Re: Can iTunes run AppleScript as well as Trojan code?
- Subject: Re: Can iTunes run AppleScript as well as Trojan code?
- From: Mark Douma <email@hidden>
- Date: Tue, 13 Apr 2004 03:25:37 -0400

On Apr 09, 2004, at 12:52 AM, Graff wrote:

> The part about it opening in iTunes and acting like an MP3 looks to be
> a side effect of the file having proper ID3 tags. According to what
> I've read this type of trojan can't do anything at all to iTunes, it's
> when you try to open the file directly through the Finder or some
> other launcher program that the trojan comes into effect. The ID3
> tags are just there to further throw you off.

While I could be wrong, in my understanding, the ID3 tags are there to
contain or "wrap around" the actual CFM PPC executable code, which
(must?/usually) resides in the data fork of a single-file dual-fork
CFM type application. The resource fork of the application contains the
'cfrg' (Code Fragment Directory) resource which contains a pointer to
where the executable code is stored. Ordinarily, this points to the
very beginning of the data fork. In the case of this "trojan", however,
you can see in this image:
http://homepage.mac.com/mdouma46/virus.gif
that the PPC code is simply shifted 64 bytes forward, and the 'cfrg'
resource is changed to reflect this. Since ID3 tags can basically
consist of anything, that's a way for the PPC code to exist in the data
fork, yet for the file to be a "legit" MP3 file and play correctly in
iTunes.

---------------------------------------------------------------------------
Mark Douma
Grand Rapids, MI, USA
email@hidden
http://homepage.mac.com/mdouma46/
---------------------------------------------------------------------------
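
The layout described in the message above can be checked for from the data fork alone. The following is an added example, not part of the original post and not the poster's code: it parses a leading ID3v2 tag and reports any PEF (CFM) container header, which begins with the bytes `Joy!peff` followed by an architecture code, found inside the tag region. The function names and the sample bytes are constructed for illustration, and the sample assumes the container header sits entirely inside the tag at file offset 64.

```python
PEF_MAGIC = b"Joy!peff"          # tag1 + tag2 of a PEF (CFM) container header
PEF_ARCHS = {b"pwpc", b"m68k"}   # architecture field that follows the magic

def id3v2_tag_length(data: bytes) -> int:
    """Total length of a leading ID3v2 tag (header included), or 0 if none."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    size_bytes = data[6:10]
    if any(b & 0x80 for b in size_bytes):   # syncsafe bytes never set bit 7
        return 0
    size = 0
    for b in size_bytes:
        size = (size << 7) | b
    footer = 10 if data[5] & 0x10 else 0    # ID3v2.4 footer flag
    return 10 + size + footer

def find_pef_in_id3(data: bytes) -> list:
    """Offsets of PEF container headers that start inside the ID3v2 tag."""
    end = min(id3v2_tag_length(data), len(data))
    hits = []
    pos = data.find(PEF_MAGIC, 0, end)
    while pos != -1:
        if data[pos + 8:pos + 12] in PEF_ARCHS:
            hits.append(pos)
        pos = data.find(PEF_MAGIC, pos + 1, end)
    return hits

def syncsafe(n: int) -> bytes:
    """Encode n as the 4-byte syncsafe integer used in the ID3v2 header."""
    return bytes((n >> s) & 0x7F for s in (21, 14, 7, 0))

def build_sample(with_pef: bool) -> bytes:
    """Constructed test data: an ID3v2.3 tag, then a few MP3-frame-like bytes."""
    body = bytearray(200)                   # zero padding as tag body
    if with_pef:
        body[54:66] = PEF_MAGIC + b"pwpc"   # 10-byte header + 54 = offset 64
    header = b"ID3" + bytes([3, 0, 0]) + syncsafe(len(body))
    return header + bytes(body) + b"\xff\xfb\x90\x00" + bytes(32)

if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)),
                        ("embedded", build_sample(True))):
        print(label, "tag length:", id3v2_tag_length(blob),
              "PEF headers at:", find_pef_in_id3(blob))
```

This inspects only the data fork; the 'cfrg' resource lives in the resource fork and has to be examined separately to confirm that it points at the reported offset.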