In the past couple of stories on this site, I’ve talked about Opener, the virus that isn’t. First, ZDnet (and some other press) couldn’t wait to classify the script as a virus, even before the facts were known. Then during last week’s Your Mac Life broadcast, Gregg Mastoras, a representative from Sophos, told me in so many words that Opener has no way to spread itself.
Today Apple issued its official comment, and Sophos, in response, directly contradicted what they told me on-air last Wednesday.
According to this article at ZDnet (the same ZDnet that got the story wrong to begin with), Apple has issued the following statement concerning Opener:
“Apple has just released the following statement and will not comment beyond this: ‘Opener is not a virus, Trojan horse, or worm. It does not propagate itself across a network, through email, or over the Web. Opener can only be installed by someone who already has access to your system and provides proper administrator authentication. Apple advises users to only install software from vendors and Web sites that they know and trust.’”
This pretty closely matches my assessment of Opener. I’ve seen the code, although admittedly an older version dated late March 2004, and I didn’t see any way for it to reproduce. I can’t be sure what I saw was the complete, up-to-date script, however.
Sophos, at the same time, continues to insist that Opener is a worm. As I stated before, Gregg Mastoras of Sophos told Shawn and me on-air last week that there was no way for Opener to reproduce itself. Yet this quote appears in the ZDnet story:
“I know there has been a lot of debate about this,” said Graham Cluley, senior technology consultant for Sophos. “We class it as a worm. It’s not going to spread very fast, but it does try to copy itself from Apple Mac drive to Apple Mac drive, and that still makes it a worm. If you saw something similar in the PC world, you would call it a worm.”
So which is it? It spreads (reproduces itself) or not? Not surprisingly, the company that sells anti-virus software classifies it as a worm. According to Mr. Cluley, the script copies itself from drive to drive on the local Mac. If that’s true, merely copying the script, even to networked drives, doesn’t activate it. For a fairly simple shell script, this one important point seems to be a tough one to hash out. Sophos needs to get its story straight before they tell two different media outlets contradictory information about the behavior of this script.
So I appeal to my readers: Does Opener spread itself? If so, how? Please provide appropriate code or links that clearly demonstrate how it spreads.