ARCHIVED: For Mac OS, what is the AutoStart 9805 worm, and what can I do to protect my computer from it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Note: The AutoStart 9805 worm variants will damage only PowerPC systems. Also, an infection cannot result from mounting a network volume.

AutoStart 9805, also known as the Hong Kong Virus, is a worm that first surfaced in early May 1998. Since then, a number of variants have also appeared. The worm initially attacks systems using the CD-ROM AutoPlay feature of QuickTime 2.5+, copying itself to a computer when an infected volume is mounted. It will then begin replicating itself to other volumes and start destroying files. The more obvious symptoms of an AutoStart Worm infection are unexplained periods of network and disk activity that occur at predictable intervals, unrecoverably damaged files, and an application (usually called DB, BD, DELDB, Desktop Print Spooler, Desktop Printr Spooler, or DELDesktop Print Spooler) that launches on startup and then runs as a background-only process. When the startup volume is first infected, it may cause a restart.

To defend yourself from infection, disable QuickTime's CD-ROM AutoPlay feature. To do this, open your QuickTime™ Settings control panel and in the AutoPlay section, turn off Enable CD-ROM AutoPlay. This is a preventive measure that will not help you if your computer has already been infected. If you suspect your computer has been infected or need to use the CD-ROM AutoPlay feature, you should get an updated copy of a virus protection program such as Norton AntiVirus, VirusScan, or Virex.

If you are a little more Mac OS savvy, you can remove the worm yourself. Look in the top level of your hard disk for an invisible application called DB, BD, or DELDB and remove it.

Note: Do not trash files like Desktop DB or Desktop Printers DB!

Also, check in your Extensions folder for another invisible application called Desktop Print Spooler, Desktop Printr Spooler, or DELDesktop Print Spooler.

Note: Do not confuse this with the Desktop Printer Spooler extension, which should be visible.

You should check all of your hard disks, partitions, floppies, and removables, as they could also be infected.
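
The manual check above, as an added example that is not part of the original document: a Python script for a volume mounted on a current system, matching the listed names only in the locations the page gives, so that Desktop DB, Desktop Printers DB, and Desktop Printer Spooler are never flagged. Treating any folder named Extensions as the Extensions folder, the sample layout, and the function names are assumptions; the script does not read the invisible attribute, so each hit is a candidate for review.

```python
import os
import tempfile

# File names taken from the page, keyed by the location it says to check.
ROOT_SUSPECTS = {"db", "bd", "deldb"}
EXTENSIONS_SUSPECTS = {
    "desktop print spooler",
    "desktop printr spooler",
    "deldesktop print spooler",
}


def scan_volume(volume_root):
    """Return sorted paths on one volume whose name and location match the page."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(volume_root):
        if os.path.samefile(dirpath, volume_root):
            wanted = ROOT_SUSPECTS            # top level of the disk
        elif os.path.basename(dirpath).lower() == "extensions":
            wanted = EXTENSIONS_SUSPECTS      # assumption: any folder named Extensions
        else:
            continue
        for name in filenames:
            # Exact match only, compared case-insensitively as HFS does.
            if name.lower() in wanted:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_volume(root):
    """Constructed sample layout: two suspect names plus the legitimate look-alikes."""
    ext = os.path.join(root, "System Folder", "Extensions")
    os.makedirs(ext)
    for name in ("DB", "Desktop DB", "Desktop Printers DB"):
        open(os.path.join(root, name), "w").close()
    for name in ("Desktop Printr Spooler", "Desktop Printer Spooler"):
        open(os.path.join(ext, name), "w").close()
    # The same name away from the top level is not what the page describes.
    open(os.path.join(root, "System Folder", "DB"), "w").close()


def demo():
    """Scan the constructed volume and return hits relative to its root."""
    with tempfile.TemporaryDirectory() as vol:
        build_sample_volume(vol)
        return [os.path.relpath(p, vol) for p in scan_volume(vol)]


if __name__ == "__main__":
    for path in demo():
        print("review:", path)
```

Call scan_volume once per mount point to cover every hard disk, partition, floppy, and removable.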

This is document aghx in the Knowledge Base.
Last modified on 2018-01-18 12:07:56.