driver; VideoSync™; Monitors Plug-In; Open Transport; PPP.Lib; ADSP Tool; Photo Access™; Video Picker™; ISO 9661 File Access; Serial Port; XMODEM.Lib; TCP/IP.Lib; Text Encodings; Power Enabler; Internet Library; AppleTalk Library; MacLinkPlus; Internet Config; Ethernet Ports.
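The traits above (the 0x01-prefixed extension names with type 'INIT' and creator 'ACCE', the 'MENU'/'WIND' resources washed out with 0x66, and the 6-7pm-on-the-6th trigger window) are all things a scanner can check for. The following is an added example, not code from this page or from Agax; it assumes the caller has already read each file's name, type and creator (and each resource's type and bytes) with their own resource-fork tooling, and the sample folder listing and resource map it runs over are constructed for illustration.

```python
# Added example: an indicator scanner for the SevenDust G traits described on
# this page. Not code from the page or from Agax; it assumes the caller has
# already extracted file names/types/creators and resource bytes.
import datetime

# Extension names the page lists; on disk each is preceded by a 0x01 byte.
VIRAL_INIT_NAMES = {
    "Graphics Accelerator", "CD-ROM Driver", "VideoSync\u2122", "Monitors Plug-In",
    "Open Transport", "PPP.Lib", "ADSP Tool", "Photo Access\u2122", "Video Picker\u2122",
    "ISO 9661 File Access", "Serial Port", "XMODEM.Lib", "TCP/IP.Lib",
    "Text Encodings", "Power Enabler", "Internet Library", "AppleTalk Library",
    "MacLinkPlus", "Internet Config", "Ethernet Ports",
}
VIRAL_FILE_TYPE = "INIT"
VIRAL_CREATOR = "ACCE"
WASH_BYTE = 0x66                 # the 'f' the virus overwrites resources with
WASHABLE_TYPES = {"MENU", "WIND"}


def is_viral_extension(name: str, file_type: str, creator: str) -> bool:
    """Match the viral INIT profile: 0x01 + a listed name, type INIT, creator ACCE.
    Names are compared as decoded text; real Mac file names are MacRoman bytes,
    so decode them before calling."""
    return (
        name.startswith("\x01")
        and name[1:] in VIRAL_INIT_NAMES
        and file_type == VIRAL_FILE_TYPE
        and creator == VIRAL_CREATOR
    )


def is_washed_resource(res_type: str, data: bytes) -> bool:
    """A MENU or WIND resource made entirely of 0x66 bytes has been 'washed'.
    An empty resource is not treated as washed."""
    return (
        res_type in WASHABLE_TYPES
        and len(data) > 0
        and all(b == WASH_BYTE for b in data)
    )


def in_trigger_window(when) -> bool:
    """True during the payload window: 6pm to 7pm on the 6th of any month.
    Accepts a datetime or an ISO 8601 string."""
    if isinstance(when, str):
        when = datetime.datetime.fromisoformat(when)
    return when.day == 6 and when.hour == 18


def scan_extensions(entries):
    """entries: iterable of (name, type, creator). Returns the matching names."""
    return [n for n, t, c in entries if is_viral_extension(n, t, c)]


def scan_resources(resources):
    """resources: iterable of (type, id, data). Returns (type, id) of washed ones."""
    return [(t, i) for t, i, d in resources if is_washed_resource(t, d)]


# Constructed sample input (not real files): an Extensions folder listing.
SAMPLE_EXTENSIONS = [
    ("Apple CD-ROM", "INIT", "abcd"),         # ordinary extension (made-up creator)
    ("\x01Open Transport", "INIT", "ACCE"),   # viral: 0x01 + listed name, INIT/ACCE
    ("Open Transport", "INIT", "ACCE"),       # no 0x01 prefix: not the viral pattern
    ("\x01Serial Port", "APPL", "ACCE"),      # wrong file type
]

# Constructed sample resource map for one application.
SAMPLE_RESOURCES = [
    ("MENU", 128, bytes([WASH_BYTE] * 24)),            # washed
    ("WIND", 128, bytes([WASH_BYTE] * 23) + b"\x00"),  # not fully washed
    ("MDEF", 0, b"\x60\x00\x00\x10"),                  # not a washable type
    ("MENU", 129, b""),                                # empty: ignored
]

if __name__ == "__main__":
    print("suspect extensions:", scan_extensions(SAMPLE_EXTENSIONS))
    print("washed resources:", scan_resources(SAMPLE_RESOURCES))
    print("in trigger window now:", in_trigger_window(datetime.datetime.now()))
```

The washed-resource check is a heuristic: it flags any 'MENU' or 'WIND' whose bytes are all 0x66, which is exactly what the page describes, but a legitimate resource of that shape would be flagged too, so treat a hit as a reason to look closer rather than proof on its own.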

It also has another remarkable feature given the changes that have been made to conceal its presence; one out of every ten times that the MDEF is called (well, it would be if it used Ticks instead of Time, but it's about a 10% chance anyway), it brings up a window in the top left of the screen (50,50)-(79,63) and displays the text "666" in it in the system font for 1/6th of a second (then removes the window). So I guess it's pretty unlikely that it would go undetected for long after all!

Note: The old version of the Additive would likely have identified files infected with this virus, and thought it succeeded in repairing them, but when re-examined it would still think them infected. That's been my experience anyway - but I haven't tried to rationalise it or considered the consequences for the file ... especially as this new tailor-made Additive is now available :)


Story

17/2/99:
I receive a query from Jack Stroh about Agax, as it was insisting that it'd been tampered with when he'd only just expanded it. So I ask for a copy of the application, thinking that my self-checks have most likely gone awry in some nasty way.
19/2/99:
Examine the Agax received, and discover that it has indeed been tampered with - and by a new form of the virus it was originally designed to prevent! <irony> Trigger date is not till the 6th, so no big hurry.
21/2/99:
Analysis completed and updated Agax Additive written (updated Agax itself too). Beta testing was done by Jack, a willing volunteer :)



Last updated 24/2/1999