Autostart Hunter 1.1

Updated: 9/29/98 (Includes manual)

Autostart Hunter is a utility application that detects the Macintosh worm named `Autostart-9805´.

Download English version (116KB)

Japanese version


< About Autostart Hunter >

   Autostart Hunter is a utility application that detects the worm named `Autostart-9805´, moves it to the Trash, and then notifies the user. I have heard that the worm destroys the Type 1 font data of CJK fonts used with Adobe Type Manager, so I decided to create an easy-to-use utility. I know its user interface is quite poor (nearly nothing), but I think timing is important. See Autostart Hunter's manual for more information.

   Although I thought the worm might disappear soon after I released Autostart Hunter to the public (6/5/98), I now have information that a new version of it may be able to infect without QuickTime, although I have not confirmed such a version yet.

   Autostart Hunter has been tested only with the earlier version of Autostart-9805.

   Autostart Hunter is freeware (free of charge to use).
 

< Required System >

   MacOS 7.0 or later
   256KB of memory
 

< What is `Autostart-9805´? >

   The worm `Autostart-9805´ restarts your Macintosh system after infection. It was first found in May 1998, hence the name `Autostart-9805´. Here we discuss the original version (called `Type A´); 6 variations have been confirmed at this time. You should check TidBITS (http://www.tidbits.com/) for recent information.

   The worm takes advantage of a feature in QuickTime 2.0 (or later) that enables CD-ROMs to start a program immediately upon insertion. Infected disks contain an invisible application file named `DB´ in their root directory. When an infected disk (it can be an HDD, MO, ZIP, JAZ, etc.) is mounted, the DB application launches and copies itself to the Extensions folder of the active System Folder. The copy is named `Desktop Print Spooler´ and its type is `appe´. This background-only application file is also invisible. The worm then restarts the computer and reloads into memory via the invisible Desktop Print Spooler.

   The worm then examines all mounted volumes about every 30 minutes and attempts to infect any that are not yet infected by copying itself as `DB´ to the root directory. It also searches mounted volumes for files whose names end with `dat´, `data´, `cod´ or `csa´ and that are larger than a certain size. When it finds such a file, the worm overwrites its data fork with garbage. Adobe Type Manager uses `csa´ files, which contain the Type 1 outline data for CJK fonts, so it must crash when it reads garbage, or specific characters are not displayed properly.

   If you are already infected, you can find such files with a utility application such as ResEdit. If you do, you should clear their invisible attribute in the Finder info; otherwise you cannot trash them. As TidBITS says, the worm will take a different scheme (name, type, directory) in the future. In fact, according to TidBITS dated 5/25/98, 2 variations (Type B and C) were confirmed, and now, according to MacPower Oct. 1998 (a magazine issued in Japan), 6 variations have been confirmed.
 

< What Autostart Hunter does >

   On all mounted volumes, Autostart Hunter looks for invisible application files in the root directory and invisible background-only application files in the Extensions folder. If it finds any, it clears their invisible attribute (so that they become visible), moves them into the Trash, and then notifies the user. However, on a locked volume (e.g. a CD-ROM) it only warns the user every time it finds one, since nothing on the volume can be changed.
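   As an added example, not the original Autostart Hunter code, the following Python models the detection and clean-up rules described in this section and in `< What is Autostart-9805? >` (the two file locations, the invisible attribute, and the locked-volume case), run over constructed in-memory volume records. The kIsInvisible flag value 0x4000 is the classic Mac OS Finder constant; the record layout, the function names and every sample file are assumptions made for this example.

```python
# Added example (not the original Autostart Hunter code): a model of the
# detection and clean-up rules described on this page, run over constructed
# in-memory volume records. kIsInvisible = 0x4000 is the real classic Mac OS
# Finder-flag constant; the record layout and every file below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

K_IS_INVISIBLE = 0x4000          # fdFlags bit that hides a file from the Finder
EXTENSIONS = ("System Folder", "Extensions")


@dataclass
class MacFile:
    name: str
    folder: Tuple[str, ...]      # () means the root directory of the volume
    file_type: str               # four-character Finder type code, e.g. 'APPL'
    fd_flags: int = 0            # Finder info flags

    @property
    def invisible(self) -> bool:
        return bool(self.fd_flags & K_IS_INVISIBLE)


@dataclass
class Volume:
    name: str
    locked: bool = False         # e.g. a CD-ROM: nothing on it can be changed
    files: List[MacFile] = field(default_factory=list)


def find_suspects(vol: Volume, has_active_system: bool) -> List[MacFile]:
    """The two rules from the page: an invisible application ('APPL') in the
    root directory, or an invisible background-only application ('appe') in
    the Extensions folder of the active System Folder. Matching is by Finder
    flags and type code, not by name, so it does not depend on the 'DB' /
    'Desktop Print Spooler' names used by the Type A variant."""
    hits = []
    for f in vol.files:
        if not f.invisible:
            continue
        if f.folder == () and f.file_type == "APPL":
            hits.append(f)
        elif has_active_system and f.folder == EXTENSIONS and f.file_type == "appe":
            hits.append(f)
    return hits


def hunt(volumes: List[Volume], active_system_volume: str) -> List[Dict[str, str]]:
    """Scan every mounted volume. On a writable volume clear the invisible flag
    and move the hit to the Trash; on a locked volume only warn. Returns a
    report the caller can show to the user."""
    report = []
    for vol in volumes:
        for f in find_suspects(vol, vol.name == active_system_volume):
            if vol.locked:
                action = "warned"
            else:
                f.fd_flags &= ~K_IS_INVISIBLE    # must be visible before trashing
                f.folder = ("Trash",)
                action = "trashed"
            report.append({"volume": vol.name, "name": f.name,
                           "type": f.file_type, "action": action})
    return report


def sample_volumes() -> List[Volume]:
    """Constructed sample: an infected startup disk, an infected Zip disk and an
    infected (locked) CD-ROM, plus legitimate files that must not match."""
    hd = Volume("Macintosh HD", files=[
        MacFile("DB", (), "APPL", K_IS_INVISIBLE),                           # worm at root
        MacFile("SimpleText", (), "APPL"),                                   # visible app: fine
        MacFile("Desktop Print Spooler", EXTENSIONS, "appe", K_IS_INVISIBLE),  # worm copy
        MacFile("Example Agent", EXTENSIONS, "appe"),                        # visible appe: fine
        MacFile("Example INIT", EXTENSIONS, "INIT", K_IS_INVISIBLE),         # invisible, not appe
    ])
    zip_disk = Volume("Zip 100", files=[MacFile("DB", (), "APPL", K_IS_INVISIBLE)])
    cd = Volume("Photo CD", locked=True,
                files=[MacFile("DB", (), "APPL", K_IS_INVISIBLE)])
    return [hd, zip_disk, cd]


if __name__ == "__main__":
    for entry in hunt(sample_volumes(), "Macintosh HD"):
        print(f"{entry['volume']}: {entry['name']} ({entry['type']}) -> {entry['action']}")
```

   Running it prints one line per hit: the two copies on the startup disk and the one on the Zip disk are made visible and moved to the Trash, while the copy on the locked CD-ROM is only reported, and a second run reports it again. Because the rules key on the invisible flag, the type code and the directory rather than on the file names, they survive a variant that merely renames itself, but, as the page warns, a variant that changes its type or its directory would not be caught by them.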

   See Autostart Hunter's manual for more information.


YUKOS WORLD CO., LTD.

1-30-27 INOKASHIRA MITAKA-CITY,
TOKYO 181-0001 JAPAN
FAX: +81-422-44-0993
Email: Webmaster


Copyright ©1998-2003 Yukos World Co., Ltd.  All Rights Reserved.