|Place of Origin||China|
|File Type(s)||PEF executable|
|Infection Length||53,152 bytes|
Autostart is the first and only Macintosh worm. It origninated in China managed to become preinstalled on a number of CD's from software vendors.
When a disk infected with Autostart is mounted on a Power PC Mac running QuickTime 2.0 or later the worm, a file named "DB" is launched. It is a hidden application file with the creator listed as "????". It copies itself to the Extensions folder. It changes its name to "Desktop Printer Spooler", a file which will also be hidden. Autostart then restarts the computer.
Autostart is automatically launched when the computer is restarted. Every thirty minutes the worm checks mounted volumes and infects uninfected volumes, placing the hidden file "DB" at the root of the drive.
After checking the mounted volumes, the worm looks for files ending in "cod", "csa", and "data" with data forks over 100 bytes. Files with names ending in "dat" are targeted if their resource and data fork size total more than 2 megabytes. These files are overwritten with up to a megabyte of garbage. The first byte is set to zero, which will cause the worm to overlook the file the next time it looks at it.
In Hong Kong it spread to many advertising agencies, output bureaus, publishing houses, and printers in Hong Kong, including the BBDO agency. From there, it made it to Taipei, Taiwan. By May 4, it made its first landing in North America in Vancouver, BC, Canada. By June 7, it had reached the North American eastern seaboard, with a massive outbreak in Atlanta.
CorelDRAW 8.0 for Macintosh CD-ROMs were shipped with the worm in October of 1998. While Corel claimed that this problem was spotted before the worm reached customers, it still had to recall some CDs.
A Wacom Intuos version 4.12 CD was also infected with the worm. Like the Corel CD's, they were recovered before the worm became widespread, however, there were a few sold with the worm. It was only on the US version of the CD, not on the foreign versions.
It was found preinstalled on a large number of other things, including, but probably not limited to the following list. All are CD's unless otherwise noted.
- a Linux for Power PC distribution
- Sierra's Hoyle Card Games CD for Mac or Windows (Autostart.D)
- Brio Enterprise 5.5.5
- a "www.stockphoto.com" CD
- MOTU Digital Performer 2.43
- MacWorld Games
- MacAddict (Autostart.D)
- an Agfa Scanner driver CD
- a GCC printer installer CD
- a Xante printer utility CD (Autostart.D)
- Konica "Picture Show" (floppy, also with an unnamed trojan)
- a BIOPAC demo CD
- CoStar LabelWriter
- a Tony Stone stock photos CD (some were found with "signs of infection", but no actual worm)
- Umax Astra 1220U Scanner Driver (with multiple viruses)
- a Digital Performer CD
- an IPEX 98 CD
- an Alfa Romeo advertisement CD
- a Marilyn Manson CD (a "dead" non-working copy)
- an NFOEC Proceedings library CD
- Photo/Graphic Edges 4.0
- the SIS Nostalgia Collection
- Digital Vision (several UK titles)
- Activision Pukka PR
A few free utilities were created to combat the worm, including WormFood and Eradicator.
An unconfirmed report says Autostart originated in China, where half the output/prepress centers were reportedly affected. The report also says it was a part of an attempt to extort money from the victims for disinfection. The worm was first reported in Hong Kong in mid spring by desktop publishers.
There are a few rare variants of Autostart going up to Autostart.D. Versions C and D delete earlier versions of the worm and cause no harm to the system. Some may also have slightly different file names.
Daniel Radu. BitDefender Antivirus, Worm.Mac.Autostart.A.
Tony Smith. The Register,Corel infected CDs recalled. 1998.10.05
Tucows, Download WormFood.