SevenDust
Type: File virus
Date Discovered: 1998.06
Platform: MacOS
File Type(s): MDEF
Infection Length: 850 bytes

SevenDust is a Macintosh virus from 1998. It sometimes also goes by the name 666. The first few variants were relatively unremarkable, but later versions gradually gained features, resulting in a fairly complex virus. It was the first polymorphic virus for the Macintosh.

Behavior

The original version of SevenDust does little other than spread. It drops an extension with the name "666".

Variants

SevenDust.B

SevenDust.B is similar to the original, except that it has the added payload of deleting all non-application files. This variant is 1,342 bytes long.

SevenDust.C

SevenDust.C has no payload. It is polymorphic and encrypted. It is 1,576 bytes long.

SevenDust.D

SevenDust.D contains a symbiotic element that alters a 'WIND' resource from the host application and stores its contents within the virus's code. It is 2,036 bytes long.

SevenDust.E

SevenDust.E is 2,352 bytes long and mostly similar to SevenDust.D. The symbiotic part alters a 'MENU' rather than a 'WIND' resource. The extension name is 'Graphics Accelerator'. When the virus is run on the 6th or 12th of the month between 6:00 and 7:00 in the morning, it deletes non-application files on the default drive.

SevenDust.F

SevenDust.F is mostly similar to SevenDust.E, including most aspects of its malicious payload. The size of the infection varies from 2,844 to 3,836 bytes. It uses both 'MENU' and 'WIND' for its symbiosis. The payload activates on the 6th of a month, not on the 12th. It creates a system extension with one of the following names:

  • Graphics Accelerator
  • CD-ROM Driver
  • VideoSync
  • Monitors Plug-In
  • Open Transport
  • PPP.Lib
  • ADSP Tool
  • Photo Access
  • Video Picker
  • ISO 9661 File Access
  • Serial Port
  • XMODEM.Lib
  • TCP/IP.Lib
  • Text Encodings
  • Power Enabler
  • Internet Library
  • AppleTalk Library
  • MacLinkPlus
  • Internet Config

These system extensions often have a legitimate version. The viral version is distinguished by the fact that it contains an invisible character at the beginning of the name and/or its creator is named 'ACCE'.
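The two indicators above can be turned into a triage check over an exported listing of extension names and creator codes. This is an added example, not code from the original page or from any antivirus vendor; the listing format, the reading of "invisible" as a leading control, format or space character after MacRoman decoding, and the sample entries are assumptions.

```python
import unicodedata

# Extension names this page lists for SevenDust.F (E and G use the first one).
KNOWN_NAMES = {
    "Graphics Accelerator", "CD-ROM Driver", "VideoSync", "Monitors Plug-In",
    "Open Transport", "PPP.Lib", "ADSP Tool", "Photo Access", "Video Picker",
    "ISO 9661 File Access", "Serial Port", "XMODEM.Lib", "TCP/IP.Lib",
    "Text Encodings", "Power Enabler", "Internet Library", "AppleTalk Library",
    "MacLinkPlus", "Internet Config",
}
SUSPECT_CREATOR = "ACCE"  # creator value named on this page


def leading_invisible(name: str) -> int:
    """Count leading characters that do not render as a glyph.
    Assumption: 'invisible' means Unicode category Cc, Cf or Zs."""
    count = 0
    for ch in name:
        if unicodedata.category(ch) not in ("Cc", "Cf", "Zs"):
            break
        count += 1
    return count


def triage(entries):
    """entries: iterable of (raw_name_bytes, creator_code) pairs.
    Returns [(visible_name, [reasons])] for listed names showing an indicator."""
    findings = []
    for raw_name, creator in entries:
        name = raw_name.decode("mac_roman")  # classic Mac OS filename encoding
        visible = name[leading_invisible(name):]
        if visible not in KNOWN_NAMES:
            continue  # the page only describes look-alikes of the listed names
        reasons = []
        if visible != name:
            reasons.append("invisible-prefix")
        if creator == SUSPECT_CREATOR:
            reasons.append("creator-ACCE")
        if reasons:
            findings.append((visible, reasons))
    return findings


# Constructed sample listing; "abcd" is a placeholder creator code.
SAMPLE = [
    (b"\x00Graphics Accelerator", "ACCE"),  # both indicators
    (b"Open Transport", "abcd"),            # clean look-alike name
    (b"\xcaPPP.Lib", "abcd"),               # 0xCA is a non-breaking space in MacRoman
    (b"Serial Port", "ACCE"),               # creator indicator only
]
```
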

SevenDust.G

SevenDust.G modifies a 'MENU' resource to use its infected 'MDEF' resource. It uses the 'WIND' resource for symbiosis. It either adds an infected 'INIT' to the System file or creates an infected 'Graphics Accelerator' extension. It deletes non-application files on the 6th of any month between 6:00 and 7:00 AM.

Origin

SevenDust first appeared on the info-mac shareware site. A description included with the file suggested it was a program intended to speed up graphics routines:

Enclosed you will find my custom Graphics Accelerator that helps PPC macs speed graphics
programs up that use 68K code. It uses a custom blitting subroutine, and it should work
on PPC apps as well. Please include it in your Graphics/Utilities directory. Thank you
very much.

The file was pulled from the site in September of 1998. The source code was widely circulated, accounting for its variants and improvements.
