April 10, 2004

Information Security Advisory

This advisory concerns Mac OS X users. Intego (an antivirus vendor) discovered a new worm, called MP3Concept.

To find out whether your Mac OS X computer is infected, do a Finder-based search (Command-F) and set two criteria:

- Name contains: place a file extension here (.mp3, .jpeg, .wmv, etc.)
- Kind: application

The virus exploits a Mac OS vulnerability that allows an executable (application) file to be named as a data file, even though it is a program. The danger of this type of virus is that its payload could launch any type of attack on the computer. As the security vendor Intego notes in its April 8, 2004 press release:

"This Trojan horse has the potential to do any of the following:
- Delete all of a user's personal files
- Send an e-mail message containing a copy of itself to other users
- Infect other MP3, JPEG, GIF or QuickTime files"

Yesterday - April 9, 2004 - Symantec (Norton Antivirus) also released a virus definition available from the Symantec.com website. If you own the Mac OS version of Norton Antivirus, we suggest you update your virus definitions with the LiveUpdate component of your Norton software.

Again, please note that this particular instance of the virus is not dangerous, but could indicate a new trend of attacks against the Mac OS, which could potentially infect any MP3 or QuickTime file.

MP3Concept (MP3Virus.Gen) details obtained from the Symantec website:

The MP3Concept file will appear to be an ordinary mp3 file due to the mp3 icon. When the file is executed by double-clicking on the icon, it does the following:

- Display a message box with the text “Yep, this is an application (So what is your iTunes playing right now?)”.
- Launch iTunes and play the mp3 file, which is the sound of a man laughing.

When the file is loaded directly by iTunes, by using the "Add to Library..." menu command, it gets registered in the library as the song "Wild Laugh". Playing the song "Wild Laugh" only plays the music file of the man laughing and does not display the message box.

Recommendation: verify that your antivirus vendor has released an update for this virus, update your antivirus signatures and run a full scan of your computer.

Happy safe computing!

Frederic Martin
www.workingarts.com

PS1: If you want to be removed from this computer security advisory mailing list, please reply with "remove" in the subject of the message. To review archived security warnings, please go to http://www.workingarts.com/infosecarchives.html

PS2: Please forward this email to your friends and colleagues, who can register to receive these alerts at http://www.workingarts.com/specialoffer.html
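The Finder search described in the advisory (name contains a media extension, kind is application) can be approximated by a script; the following is an added example, not part of the original advisory or any vendor's tool. It flags files with a media extension whose leading bytes are an executable format, so a file that still begins as valid media data is not flagged. The function names, the extra extensions and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions named in the advisory, plus .jpg/.gif/.mov added as assumptions.
MEDIA_EXTS = {".mp3", ".jpeg", ".wmv", ".jpg", ".gif", ".mov"}

# Leading bytes of executable formats a Mac can launch.
EXEC_MAGIC = [
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit (big-endian)"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit (little-endian)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (little-endian)"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal binary"),
    (b"Joy!peff", "PEF (classic/Carbon CFM)"),
    (b"#!", "script with interpreter line"),
]

def executable_kind(path):
    """Return the executable format the file starts with, or None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return next((label for magic, label in EXEC_MAGIC if head.startswith(magic)), None)

def find_disguised(root):
    """List (relative path, format) for media-named files that hold programs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in MEDIA_EXTS:
                continue
            try:
                # isfile() skips non-regular files; opening a FIFO would block.
                kind = executable_kind(full) if os.path.isfile(full) else None
            except OSError:
                continue  # unreadable file: nothing to report
            if kind:
                hits.append((os.path.relpath(full, root), kind))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and scan it."""
    samples = {"real.mp3": b"ID3\x03\x00" + b"\x00" * 16,
               "Laugh.MP3": b"\xfe\xed\xfa\xce" + b"\x00" * 16,
               "photo.jpeg": b"#!/bin/sh\n", "tool": b"\xcf\xfa\xed\xfe"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_disguised(root)
```

Calling `find_disguised()` on a home or downloads folder returns the files to inspect by hand; an empty list means no extension/content mismatch was found by this check.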