Symantec AntiVirus Research Center (SARC) has confirmed the existence of a new AppleScript worm called Mac.Simpsons@mm. The worm targets users of Microsoft's e-mail clients Outlook Express and Entourage.
When executed, it opens Outlook Express or Entourage and sends a copy of itself with the original message to everyone in the user’s address book.
“The title of the script is ‘Simpsons Episodes’. This virus does not appear to be particularly malicious,” said Symantec. “It appears to be similar to other mass mailing worms affecting the PC platform such as the ILOVEYOU virus. So far SARC has only received very few submissions of this worm.”
Symantec reports that the body of the message is as follows:
Hundreds of Simpsons episodes were just secretly produced and sent out on the internet, if this message gets to you, the episodes are enclosed on the attachment program, which will only run on a Macintosh. You must have system 9.0 or 9.1 to watch the hilarious episodes, in high quality. Just download and open it. From, <your name> -- To get random signatures put text files into a folder called "Random Signatures" into your Preferences folder.
Symantec said that Microsoft’s Entourage e-mail client software should warn users before executing the AppleScript, which gives Mac users an opportunity to defeat this AppleScript worm before it executes. Outlook Express has no such feature, however.
Apparently the worm copies itself into the Startup Items folder inside the System Folder. Quitting either Internet Explorer or Entourage causes the application to relaunch. Symantec said that the worm also appears to delete all sent e-mail from the sent items folder (the e-mails can be rescued by dragging them from the deleted folder).
Symantec said that it’s working on an update to its virus eradication software, Norton AntiVirus for Macintosh (NAV), to fix the problem. In the interim, the company points to an unconfirmed solution put forth by Mac info site MacInTouch:
“Let the machine start to boot up normally, and then hold the shift key down AFTER the extensions have loaded but BEFORE the Finder has launched. This will let you load a normal extension set, while still killing the virus. Then delete the virus from the Startup Items folder and continue on your merry way.”
Visit Symantec’s Web site for more details.