mac virus?
April 25, 2007 6:08 PM

how did my mac get a virus???

i have an ibook g4 and use firefox. in the past couple of days, yahoo mail has not been letting me attach word docs as attachments because yahoo's virus blocker says the files are infected with "W97M.Thus.Family".

this only applies to .doc files. it even happens if i just copy and paste all the text into a new .doc file. however, i can save the document as an .rtf and send it with no problem.

i did accidentally open a piece of spam about a week ago, but i didn't open any attachments.

what happened? i thought macs weren't supposed to get viruses!
posted by thinkingwoman to Computers & Internet (32 answers total) 4 users marked this as a favorite
 
MSWord viruses are portable between Windows and the Mac. You can get infected by opening an infected .DOC file.

As to "Macs aren't supposed to get viruses", there are Mac viruses out there. But the bad guys prefer to shoot for bigger and more numerous targets.
posted by Steven C. Den Beste at 6:20 PM on April 25, 2007


Response by poster: so how do i fix it? what's the standard virus-zapper for macs?
posted by thinkingwoman at 6:25 PM on April 25, 2007


Best answer: Were these documents moved from a Windows system? Do you dual-boot to a Windows OS (and use Firefox from there)? Were these documents originally sent to you through email?

Macs are just as susceptible to viruses as Windows systems. Though, in the near past, the likelihood that someone would take their time to actually write a malicious worm for Mac OS was slim. Still there have been proof-of-concept viruses written for OSX.

I would recommend running ClamXav to detect if you have any viruses. But switch to a commercial virus scanning software product if none are detected. Though my advice is limited to that, I am unaware of any exemplary commercial virus scanners for OSX.

On preview: Mr. Den Beste, are you aware if MS Word macro viruses or embedded document viruses can adversely affect Mac OS systems?
posted by Colloquial Collision at 6:28 PM on April 25, 2007


There's a whole class of W97M.Thus viruses that affect Office applications. I'm not a virus expert, but I'd recommend installing any Office updates that might be available, and/or reinstalling the Office application.

on preview: yes, it affects macs. although it may just act as a carrier.
posted by phaedon at 6:30 PM on April 25, 2007


Sometimes Word Macro viruses hide themselves in the Normal template. It resides in ~/Documents/Microsoft User Data/ and Word will "regenerate" a fresh copy if you delete it. If a virus checker doesn't fix it, try nuking the template.
posted by :-) at 6:32 PM on April 25, 2007


Response by poster: upon further reflection, i do remember being alerted by yahoo that a word doc that was mailed to me (by a known source) was infected with this but that yahoo's norton antivirus had cleaned it. this was months and months ago, though.

i don't run windows anything, and come to think of it, neither do any of the people i normally share word docs with.
posted by thinkingwoman at 6:36 PM on April 25, 2007 [1 favorite]


Whatever file it was that infected you is waiting to infect you again if you ever open it again. Just removing the current infection is not enough; you'll need to locate the infection vector and do something about it, too. That's why you'll need some sort of virus scanning program that checks every .DOC file on your system.
posted by Steven C. Den Beste at 6:39 PM on April 25, 2007
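
Added example, not part of the thread: a triage pass for the "check every .DOC file" advice above. It parses the OLE2 container that binary Word documents and templates use and lists the files that carry a VBA macro project at all; it does not identify any particular virus, and a hit may be a legitimate macro. The storage names it looks for and its reliance on the header's 109 FAT pointers (files up to about 7 MB) are assumptions of this example.

```python
import struct, sys
from pathlib import Path

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")     # OLE2 compound-file signature
MAXREGSECT = 0xFFFFFFFA                            # highest valid sector number
VBA_NAMES = {"macros", "vba", "_vba_project"}      # assumed: where Word keeps a VBA project

def directory_names(data):
    """List storage/stream names in an OLE2 file (empty list if it is not OLE2)."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return []
    size = 1 << struct.unpack_from("<H", data, 30)[0]       # sector size from header
    n_fat, dir_start = struct.unpack_from("<II", data, 44)  # FAT count, first dir sector
    def sector(n):
        return data[(n + 1) * size:(n + 2) * size]
    fat = []                                   # built from the header DIFAT only
    for sid in struct.unpack_from("<109I", data, 76)[:n_fat]:
        raw = sector(sid) if sid <= MAXREGSECT else b""
        fat.extend(struct.unpack(f"<{len(raw) // 4}I", raw[:len(raw) // 4 * 4]))
    names, sid, seen = [], dir_start, set()
    while sid < len(fat) and sid not in seen:  # follow the directory chain, loop-safe
        seen.add(sid)
        raw = sector(sid)
        for off in range(0, len(raw) - 127, 128):           # 128-byte directory entries
            name_len, kind = struct.unpack_from("<HB", raw, off + 64)
            if kind in (1, 2, 5) and 2 <= name_len <= 64:   # storage, stream, root
                names.append(raw[off:off + name_len - 2].decode("utf-16-le", "replace"))
        sid = fat[sid]
    return names

def scan(root):
    """Return files under root that are OLE2 containers holding a VBA project."""
    hits = []
    for p in sorted(Path(root).rglob("*")):    # by content: the template may have no extension
        try:
            data = p.read_bytes() if p.is_file() else b""
        except OSError:
            continue
        if VBA_NAMES & {n.lower() for n in directory_names(data)}:
            hits.append(p)
    return hits

if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("contains a VBA project:", hit)
```

Because it matches on file content rather than on the .doc extension, it also picks up a template such as the Normal file mentioned in this thread.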


Phaedon, when you state it affects Macs, would this particular strain of virus only harm MS Office, or harm the entire security and stability of the OSX system?

I don't mean to get off-topic, I apologize. I'd just like to gauge the severity of an MS Word document virus on a Macintosh.

On preview: Ms. thinkingwoman, is this the same document? If it's not, and the virus is on all your Word documents, then your Mac may have a virus. Also I would second the recommendation of deleting the templates in MS Word, should this be the case.
posted by Colloquial Collision at 6:42 PM on April 25, 2007


If you configure Word not to run macros on startup (which is the default on recent versions) you will avoid the need for a dedicated virus program. Do that, then ditch Normal.dot and you should be good to go. Tell your friends to do the same.

The good news is, they are removing Visual Basic support from the next Mac version of Office, so this problem will go away.
posted by kindall at 6:44 PM on April 25, 2007


CC: Like I said, I haven't dealt directly with viruses, well, since OS X hit the market. But that doesn't mean I'm not knocking on wood.

Sometimes I'll get some demon-possessed preference conflicts in X, but those are pretty easy to fix.
posted by phaedon at 7:04 PM on April 25, 2007


Response by poster: i ran clamxav on my microsoft office file and it found the virus in my "normal" template, as the smiley one above intuited. i created a quarantine folder and had clamxav put it there. i then dragged it to the trash and emptied it.

i am now able to attach .doc files to my yahoo mail--no viruses detected.

and yes, this was happening with several different docs.

thanks all! my problem is solved, but continue to discuss if you like--i don't understand all of it, but i should educate myself more about this anyway.
posted by thinkingwoman at 7:10 PM on April 25, 2007


I'm really interested in this one; I've never heard of a Word virus that used a Mac for anything other than a carrier. I'd try running ClamXAV just to see if it catches anything -- who knows, maybe you've found something new!

And then I'd nuke those template files like other people have suggested.

In the future, unless you absolutely need it, totally disabling the Macro features/functionality in Word and other Office apps seems like a no-brainer to me, given the amount of crap that seems to abuse it.
posted by Kadin2048 at 7:12 PM on April 25, 2007


I did some poking around in Symantec's virus database for your particular virus. Sadly "W97M.Thus.Family" only narrows it down to a family of Word 97 macro viruses and not just one. Some of these viruses are relatively benign and don't do much other than just spread to additional documents without doing anything else. Others attempt to do things like deleting all files in and below the folder they exist in at some pre-ordained time.

I'm not a Mac-head, but I do antivirus and antispam software design for email servers, which is a slightly different thing. I would take Colloquial's advice about doing an initial scan of your machine (and subsequent scans).

Steven Beste is also correct that that file will re-infect you if you encounter it again -- if it's sitting in your email on a remote server, or is on a USB key somewhere or something else, this will happen again. Proactive virus protection is your only defense.
posted by MarcieAlana at 7:23 PM on April 25, 2007


There are no viruses that cause harm on OS X. None. While I am sure it was irritating to have yahoo block your mail, that was the extent of the damage done to you. No files will be deleted on your mac. You could have, however, infected PC users to whom you emailed the documents.
posted by mzurer at 7:57 PM on April 25, 2007


Word macro virii (and excel virii) can only infect Office Documents.

It's technically a Word virus (due to scripting/macros), not an OSX virus. They cannot damage the OS.

Here is a specific set of instructions to remove it.
posted by filmgeek at 8:37 PM on April 25, 2007


mzurer writes "There are no viruses that cause harm on OS X. None."

Not right now, maybe. This isn't an excuse not to be careful about security. I keep thinking that an entire generation of Mac users are going to be hosed when and if a nasty virus does surface - because someone, somewhere, eventually, is going to come up with one, and very few Mac users have had to learn the hard way what happens when you implicitly trust your computer's security. There is absolutely no good reason not to have and use a virus scanner - even if it's only run once in a while as a preventative, or used to scan download files prior to opening rather than keeping it memory-resident.
posted by caution live frogs at 8:42 PM on April 25, 2007


Visual BASIC viruses are potentially cross-platform; in theory, they should even be capable of running under OpenOffice.org on a Linux box (no MS products involved at all). However, they really will be able to do much less damage to a Mac or Linux box than to the typical Windows box, simply because Macs and Linux boxes don't use computer administrator accounts for day-to-day work. It seems pretty unlikely to me that an interpreted language like VB would give a virus writer access to a privilege-escalation exploit they could use to burrow further in, but as Bruce Schneier has observed, attacks always get better with time.
posted by flabdablet at 9:55 PM on April 25, 2007


mzurer: "There are no viruses that cause harm on OS X. None."

So secunia is full of crap, then?
posted by Mr. Gunn at 10:01 PM on April 25, 2007


mzurer: "There are no viruses that cause harm on OS X. None."

So secunia is full of crap, then?

These two things are not mutually incompatible. The hole can exist, but be logistically impossible to exploit by a virus OR no one has bothered to exploit it.
posted by IronLizard at 11:01 PM on April 25, 2007


Mr. Gunn, I think you must have the wrong URL. There was no description of a virus that harms a computer running OS X.
posted by mzurer at 11:38 PM on April 25, 2007


That sounds like a challenge!
posted by Iax at 12:22 AM on April 26, 2007


Mr. Gunn, that link does not describe a virus (in the definition that it's a program that copies itself, by exploiting vulnerabilities and/or attaching itself to a program/document to propagate), but a vulnerability in a program that can lead to this program being exploited, which can lead to a compromise.

Another thing I don't buy when it comes to viruses on the Mac (or Linux for that matter): But the bad guys prefer to shoot for bigger and more numerous targets.

What is the goal of a virus writer? Exposure. Attention. Think of how much press a virus writer would get for an actual virus (in the Windows sense of the word) running on Mac/Linux. The "the user base is too small" argument is, imho, crap.

The first virus code for Vista was released in 2005, two years before it was even available to the customer. Why did this virus writer bother, when almost no one was using Vista? Because it got him (or her) attention, exposure. And because the security/privilege model of Windows is still broken, and fundamentally different from Unix-like systems, where it's much more difficult to gain system-wide privileges that can wreak havoc.

sorry for being off-topic
posted by lodev at 12:42 AM on April 26, 2007


When the I Love You worm was the last word in threats, you'd have been right about the attention and exposure thing. These days, with virus writing being largely a matter of gluing together the right scripts, it seems to me that the virus writer's main goal would have to be conscripting your PC into their zombie bot army; and writing for the OS with 90% workstation market share is definitely the best way to get a return on effort expended.

That said: systems with a Unix cultural legacy are always going to be harder to infect than systems with DOS cultural legacy. Rick Moen explains why.

Now, it's technically trivial to run a Windows XP box the same way as your typical Mac or Linux box (using a limited user account for day-to-day stuff), but because of the prevailing Windows culture, lots of apps break and need fiddling to fix when you do that; therefore, most people simply don't.

I do.

So do most of the people whose computers I fix, after I've cleaned them up and explained why it's a good thing to do.

In four years of fixing computers for people, I've been called back to fix a second massive Windows malware infestation only twice that I can remember; one was somebody who had given her kids the admin password to stop the pestering about busted games, and the other had bought a new computer and assumed that NotAn Antivirus was an adequate substitute for safe computing practices.

My tip is that this situation won't change in the Windows world until at least the version after Vista.

thinkingwoman: I bet if you changed the permissions on all your Word template files to -rw-r--r--, and changed the owner to root:root, you'd still be able to use them as templates but no virus could then infect them.
posted by flabdablet at 1:54 AM on April 26, 2007 [1 favorite]


Over the din: "There are no self-replicating viruses for Mac OS X. Only a Trojan or two have appeared for the system in over five years of its existence, and they required the user to think he was pirating software and to open the 10 kilobyte Microsoft Office installer."

On that note, Office macros are cross-platform, though most malicious instances are not programmed to take OS X into account. Just turn off scripting.
posted by stance at 5:56 AM on April 26, 2007


That's untrue. There have been two Mac OSX worms. The first spread through an iChat vulnerability and the second through a bluetooth vulnerability. Before OSX, there were more.
posted by IronLizard at 6:32 AM on April 26, 2007


Wasn't the iChat thing actually a Trojan, or a semi-Trojan, in that it sent a malicious file but required the user to open it manually in order to infect the machine?
posted by staggernation at 6:52 AM on April 26, 2007


Not according to Sophos.
posted by IronLizard at 9:14 AM on April 26, 2007


"But the bad guys prefer to shoot for bigger and more numerous targets."

Please stop spreading this FUD. The level of 'street cred' that an actual self propagating Mac OS X virus would get a hacker group is amazing. Mac OS X is a huge target simply because of its excellent security record.

Those "worms" still required people to actually download, save, double click, and run some sort of attachment. Their lifetime was extremely short lived, and there are only a handful of reports of any damage being done.

Of course Sophos is going to list them - they sell antivirus software. Same with Symantec.

"Before OSX, there were more." No, there weren't. The biggest one was probably the Autostart worm, which was easy to squish and did very little damage.

"Mac virus author admits coding difficulties".

An older, but interesting FAQ on Mac viruses. Very little has changed since 2000.

But you can keep spreading all the FUD you want.

I'm sure everyone will just start screaming "fanboi" but.. meh, whatever. I've been dealing with this crap for years and it's still the same.
posted by drstein at 11:17 AM on April 26, 2007 [1 favorite]


"Before OSX, there were more." No, there weren't. The biggest one was probably the Autostart worm, which was easy to squish and did very little damage.

When contradicting yourself like this, it's best to do so in separate comments. Here's one list.

No one is arguing that Macs have a far better track record than windows here. The original question was whether or not Mac viruses existed. I stand by my statement that there were more than two Macintosh viruses (if you don't mind quoting me in context there, buddy) before OS X, Q.E.D.
posted by IronLizard at 11:51 AM on April 26, 2007


Not according to Sophos.

That very same article is actually where I got the idea that the iChat thing was more Trojan-like than virus-like. Their attempt to redefine "Trojan" and "worm," in order to preserve the title of their press release, seems sketchy at best.
posted by staggernation at 11:54 AM on April 26, 2007


The key thing to remember is that trojans generally don't replicate after being opened, the iChat worm/virus/trojan/hybrid/whatever does. One possible exception is a trojan that's actually a dropper. Its payload, however, would then be a virus with the original trojan remaining in place.
posted by IronLizard at 2:31 PM on April 26, 2007


IronLizard: Eh, whatever. You understood my point. I wasn't contradicting myself at all. Your list is just a rehash of one of the links I pasted.

None of the "Mac viruses" were auto-replicating/spreading anyway.
It's still a moot point.
posted by drstein at 10:19 AM on April 27, 2007

