Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Hacking Techniques :: steroid.txt

About the Macintosh "Steroid" Trojan




        There is a Trojan Horse called "Steroid".  It is an INIT that
        claims to speed up QuickDraw on Macintosh SE, Plus and earlier
        machines.  The INIT contains code that checks for the date being
        greater than July 1, 1990.  If it is, it will ERASE all mounted
        drives.

        Having the Comm Toolbox installed seems to interfere with the INIT
        and keep the erasure from happening.  The SE then simply crashes.

        Installing the INIT on a floppy disk and booting it on an SE with
        the system date set after July 1, 1990 causes the floppy and hard
        disk to be immediately erased.

	At this time it is known that the code does the following:

OPERATIONS AT RESTART:
----------------------
	DATE & TIME CHECK (Loop)
	SYSENVIRONS CHECK
	GETS VOLUME INFORMATION (probably checking for HFS)
	GETS SOME ADDRESSES (Toolbox traps)
	DOES SOME HFS DISPATCH OPERATIONS
	VOLUME IS REINITIALIZED to "Untitled"
 
INFORMATION:
------------
	TYPE:      INIT
	CREATOR:   qdac
	CODE SIZE: 1080
	DATA SIZE: 267
	ID:        148
	Name:      QuickDraw Accelerator
	File Name: "  Steroid" (First 2 characters are ASCII 1)
 
	The 2 invisible characters are there to make it load before SAM (or
other INITs).
	If you have renamed the file so that it runs after SAM (in general, NO unknown INITs should ever be allowed to run before SAM), then in advanced or custom modes you will get SAM alerts saying "There is an attempt to bypass the file system" when this Trojan attacks your volumes. Denying these attempts prevents the Trojan from doing any damage.
	You can enter the following virus definition in Virus Clinic to allow both SAM Intercept and Virus Clinic to detect this Trojan during scans.

   Virus Name:  Steroid Trojan
Resource Type:  INIT
  Resource ID:  148
Resource Size:  1080
Search String:  ADE9 343C 000A 4EFA FFF2 4A78    (hexadecimal)
String Offset:  96

	If you have entered this definition and have renamed the Trojan to run after SAM, then SAM Intercept will also notify you when this INIT is run at startup time.
	If your disk becomes erased, you can use SUM II Disk Clinic to recover the deleted files.

NOTE:
	This information comes from a number of sources and has been edited by Geoff Hartley for CVIA for clarification.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH