CyberMac@ExMachina (Mailing List)
<http://www.cybercafe21.net> & <http://www.cybercafe21.tv>

Friday, June 8, 2001 03:45 ET 
Yesterday, we noted reports of an AppleScript-based worm
<simpsonsvirus.html>, which, when launched, opens Outlook Express or
Entourage in the background and sends a copy of the original message, and
the script, entitled "Simpsons Episodes," to everyone in your address book.
We have received no reports of destructive behavior from the script;
however, the script is compiled as run-only, so we cannot check its
contents.
We ran the script on a closed system, and were able to confirm the activity
mentioned in the two emails - in our case, the script launched Entourage and
attempted to resend the message through a dummy account. (Before sending the
emails, Entourage did warn us of suspicious behavior and allowed us to
cancel the send process, but Dr. Bott's Eric Prentice adds that Outlook
Express offers no such warning.) Attempting to quit either Internet Explorer
or Entourage resulted in the applications' relaunching, and the only way we
could get our system back was to cycle the power and restart it with
extensions off, since the script copies itself to the Startup Items folder
in the System Folder.
We are waiting to hear back from some of the virus centers with more details
and additional confirmation, but the worm does appear to be similar to many
of the PC-specific Visual Basic scripts that have floated around the net
over the last few years: 
        [David Rarick] "I saw today that the Simpsons virus copies itself to
the Startup Items folder. You don't have to reboot with extensions off to
get the Finder to skip over the Startup Items. Let the machine start to boot
up normally, and then hold the shift key down AFTER the extensions have
loaded but BEFORE the Finder has launched. This will let you load a normal
extension set, while still killing the virus. Then delete the virus from the
Startup Items folder and continue on your merry way. This trick has saved me
numerous times, since I normally have a script in there (on purpose) that
launches a bunch of apps. If I'm in a hurry, just holding the shift key
after extensions have loaded lets me get to work quicker." 
Rob Jorgensen reports that "Symantec has released another virus definition
update <http://www.sarc.com/avcenter/defs.download.html> [for June] dated
06/04/2001 (according to Finder's Get Info). The previous release was dated
06/01/2001." 

