An INIT called STEROID has been discovered to be a Trojan Horse. It falsely claims to accelerate QuickDraw on 9" monitors but in fact contains a time bomb that will erase all mounted volumes (floppies and hard disks) on July 1st, 1990. Apparently, erased files can be recovered with SUM II (Symantec Utilities for Macintosh) and probably with other file recovery utilities. Needless to say, disable this INIT immediately and do not depend on one of the file recovery utilities. Strangely enough, having the Communication Toolbox installed seems to prevent STEROID from working.
The details of STEROID’s identity are as follows:
TYPE               : INIT
CREATOR            : qdac
CODE SIZE          : 1080
DATA SIZE          : 267
ID                 : 148
INIT Resource Name : QuickDraw Accelerator
File Name          : " Steroid" (First 2 characters are ASCII 1)
Created            : June 2, 1990, 11:24 AM
Version            : Steroid 1.1
Note the two invisible characters in front of the file name. They ensure that STEROID will load before SAM and other virus prevention utilities that might stop STEROID. Paul Cozza, author of SAM (Symantec AntiVirus for Macintosh) says that SAM would flag STEROID if and only if SAM loads before STEROID, which does not happen currently due to the two invisible characters before STEROID’s name. No unknown INITs should ever be allowed to run before SAM for just this reason.
If you use SAM, you can enter the following virus definition in Virus Clinic to allow both SAM Intercept and Virus Clinic to detect this Trojan during scans.
Virus Name:    Steroid Trojan
Resource Type: INIT
Resource ID:   148
Resource Size: 1080
Search String: ADE9 343C 000A 4EFA FFF2 4A78 (hex)
String Offset: 96
If you use Virus Detective 4.x, you can enter the following search string to find STEROID.
Resource INIT & Size<1200 & WData FE680C6E#E4EBA#F60 ; For finding Steroid Trojan
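The SAM definition fields and the invisible-prefix file name described above can be checked mechanically. The sketch below is an added example, not part of the original advisory and not SAM's or Virus Detective's code. It assumes the string offset is a decimal byte offset from the start of the resource and uses plain byte-order sorting as a stand-in for INIT load order; the sample resource, the folder listing and the "Guard INIT" name are constructed.

```python
# Added example; not SAM's or Virus Detective's code.
# Field values are the SAM definition quoted in the advisory.
SEARCH = bytes.fromhex("ADE9343C000A4EFAFFF24A78")
RES_TYPE, RES_ID, RES_SIZE = "INIT", 148, 1080
OFFSET = 96  # assumption: decimal byte offset from the start of the resource


def matches_definition(res_type: str, res_id: int, data: bytes) -> bool:
    """True when type, ID, size and the search string at OFFSET all match."""
    if (res_type, res_id, len(data)) != (RES_TYPE, RES_ID, RES_SIZE):
        return False
    return data[OFFSET:OFFSET + len(SEARCH)] == SEARCH


def leading_control_chars(name: bytes) -> int:
    """Count leading bytes below 0x20, which do not display in a file listing."""
    count = 0
    for byte in name:
        if byte >= 0x20:
            break
        count += 1
    return count


def early_hidden_loaders(names, guard: bytes):
    """Names that sort ahead of the guard INIT and start with control bytes.

    Assumption: load order is approximated by plain byte-order sorting.
    """
    return [n for n in sorted(names)
            if n < guard and leading_control_chars(n) > 0]


def make_sample(offset: int) -> bytes:
    """Constructed 1080-byte resource: zero filler with SEARCH at offset."""
    body = bytearray(RES_SIZE)
    body[offset:offset + len(SEARCH)] = SEARCH
    return bytes(body)


# Constructed folder listing; "Guard INIT" is a hypothetical scanner file name.
FOLDER = [b"Guard INIT", b"\x01\x01Steroid", b"Clock INIT"]

if __name__ == "__main__":
    print(matches_definition("INIT", 148, make_sample(96)))
    print(matches_definition("INIT", 148, make_sample(100)))
    print(early_hidden_loaders(FOLDER, b"Guard INIT"))
```

The second call places the search string four bytes late, which shows that the definition is position-sensitive: a match needs the string at the stated offset as well as the right type, ID and size.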
Chuq Von Rospach — [email protected]
Joel B. Levin — [email protected]
Paul Cozza — SAM Author