
a-26.ciac-steroid-trojan-horse

Posted Sep 23, 1999

tags | trojan
SHA-256 | 05192e140e98ba1f8c0d2318851f2642ddd2a3f1c26c9a707f5233cc8cef9211


FOR OFFICIAL DOE USE ONLY--DO NOT DISTRIBUTE OUTSIDE OF DOE
________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

INFORMATION BULLETIN
________________________________________________________________________

A New Macintosh Trojan Horse Threat--STEROID


June 7, 1990, 1100 PST Number A-26

_______________________________________________________________________
Name: Steroid trojan horse
Types: Only one known variant
Platform: Apple Macintosh computers
Damage: Erases all mounted disks
Symptoms: Can be identified by:
    TYPE: INIT
    CREATOR: QDAC
    Code Size: 1080
    Data Size: 267
    ID: 148
    Name: QuickDraw Accelerator
    File Name: " Steroid" (First 2 characters are ASCII 1)
Detection/Eradication: Examine system folder; if Steroid is there,
    save a copy and then drag the icon to the trash folder and empty trash.
______________________________________________________________________
Critical Steroid Facts

A Macintosh trojan horse called "Steroid" has been discovered. The purported
purpose of Steroid is to make QuickDraw run faster on computers with 9 inch
screens. Steroid is actually an INIT that contains malicious code to check
for the system date and to erase all mounted disks if this date is July 1, 1990
or afterwards. (Note: earlier reports indicated that June 6, 1990 is the
trigger date, but the sources of these reports now claim that July 1 is the
trigger date.)

Steroid is a trojan horse, not a virus, and thus is limited in ability to
spread. This trojan horse is a genuine threat, however, because it is being
posted to electronic bulletin boards and has already been downloaded by
unsuspecting users on the West Coast. If you use a bulletin board, make sure
that you do not download any software claiming to improve QuickDraw performance
or related in any way to "Steroid." Since "Steroid" is an INIT, you would have
had to put it in your system folder to have this trojan horse. If you are
unsure if you have installed "Steroid," look in your system folder for start-up
documents with the name "Steroid" or "QuickDraw Accelerator." Another detection
method is to use RESEDIT; look for documents in the system folder with the
Creator: "QDAC," Type "INIT," and a code size of 1080 and a data size of 267.
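
An added example, not part of the CIAC bulletin or Apple's posting: a Python check of the bulletin's type, creator and file-name identifiers against the 128-byte MacBinary header that commonly wraps archived Macintosh files. Using MacBinary as the container and all function names are assumptions made here; the code and data sizes are not tested because the bulletin does not say which part of the file they measure.

```python
# Identifiers from the bulletin. The creator is compared case-insensitively
# because the bulletin prints "QDAC" and the quoted Apple posting "qdac".
IOC_TYPE = b"INIT"
IOC_CREATOR = b"QDAC"
IOC_NAMES = (b"steroid", b"quickdraw accelerator")
CONTROL_CHARS = bytes(range(0x20))  # non-printing bytes 0x00-0x1F

def parse_macbinary(header: bytes) -> dict:
    """Extract the Finder name, type and creator from a MacBinary header."""
    if len(header) < 128:
        raise ValueError("MacBinary header is 128 bytes")
    name_len = header[1]
    # Bytes 0, 74 and 82 are zero in a valid header; name is 1-63 bytes.
    if header[0] or header[74] or header[82] or not 1 <= name_len <= 63:
        raise ValueError("not a MacBinary header")
    return {
        "name": header[2:2 + name_len],
        "type": header[65:69],
        "creator": header[69:73],
    }

def steroid_indicators(meta: dict) -> list:
    """Return the bulletin identifiers that this file's metadata matches."""
    hits = []
    if meta["type"] == IOC_TYPE and meta["creator"].upper() == IOC_CREATOR:
        hits.append("type INIT with creator QDAC")
    name = meta["name"]
    # Compare the visible part of the name, ignoring leading control bytes.
    if name.lstrip(CONTROL_CHARS).lower() in IOC_NAMES:
        hits.append("file name matches")
    if name.startswith(b"\x01\x01"):
        hits.append("name begins with two ASCII 1 characters")
    return hits

def build_header(name: bytes, ftype: bytes, creator: bytes) -> bytes:
    """Constructed header for demonstration; not a sample of the trojan."""
    h = bytearray(128)
    h[1] = len(name)
    h[2:2 + len(name)] = name
    h[65:69] = ftype
    h[69:73] = creator
    return bytes(h)

if __name__ == "__main__":
    for hdr in (build_header(b"\x01\x01Steroid", b"INIT", b"qdac"),
                build_header(b"Easy Access", b"INIT", b"easy")):
        meta = parse_macbinary(hdr)
        print(repr(meta["name"]), steroid_indicators(meta))
```
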

If your Macintosh computer contains this INIT, please make a copy on a floppy
before you do anything else and send that copy to CIAC at your earliest
convenience. Then drag the Steroid INIT to the trash icon and empty the trash.
If you unknowingly have used Steroid before July 1, 1990, no damage appears
possible at this time. It is important, however, to determine if you have
shared Steroid with anyone else, and, if so, to notify them of the information
in this bulletin. If you use Steroid on or after July 1, 1990, CIAC has been
advised that you can recover if you use the SUM II Disk Clinic tool to restore
erased files. Do not use the machine until you have recovered the files using
SUM. CIAC can provide more detailed procedures in this case.

The following is an excerpt from a bulletin board posting by Apple:
________________________________________________________________________
So far, we know that the code does the following:

OPERATIONS AT RESTART:
----------------------
DATE & TIME CHECK (Loop)
SYSENVIRONS CHECK
GETS VOLUME INFORMATION (probably checking for HFS)
GETS SOME ADDRESSES (Toolbox traps)
DOES SOME HFS DISPATCH OPERATIONS
VOLUME IS REINITIALIZED to "Untitled"

INFORMATION:
------------
TYPE: INIT
CREATOR: qdac
CODE SIZE: 1080
DATA SIZE: 267
ID: 148
Name: QuickDraw Accelerator
File Name: " Steroid" (First 2 characters are ASCII 1)

WHAT TO DO:
-----------
If your disk becomes erased, you can use SUM II Disk Clinic to recover the
deleted files. We have tried this and it seems to work.

IF YOU HAVE STEROID ON YOUR SYSTEM, DISABLE IT IMMEDIATELY.
________________________________________________________________________
For additional information or assistance, please contact CIAC:

Eugene Schultz
(415) 422-8193 or (FTS) 532-8193
FAX: (415) 294-5054, (415) 423-0913 or (415) 422-4294

You may also send e-mail to:

ciac@tiger.llnl.gov

Neither the United States Government nor the University of California nor any of
their employees, makes any warranty, expressed or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor the
University of California, and shall not be used for advertising or product
endorsement purposes.
