MacNN Forums (http://forums.macnn.com/)
-   Classic Macs and Mac OS (http://forums.macnn.com/classic-macs-and-mac-os/)
-   -   666 Extension (http://forums.macnn.com/64/classic-macs-and-mac-os/46715/666-extension/)

 
bezoar Dec 20, 2000 01:13 PM
666 Extension
Just a warning: this virus is still out there, i think i got it from a Hotline file. I'm going to try Virex first to get rid of it. here is the original thread about this virus. BEWARE!:
http://forums.macnn.com/cgi-bin/Foru...ML/001489.html
 
bezoar Dec 20, 2000 02:10 PM
virex did not detect it, so i used Agax. You MUST lock Agax or it will get corrupted with the virus. Also make sure to delete the 666 extension AND the source of the virus (usually a recently installed prog or file, which will show up somewhere in Agax's examination log) before you repair the HD. Thankfully Agax worked, the extension stopped appearing and the apps now open at normal speed....
 
oscar Dec 20, 2000 02:29 PM
Yet another reason to not use hotline, and instead, get all your software legally
 
bezoar Dec 20, 2000 06:13 PM
i don't think i mentioned getting any "illegal software," but thanks for insinuating....
 
Cipher13 Dec 20, 2000 09:30 PM
Heh.
I posted a thread about that a while ago, being infected.
Agax didn't work.
I manually killed that bitch virus...
If anyone gets it and doesn't have virus protection, heres what I did:
Get Super ResEdit. Open the extension and rip its guts out... delete the INIT resource. Then get info on it and lock it down, hard. Lock resources, set Finder flag locked, and so on.
Then remember every App you have opened since getting it, open it up, and you have to delete the virus from there, but I can't remember where it hides in there... dammit I'll check.
Throw away resedit, restart, delete the extension, restart, it shouldn't be there.
Hehe, killed.
Then go out and buy Virex and run it off the CD just to be sure its gone.

Make sure you have the latest Virex definitions file... and I also got it from Hotline.

Cipher13
 
Jsnuff1 Dec 20, 2000 10:30 PM
lol rip its guts out, i like your wording, ive never heard of this virus, what does it do?
 
Phaedrus Dec 20, 2000 10:49 PM
Where can I find a copy of super res edit? I did a sherlock search and came up short...lots of mac hacking sites, but only resedit, no super res edit.
 
Cipher13 Dec 21, 2000 02:37 AM
Phaedrus: try your mailbox? http://forums.macnn.com/cgi-bin/wink.gif
Jsnuff1: Its called Sevendust, aka 666, aka "that bitch that infected all my apps!", and so on http://forums.macnn.com/cgi-bin/wink.gif
Anyway, you can get it two ways... somethign installs the extension, or you open an infected app.
I haven't read about it, but from what I found out via first hand experience, whenever you launch an infected app, it checks to see if the extension is installed.
If it is? Leaves it alone.
If not? Installs it.
If the extension has been tampered with? Replaces it... it must verify some kind of checksum...
Anyway, when its loaded into memory, whenever you launch an application, it becomes infected.
And so the loop goes on, get what I mean?
Thats how it takes over your system...
Now as for damage, I didn't have any done to me.
I just now looked it up, and found almost nothing... apparently if started up between certain times or dates (can't remember which), or at certain times/dates, it will erase files...
So its not a very nice virus (although a nicely written one, to tell you the truth... its very good http://forums.macnn.com/cgi-bin/smile.gif)
So anyway, Virex will take care of it if you ever happen to get it...
I'll see if I can find that site again and post the dates/times/other conditions/whatever http://forums.macnn.com/cgi-bin/smile.gif

Cipher13
 
noliv Dec 21, 2000 04:31 AM
I heard that it's the 6 june that it erases the files... don't know if it's true (and I don't want to know...)

When I saw this extension which was re-installing itself automatically, I erased it and put a folder with the same name in its place... I didn't saw it anymore (an application is unable to replace a folder by a file, hehehe), but my apps are still infected...

Got it from hotline too...

