[10:00 AM] Symantec Identifies Trojan Horse Virus Reported Last Week
Last week we posted a story about some trojan horse viruses discovered by HOnzua Koudelka of Czechoslovakia. In that report, we relayed the excellent work that Mr. Koudelka and other members of his Czech Mac User's Group had done in tracking down the source of the problem. While that work was sent to Network Associates, makers of Virex, Symantec contacted Mr. Koudelka (with a little help from us) and subsequently got to the bottom of the situation. If you need more information on this story, check out the original post.
The company tells The Mac Observer that the files are not technically viruses, but are in fact Trojan Horse pranks. However, and this is important, the company stressed that they don't like to announce pranks because people may tend to consider these files to be "safe." Should these files later be modified to become more malicious, people may not take them seriously. Subsequently, Symantec has offered us a description of what the symptoms might be if you installed one of these pranks. According to Symantec:
There was a bug in the installer logic of one of the files that caused it to install a bad Open Tpt Internet Library, which will cause a crash on startup, but will not delete files or otherwise cause damage. This mistake was so blatant and sloppy that we felt it was not intentional. One of the trojans simply moved the mouse cursor to the bottom of the screen after 50 seconds of inactivity, and the other gradually and progressively dimmed the screen until it was at something like 25% brightness. The visual cues (mouse cursor moving off the screen, screen dimming slowly) indicate that someone has picked up one of these trojans.
Also, if the user is experiencing a crash at startup during the extension loading phase, we suggest that he or she look for the file "Open Tpt Internet Library" or "OpenTptInternetLib" in the Extensions folder. In System 8.5.1 the first of these files is around 450K, and the second is around 250K. The bogus versions of these files will only be about 8K in size. Provided that there are no other problems, removing the bogus file will allow the Mac to be restarted successfully.
The files "OpenTptSerial" and "OpenTptLibrary", which look like legitimate shared libraries, but which are actually extensions that perform the pranks, are installed by these trojans.
Also, as usual, Symantec would stress that all Mac users obtain, and make use of, an anti-virus program, and that they keep their virus definitions up to date. Norton AntiVirus 6.0 for Macintosh has been designed to make the updating procedure as quick and as painless as possible, and we naturally recommend it. The web site http://www.symantec.com/avcenter/ contains information about viruses and hoaxes, as well as other kinds of attacks on users' systems.
The company will be including these latest files in its next release of the Norton AntiVirus (NAV) virus definitions. The most recent definitions do not include information on dealing with these files.
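Until the definitions are updated, the manual check Symantec describes above (undersized Open Transport files, plus the two prank extension names) can be scripted against a copy of an Extensions folder. This is an added example, not Symantec's or The Mac Observer's code; the 10% size threshold, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Names and sizes come from Symantec's description above (System 8.5.1).
EXPECTED_KB = {"Open Tpt Internet Library": 450, "OpenTptInternetLib": 250}
PRANK_NAMES = {"OpenTptSerial", "OpenTptLibrary"}
# Assumption: a file under 10% of its expected size is treated as bogus
# (the bogus copies are described as about 8K).
BOGUS_FRACTION = 0.10


def scan_extensions(folder):
    """Return sorted (filename, reason) findings for one Extensions folder."""
    findings = []
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        if name in PRANK_NAMES:
            findings.append((name, "prank extension name"))
        elif name in EXPECTED_KB:
            size_kb = os.path.getsize(path) / 1024
            if size_kb < EXPECTED_KB[name] * BOGUS_FRACTION:
                findings.append(
                    (name, f"bogus size: {size_kb:.0f}K, expected ~{EXPECTED_KB[name]}K"))
    return sorted(findings)


def build_sample(folder):
    """Constructed sample: one bogus library, one normal, one prank, one unrelated."""
    sample = {"Open Tpt Internet Library": 8, "OpenTptInternetLib": 250,
              "OpenTptSerial": 12, "AppleShare": 300}
    for name, kb in sample.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"\0" * (kb * 1024))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, reason in scan_extensions(tmp):
            print(f"{name}: {reason}")
```

A copy that dropped resource forks can under-report file sizes, so confirm any size hit against the original volume before removing a file.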
The Mac Observer Spin: Kudos to Symantec for dealing with this so fast and working to keep the Mac community informed. Kudos to Mr. Koudelka for finding the problem in the first place!