The Hong Kong Virus:
What It Is, How It Works
and How to Exterminate It

by Robert Brakey

Macintosh computers had not suffered from a new Mac-specific virus for several years, so as Avid users we didn't have much to worry about. The last real threat was INIT-29-B from April 1994. (Heard of it? Didn't think so.) Since then, the only viruses of concern were the macro viruses carried inside Microsoft Word and Excel documents, which the freeware Disinfectant never covered but which the commercial scanners handled. That is, until May 1998, with the emergence in Hong Kong of the AutoStart 9805 worm, or, as it has become more commonly known, the Hong Kong virus.

The Hong Kong virus is actually not a virus but a worm: a self-contained program that copies itself from disk to disk on its own, without attaching itself to a host program, much like the lovable creature it is named for. This particular worm has two components. The first is a tiny invisible application named "DB" that sits in the root directory of an infected disk, waiting to be launched. Any HFS or HFS+ volume can carry it, from floppy disks to Jaz cartridges to disk images, and a CD-ROM mastered from an infected volume will carry it too, even though the worm cannot write to the CD itself.

DB takes advantage of the AutoPlay feature of QuickTime 2.5 and later (originally designed by Apple to play track one automatically when an audio CD is mounted, or to launch an application from a CD-ROM). When an infected disk is mounted, AutoPlay launches DB, which immediately installs the second component of the worm in the Extensions folder of the boot drive's System Folder, deceptively naming it "Desktop Print Spooler." The computer then restarts itself, suddenly and without warning, to load the new extension. Once Desktop Print Spooler is running, it searches every mounted volume (including network volumes, if you are connected) for disks that are not yet infected, such as media drives, and installs a copy of DB at the root of each. Those drives then carry the worm to every other workstation they are mounted on.

Now comes the nasty part. The worm systematically scans all mounted drives for data files with common suffixes such as ".data," ".cod" or ".csa." When it finds one, it overwrites almost the entire first megabyte of the file's data fork with random garbage. The damage is irreparable; a corrupted file can only be restored from a backup. Fortunately, Avid media files do not carry these suffixes and are spared this corruption. Keep in mind, though, that the worm's invisible components keep running in the background. On a feature film with 180 GB of storage split into 20 9-GB partitions, that is 20 copies of DB plus the extension, all working unnoticed and slowing the computer down until it grinds to a halt.

Since its appearance, the AutoStart 9805 worm has spawned several variants, labeled AutoStart-B through -F. Variants -B, -C and -D were written to delete themselves after a fixed date, which has now passed, so they no longer pose a threat, but -E and -F are still in circulation. Those strains use the same component names and can be detected and killed with exactly the method used for the original. Once you know the names of the components to look for and understand how the worm works, the Hong Kong virus can be quickly located and terminated. Here's how:

  • First, open the QuickTime Settings control panel and choose "AutoPlay" from the pop-up menu at the top. Uncheck both "Enable Audio CD AutoPlay" and "Enable CD-ROM AutoPlay." This stops DB from launching when an infected disk is mounted; it does not remove a copy of the worm that is already installed, so do not stop here. If you rely on these features, at least leave them off until you have installed a suitable virus disinfectant.

  • Second, use Find File (or Sherlock, on Mac OS 8.5) to search for the DB and Desktop Print Spooler files. Put one name in the first criterion, then hold down the Option key while adding a second criterion, which lets you choose a file's visibility; set it to invisible. Be sure to look for both components, as either half can regenerate the other. Delete every copy you find and empty the Trash; you may have to repeat the search a few times. If the Finder refuses to trash Desktop Print Spooler because it is in use, restart with extensions off (hold down the Shift key at startup) and delete it then. Important: do not confuse Desktop Print Spooler with Apple's own Desktop Printer Spooler, which belongs in your Extensions folder.

  • Third, purchase and install an adequate virus disinfectant. Both Norton AntiVirus 5.0 and Virex v.05_02_98 are capable of the job. If you are unsure about your current software, ask the manufacturer specifically about the Hong Kong virus; as of this writing, the latest version of the freeware Disinfectant cannot kill it. It is a good idea not only to scan every drive automatically as it is mounted, but also to schedule a full scan at regular intervals and keep the reports. You can run Norton AntiVirus late on a Sunday night and come in Monday morning to find a full report of the scan on your desktop.

  • Finally, try to locate the source of the infection, which will help prevent future spreading. Do this investigative work only once your system has been completely disinfected, with AutoPlay off and a scanner in place, and be very careful not to re-infect yourself. At the very least, contact every vendor and colleague who could have given you the worm via a shared disk and let them know you were infected; they can check their own equipment and help stop the spread for everyone.
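The Find File search above is the 1999 answer; if an old Avid volume or a disk image of one is mounted on a present-day machine, the same hunt can be scripted. The scanner below is an added example, not part of the original column and not any vendor's tool. It assumes Python 3 on a modern system, so it cannot see the Finder's invisible flag and matches purely by name and location; the component names, the targeted suffixes and the one-megabyte overwrite are taken from the article, while the entropy cut-off of 7.5 bits per byte, the 4 KB minimum sample and the fake volume it builds for a dry run are assumptions made for the demonstration. It flags a root-level "DB", the "Desktop Print Spooler" extension (leaving Apple's "Desktop Printer Spooler" alone), and any .data/.cod/.csa file whose first megabyte looks like random garbage.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article; the file and extension names are the worm's own.
ROOT_DROPPER = "DB"                          # invisible application at the root of each volume
EXTENSION_NAME = "Desktop Print Spooler"     # installed into System Folder:Extensions
APPLE_LOOKALIKE = "Desktop Printer Spooler"  # Apple's legitimate extension; must not be flagged
TARGET_SUFFIXES = (".data", ".cod", ".csa")  # suffixes of the files the worm overwrites
OVERWRITE_WINDOW = 1024 * 1024               # the worm scribbles over roughly the first megabyte
ENTROPY_THRESHOLD = 7.5                      # bits per byte; random garbage is near 8.0 (assumed cut-off)
MIN_SAMPLE = 4096                            # ignore files too small to judge (assumed)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_overwritten(path: Path) -> bool:
    """True when the leading megabyte is near-random, as it is after the worm has hit the file.
    Compressed or encrypted data trips this too, so the result is a lead, not proof."""
    with open(path, "rb") as fh:
        head = fh.read(OVERWRITE_WINDOW)
    return len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_volume(root) -> dict:
    """Return the worm's indicators found under `root`, as paths relative to the volume."""
    root = Path(root)
    findings = {"droppers": [], "extensions": [], "suspect_files": []}

    def rel(p):
        return Path(p).relative_to(root).as_posix()

    # 1. The dropper sits at the root of the volume. os.scandir lists Finder-invisible
    #    files, which the Finder itself would hide; HFS names are case-insensitive.
    for entry in os.scandir(root):
        if entry.is_file() and entry.name.upper() == ROOT_DROPPER:
            findings["droppers"].append(rel(entry.path))

    # 2. The resident extension, matched by exact name so Apple's "Desktop Printer
    #    Spooler" is left alone.
    ext = root / "System Folder" / "Extensions" / EXTENSION_NAME
    if ext.is_file():
        findings["extensions"].append(rel(ext))

    # 3. Data files with the targeted suffixes whose contents look overwritten.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TARGET_SUFFIXES):
                p = Path(dirpath) / name
                if looks_overwritten(p):
                    findings["suspect_files"].append(rel(p))
    return findings


def build_sample_volume(base) -> Path:
    """Construct a fake infected volume for a dry run (sample data, not a real disk)."""
    base = Path(base)
    ext_dir = base / "System Folder" / "Extensions"
    ext_dir.mkdir(parents=True)
    (base / ROOT_DROPPER).write_bytes(b"\x00" * 64)        # stand-in for the invisible dropper
    (ext_dir / EXTENSION_NAME).write_bytes(b"\x00" * 64)   # stand-in for the worm's extension
    (ext_dir / APPLE_LOOKALIKE).write_bytes(b"\x00" * 64)  # Apple's real extension, a decoy here
    media = base / "Media"
    media.mkdir()
    (media / "reel1.data").write_bytes(os.urandom(64 * 1024))      # "overwritten" by the worm
    (media / "reel2.data").write_bytes(b"frame 0001 ok\n" * 8192)  # intact, low entropy
    (media / "clip.omf").write_bytes(os.urandom(64 * 1024))        # random, but not a targeted suffix
    return base


def run_demo() -> dict:
    """Build the constructed volume in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_volume(build_sample_volume(tmp))


if __name__ == "__main__":
    import sys
    print(scan_volume(sys.argv[1]) if len(sys.argv) > 1 else run_demo())
```

Run it with the mount point of a suspect volume as its argument; with no argument it scans the constructed fake volume and reports "DB", the bogus extension and reel1.data, and nothing else. High entropy only says that the leading megabyte is near-random, so a compressed or encrypted data file would be listed too; treat the list as files to verify against backups rather than as proof of damage. The two name checks depend on the worm keeping its component names, which the article says the surviving variants -E and -F do.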

For more information on the worm, ample documentation is available on the Internet, from software manufacturers and elsewhere. (A good place to start is the special report on the 'Macintouch' site. You can also read about Guild members' experiences with this worm in our 'Technology' discussion group; look for the 'Virus' thread.) This worm has spread quickly around the world, wreaking havoc and locking up computers, but with the right information and preventive steps, you don't have to suffer.


 
Robert Brakey is an assistant editor
and former Hong Kong virus victim.
If you have any comments or feedback on this column,
or an idea or suggestion for a future topic,
email him
Please include the word Avid in the subject of your e-mail.


 
Reprinted from
The Motion Picture Editors Guild Newsletter
Vol. 20, No. 1 - Jan/Feb 1999


 
Copyright © 1999, All Rights Reserved by The Motion Picture Editors Guild, IATSE Local 700