------------------
http://www4.macnn.com/macnn/forums/ystar.gif Noliv
 
Cipher13 Dec 21, 2000 05:44 AM
June sixth definately rings a bell.
But I might be getting it mixed up with the 26th... Chernobyl is 26 isn't it?
Anyway, use Virex to get rid of it.
If you don't have it, download it, then buy it afterwards, if its an emergency.
Hehe, good thinking with the folder http://forums.macnn.com/cgi-bin/smile.gif

Cipher13
 
Richard Pinneau Dec 21, 2000 07:43 AM
Cipher,
I looked in MY mail box but didn't see Super ResEdit.
(hint, hint)
óRP
 
bezoar Dec 21, 2000 10:30 AM
Agax didn't work for me at first, in fact, when i first launched it, it would not open saying "Agax may have been infected w/ the virus and refuses to open." So I threw Agax out, unstuffed a new version, and locked it before launching it. Then it worked fine...the SuperResedit way sounds more fun though.

I happened to catch it early by noticing the extension in the system, but otherwise, you will also notice that when you open an app, it takes about 10 seconds to open. Don't know if it causes any more damage than that...
 
olePigeon Dec 22, 2000 12:36 AM

Just be lucky you're not on a Windows PC. They have about 50 times the virii as we do and have to put up with a lot more crap.
 
ethan79 Dec 22, 2000 04:48 AM
i was infected by sevendust too ... and the best part of it ..
i was a new machintosh user, just touch the ibook for only 2 days and i was given the "present" ... tink i was downloading some softwares.

Well .. i have forgotten whether it was norton anti-virus or disk first aid that i ran which discovered the problem ... it keeps on re-surfacing even after the problem was supposedly to be "fixed" ...
Was follow the instruction to repair and delete the file, but the THING keeps on coming back....

In the end, i used the wonderful restore CD and blast everything out of it. Had the partial restore, setting aside the files i want and then reinstall and drag out the files which i want to keep.
And finally the ibook is smiling again http://forums.macnn.com/cgi-bin/smile.gif
phew ... thought i was so LUCKY to received the coverted present..

The problem is ... i do not know how i got infected ......
does anyone have the idea why i got the virus ?
I suppose is because of the file i downloaded ?
But since the norton or disk first aid ( i cannot rememer ) can detect when i run the program .. why it cannot detect it when i was downloading the file if it was in the file ?

thank you
 
exa Dec 22, 2000 12:53 PM
Hmm, when I had Sevendust and tried using Agax (locked) it wiped all the virii but it resurfaced. Apparantely what happened was that my system files were corrupt (eg, the System) so I had to start up off a boot cd and then wipe evreything out and replace the system file... works fine now...
 
Cipher13 Dec 22, 2000 06:00 PM
You could have contracted it via the file you downloaded, very easily.
It may not have detected it becuase it was in a compressed archive, or because for some reason the virus definitions file didn't have Sevendust (which couldn't be right)... unless its an altered strain of it?

Uh-oh, you didn't drop your PowerBook did you??

Cipher13
 
Richard Pinneau Dec 23, 2000 08:06 AM
Cipher,
Mucho, mucho thanks for the "Super" email.
Don't want to impose on you, but if you get a chance to pull the related "Read Me" off the CD, I'll vote extra stars for you. http://forums.macnn.com/cgi-bin/smile.gif
[ I like to be well-read in the techniques before beginning self-brain-surgery ]
RP
 
Cipher13 Dec 23, 2000 07:09 PM
No prob, if you don't get the mail within 3 days, send me a reminder http://forums.macnn.com/cgi-bin/smile.gif
The original is archived on floppy disk (lol, I know http://forums.macnn.com/cgi-bin/wink.gif), so I just gotta pull it out. I know which disk so its no prob http://forums.macnn.com/cgi-bin/wink.gif
Just remind me to do it if you don't get it http://forums.macnn.com/cgi-bin/smile.gif

Cipher13
 
crazyjohnson Dec 25, 2000 08:37 AM
Great band . .

Quote
Originally posted by Cipher13:
. . . because for some reason the virus definitions file didn't have Sevendust . . .
 
Cipher13 Dec 26, 2000 03:26 AM
As Fenix*Tx would say...
"those guys *****n rule..."

Cipher13
 
All times are GMT -4. The time now is 10:54 PM.

Copyright © 2005-2007 MacNN. All rights reserved.
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2014, vBulletin Solutions, Inc.


Content Relevant URLs by vBSEO 3.3.2