
MacOS/CODE9811

Type: Virus
SubType: Macintosh
Discovery Date: 01/01/1998
Length: 11,346 bytes
Minimum DAT: N/A (06/30/2004)
Updated DAT: 4371 (06/30/2004)
Minimum Engine: N/A
Description Added: 12/16/2002
Description Modified: 12/19/2002 10:54 AM (PT)
Risk Assessment:
    Corporate User: Low
    Home User: Low


Characteristics

This virus only infects applications on Apple Macintosh computers.

Symptoms

When the virus activates (with 25% probability on Mondays or on August 22) it displays an animation on the screen: the desktop shows worms moving in various directions (yellow heads with black tails). They start from the edges of the screen and, when they reach the middle, gradually reveal a big red letter 'pi' composed of three rectangles. The worms get "trapped" inside these rectangles and then look like yellow balls bouncing off their borders. Later, a message is displayed above the big letter 'pi', changing colors:

    pi You have been hacked by Praetorians! pi

[Image: CODE9811 payload screenshot - worms (taken in the middle of the payload)]

The virus also carries the following strings:

    "Some files could not be opened from within the Finder.
    Try opening them from within their respective application."

and also "mymessage", "encrypt" and "moveworms".

The virus can delete antivirus programs. All infected programs contain a TEXT resource with ID 8650, which the virus uses for self-recognition so that it does not infect the same program twice.

Method of Infection

The virus recursively scans a selected volume for suitable targets of type 'APPL' and infects each one found with 50% probability. An infected application has the virus body added as a CODE resource, and its jump table is patched to point to the virus body. The original file is saved as a hidden file whose name consists of random uppercase characters, so the infection method is of the "companion" type.
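The two facts above that a defender can act on are the infection marker (a TEXT resource with ID 8650 in every infected program) and the fact that the virus lives in the application's resource fork. The following added example, which is not part of the McAfee description or any Virex tooling, parses the classic Mac OS resource fork layout (16-byte header, data area, resource map, type list and reference lists) and flags a fork that carries the TEXT 8650 marker. The sample forks are constructed in the script; the page gives only the resource type and ID, not its contents, so the check is presence-only and should be treated as a triage signal rather than a definitive verdict (a legitimate application could in principle own a TEXT resource with that ID).

```python
"""Triage heuristic for the CODE9811 self-recognition marker (TEXT id 8650)
in a classic Mac OS resource fork. Added example; not the vendor's code."""
import struct

# Marker stated in the description: every infected program has TEXT 8650.
CODE9811_MARKER = (b"TEXT", 8650)


def build_resource_fork(resources):
    """Build a minimal classic resource fork from [(type4, id, bytes), ...].
    Only used here to construct sample input; not a general resource writer."""
    data_area = b""
    data_offsets = []
    for _rtype, _rid, payload in resources:
        # Data area: 4-byte big-endian length followed by the resource bytes.
        data_offsets.append(len(data_area))
        data_area += struct.pack(">I", len(payload)) + payload

    by_type = {}  # group reference entries by type, first-seen order
    for (rtype, rid, _payload), off in zip(resources, data_offsets):
        by_type.setdefault(rtype, []).append((rid, off))

    type_list_len = 2 + 8 * len(by_type)  # count-1 word + 8-byte type entries
    type_entries = b""
    ref_lists = b""
    for rtype, refs in by_type.items():
        ref_offset = type_list_len + len(ref_lists)  # relative to type list
        type_entries += rtype + struct.pack(">HH", len(refs) - 1, ref_offset)
        for rid, off in refs:
            # Reference entry (12 bytes): id, name offset (-1 = unnamed),
            # 1 attribute byte + 3-byte data offset, 4-byte reserved handle.
            ref_lists += (struct.pack(">hh", rid, -1) + bytes([0])
                          + off.to_bytes(3, "big") + b"\0\0\0\0")
    type_list = struct.pack(">H", len(by_type) - 1) + type_entries

    # Map: 16-byte header copy, 4-byte next-map handle, 2-byte file ref,
    # 2-byte attributes, 2-byte type-list offset, 2-byte name-list offset.
    name_list_offset = 28 + type_list_len + len(ref_lists)
    resource_map = (b"\0" * 24 + struct.pack(">HH", 28, name_list_offset)
                    + type_list + ref_lists)
    data_off = 256  # data area conventionally starts after the reserved block
    header = struct.pack(">IIII", data_off, data_off + len(data_area),
                         len(data_area), len(resource_map))
    return header + b"\0" * (data_off - 16) + data_area + resource_map


def parse_resource_fork(fork):
    """Return [(type, id, data), ...] for every resource in the fork."""
    data_off, map_off, _data_len, _map_len = struct.unpack_from(">IIII", fork, 0)
    type_list_off, _name_list_off = struct.unpack_from(">HH", fork, map_off + 24)
    type_list = map_off + type_list_off
    ntypes = struct.unpack_from(">H", fork, type_list)[0] + 1
    found = []
    for i in range(ntypes):
        entry = type_list + 2 + 8 * i
        rtype = fork[entry:entry + 4]
        nrefs, ref_off = struct.unpack_from(">HH", fork, entry + 4)
        for j in range(nrefs + 1):
            ref = type_list + ref_off + 12 * j
            rid = struct.unpack_from(">h", fork, ref)[0]
            attr_and_off = struct.unpack_from(">I", fork, ref + 4)[0]
            res_off = data_off + (attr_and_off & 0xFFFFFF)  # low 24 bits
            length = struct.unpack_from(">I", fork, res_off)[0]
            found.append((rtype, rid, fork[res_off + 4:res_off + 4 + length]))
    return found


def has_code9811_marker(fork):
    """True if the fork carries the TEXT 8650 self-recognition resource."""
    return any((t, i) == CODE9811_MARKER for t, i, _ in parse_resource_fork(fork))


# Constructed sample forks: a clean app and one carrying the marker plus an
# extra CODE resource (stand-in for the appended virus body).
SAMPLE_CLEAN = build_resource_fork([
    (b"CODE", 0, b"\0" * 8),          # placeholder jump-table segment
    (b"CODE", 1, b"\x4e\x75"),        # RTS
])
SAMPLE_INFECTED = build_resource_fork([
    (b"CODE", 0, b"\0" * 8),
    (b"CODE", 1, b"\x4e\x75"),
    (b"TEXT", 8650, b"marker"),       # contents are a placeholder
    (b"CODE", 2, b"virus"),           # placeholder for the added CODE segment
])

if __name__ == "__main__":
    for name, fork in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        types = [(t.decode(), i) for t, i, _ in parse_resource_fork(fork)]
        print(name, types, "marker present:", has_code9811_marker(fork))
```

On a real Macintosh file the fork to feed in is the resource fork, not the data fork; on modern systems it is typically exposed as the `..namedfork/rsrc` stream or inside a MacBinary/BinHex container, which this parser does not unwrap.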

Removal

Please use the latest updates of Virex for cleaning. If this threat is detected on a Macintosh, use Virex to repair it.

If the infected object was found on a non-Apple file server it can be cleaned using Virex from a Macintosh client.

Infected e-mail messages (usually in BinHex format) are currently either deleted or quarantined, depending on the configuration of the mail scanner. Quarantined messages should be transferred to a Macintosh and cleaned using Virex.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
