Welcome to the MacNN Forums.

bezoar · Dec 20, 2000, 02:13 PM

Just a warning: this virus is still out there, i think i got it from a Hotline file. I'm going to try Virex first to get rid of it. here is the original thread about this virus. BEWARE!:
http://forums.macnn.com/cgi-bin/Foru...ML/001489.html

bezoar · Dec 20, 2000, 03:10 PM

virex did not detect it, so i used Agax. You MUST lock Agax or it will get corrupted with the virus. Also make sure to delete the 666 extension AND the source of the virus (usually a recently installed prog or file, which will show up somewhere in Agax's examination log) before you repair the HD. Thankfully Agax worked, the extension stopped appearing and the apps now open at normal speed....

oscar · Dec 20, 2000, 03:29 PM

Yet another reason to not use hotline, and instead, get all your software legally

bezoar · Dec 20, 2000, 07:13 PM

i don't think i mentioned getting any "illegal software," but thanks for insinuating....

Cipher13 · Dec 20, 2000, 10:30 PM

Heh.
I posted a thread about that a while ago, being infected.
Agax didn't work.
I manually killed that bitch virus...
If anyone gets it and doesn't have virus protection, heres what I did:
Get Super ResEdit. Open the extension and rip its guts out... delete the INIT resource. Then get info on it and lock it down, hard. Lock resources, set Finder flag locked, and so on.
Then remember every App you have opened since getting it, open it up, and you have to delete the virus from there, but I can't remember where it hides in there... dammit I'll check.
Throw away resedit, restart, delete the extension, restart, it shouldn't be there.
Hehe, killed.
Then go out and buy Virex and run it off the CD just to be sure its gone.

Make sure you have the latest Virex definitions file... and I also got it from Hotline.

Cipher13

Jsnuff1 · Dec 20, 2000, 11:30 PM

lol rip its guts out, i like your wording, ive never heard of this virus, what does it do?

Dec 20, 2000, 11:49 PM

Where can I find a copy of super res edit? I did a sherlock search and came up short...lots of mac hacking sites, but only resedit, no super res edit.

Cipher13 · Dec 21, 2000, 03:37 AM

Phaedrus: try your mailbox?

Jsnuff1: Its called Sevendust, aka 666, aka "that bitch that infected all my apps!", and so on

Anyway, you can get it two ways... somethign installs the extension, or you open an infected app.
I haven't read about it, but from what I found out via first hand experience, whenever you launch an infected app, it checks to see if the extension is installed.
If it is? Leaves it alone.
If not? Installs it.
If the extension has been tampered with? Replaces it... it must verify some kind of checksum...
Anyway, when its loaded into memory, whenever you launch an application, it becomes infected.
And so the loop goes on, get what I mean?
Thats how it takes over your system...
Now as for damage, I didn't have any done to me.
I just now looked it up, and found almost nothing... apparently if started up between certain times or dates (can't remember which), or at certain times/dates, it will erase files...
So its not a very nice virus (although a nicely written one, to tell you the truth... its very good

)
So anyway, Virex will take care of it if you ever happen to get it...
I'll see if I can find that site again and post the dates/times/other conditions/whatever

Cipher13

noliv · Dec 21, 2000, 05:31 AM

I heard that it's the 6 june that it erases the files... don't know if it's true (and I don't want to know...)

When I saw this extension which was re-installing itself automatically, I erased it and put a folder with the same name in its place... I didn't saw it anymore (an application is unable to replace a folder by a file, hehehe), but my apps are still infected...

Got it from hotline too...

------------------

Noliv

Cipher13 · Dec 21, 2000, 06:44 AM

June sixth definately rings a bell.
But I might be getting it mixed up with the 26th... Chernobyl is 26 isn't it?
Anyway, use Virex to get rid of it.
If you don't have it, download it, then buy it afterwards, if its an emergency.
Hehe, good thinking with the folder

Cipher13

Richard Pinneau · Dec 21, 2000, 08:43 AM

Cipher,
I looked in MY mail box but didn't see Super ResEdit.
(hint, hint)
�RP

bezoar · Dec 21, 2000, 11:30 AM

Agax didn't work for me at first, in fact, when i first launched it, it would not open saying "Agax may have been infected w/ the virus and refuses to open." So I threw Agax out, unstuffed a new version, and locked it before launching it. Then it worked fine...the SuperResedit way sounds more fun though.

I happened to catch it early by noticing the extension in the system, but otherwise, you will also notice that when you open an app, it takes about 10 seconds to open. Don't know if it causes any more damage than that...

olePigeon · Dec 22, 2000, 01:36 AM

Just be lucky you're not on a Windows PC. They have about 50 times the virii as we do and have to put up with a lot more crap.

ethan79 · Dec 22, 2000, 05:48 AM

i was infected by sevendust too ... and the best part of it ..
i was a new machintosh user, just touch the ibook for only 2 days and i was given the "present" ... tink i was downloading some softwares.

Well .. i have forgotten whether it was norton anti-virus or disk first aid that i ran which discovered the problem ... it keeps on re-surfacing even after the problem was supposedly to be "fixed" ...
Was follow the instruction to repair and delete the file, but the THING keeps on coming back....

In the end, i used the wonderful restore CD and blast everything out of it. Had the partial restore, setting aside the files i want and then reinstall and drag out the files which i want to keep.
And finally the ibook is smiling again

phew ... thought i was so LUCKY to received the coverted present..

The problem is ... i do not know how i got infected ......
does anyone have the idea why i got the virus ?
I suppose is because of the file i downloaded ?
But since the norton or disk first aid ( i cannot rememer ) can detect when i run the program .. why it cannot detect it when i was downloading the file if it was in the file ?

thank you

exa · Dec 22, 2000, 01:53 PM

Hmm, when I had Sevendust and tried using Agax (locked) it wiped all the virii but it resurfaced. Apparantely what happened was that my system files were corrupt (eg, the System) so I had to start up off a boot cd and then wipe evreything out and replace the system file... works fine now...

Cipher13 · Dec 22, 2000, 07:00 PM

You could have contracted it via the file you downloaded, very easily.
It may not have detected it becuase it was in a compressed archive, or because for some reason the virus definitions file didn't have Sevendust (which couldn't be right)... unless its an altered strain of it?

Uh-oh, you didn't drop your PowerBook did you??

Cipher13

Richard Pinneau · Dec 23, 2000, 09:06 AM

Cipher,
Mucho, mucho thanks for the "Super" email.
Don't want to impose on you, but if you get a chance to pull the related "Read Me" off the CD, I'll vote extra stars for you.

[ I like to be well-read in the techniques before beginning self-brain-surgery ]
RP

Cipher13 · Dec 23, 2000, 08:09 PM

No prob, if you don't get the mail within 3 days, send me a reminder

The original is archived on floppy disk (lol, I know

), so I just gotta pull it out. I know which disk so its no prob

Just remind me to do it if you don't get it

Cipher13

crazyjohnson · Dec 25, 2000, 09:37 AM

Great band . .

Originally posted by Cipher13:
. . . because for some reason the virus definitions file didn't have Sevendust . . .

Cipher13 · Dec 26, 2000, 04:26 AM

As Fenix*Tx would say...
"those guys *****n rule..."

Cipher13