VIRUS ALERT: SevenDust/666 (Mac OS) Error 127





I've been a Windows user (and Mac hater) for most of my life (I had a Linux phase when I was about 13 years old, but my current OS of choice is Windows 7). In recent years, a couple of iMacs (and a lemon of an eMac) have fallen into my hands and I've been discovering the wonderful world of MacOS9, much to my preteen chagrin. I've been having a ball installing old software and even making a version of the site accessible by those old macs! So, imagine my disappointment when my beloved graphite iMac G3 running MacOS 9.2 fell ill, throwing up "error 127" on boot.


For some reason I was always under the foolish impression that Macs couldn't get viruses. I guess it was a marketing tactic after all! Funnily enough, computer viruses happen to be a special interest of mine. Around the same time I was in my Linux phase, I discovered the danooct1 channel on YouTube and instantly became fascinated with the world of computer viruses. I was so obsessed with computer viruses that I even decided to name my solo music project after one! I also became obsessed with retro computing and even had my own crappy Compaq tower with the hard drive plucked out in which I would boot DOS from CD and play games. So, in short, learning that I had contracted a virus on my beloved iMac was equal parts enthralling and terrifying.


I inserted the Software Install boot disc and ran Disk First Aid from there. I figured that my hard disk could have been damaged by some recent file deletion that had taken place (the system also had MacOSX installed on it, which I decided I wanted no part of and opted to get rid of it for extra disk space.) The utility ran and made some repairs, so I crossed my fingers and toes hoping that would fix the problem. Nope! Error 127. My heart sank. I know it's just a silly computer, but I had been having so much fun with it that the idea of losing it really got to me. So, I investigated further. Luckily, an Apple forum post clued me into the fact that I might have a virus. I was researching the "error 127" code I was receiving on startup (which prevented me from doing anything past boot) and the OP noted he had a mysterious extension show up in his system files entitled " 666". Another user informed him that he had the SevenDust virus. I checked my extensions, and lo and behold, the very same extension was on my computer!


I had installed iTunes the night before, so I assumed that it may have been infected. I booted up my iMac with the system install disc, deleted the iTunes files and the mysterious extension, and figured that would do the trick. So, once again, imagine my disappointment when I rebooted the computer to see the same error! More frantic research ensued, which led me to this helpful forum post. The user by the name of Lunchbox details a process in which to get rid of this satanic yet docile virus.


I had a 666 infection a while back, here's how it works and how to fix it:
Sevendust is a "polymorphic" virus, (it is also the only one of this type on the macos) meaning it replicates by itself by installing into other apps. If you look at your apps in resedit there will probably be a strange new "INIT" resource - this is sevendust. Whenever a program starts up sevendust installs into the program from the system folder. If an infected program notices sevendust isn't there, it installs into the system folder - you see the problem here (note that a program can only be infected/install sevendust when it starts up, I think).
You're on the right track to getting rid of sevendust! Open it in resedit - kill the init resource and lock it down in resedit. This will effectively stop the spread of sevendust - but it won't get rid of it from your infected apps. To get rid of all of sevendust, get Virex. It worked for me and did a great job. You can safely delete the extension after it repairs the apps. NOTE: DO NOT RUN VIREX BEFORE YOU REMOVE THE INIT AND LOCK DOWN THE EXTENSION! Virex will become infected and won't let itself run (a neat feature that renders it useless).



This all sounds a bit daunting if you're not a geek, and I felt the same way. However, more research led me to a French blog post that provided all the answers I needed (and an even easier way out!) A utility by the name of Agax was created to neutralize SevenDust as well as a few other viruses. You can find the download at the bottom of this page.


JUST SHUT UP ALREADY, HOW DO I SAVE MY MAC?



Well, I'll tell ya how! You're going to want to boot your PC from a CD burned with either an iMac Software Install image or an iMac Software Restore image. (For other models of Macs, the procedure will be similar, but you will need to find boot discs that are compatible with your PC. These can be found on Macintosh Garden or Macintosh Repository.) These will need to be burned to a CD that you insert into your iMac on startup. When you insert your burned CD/DVD, restart the computer and hold down the C key while your computer boots up. If all goes well, your Mac should boot from the CD and you will be able to see all your files. Go into your hard drive system folder and look for the Extensions folder. If you're infected with SevenDust, you will find the " 666" extension somewhere inside the folder! (Later variants of the virus can drop an extension under different names.)


Now before you go running any programs, please realize that ANY program you run after the virus has infected your system will be infected with SevenDust! Try to run as few programs as possible at this point to avoid further infection.



This is where things get pretty tricky. You're going to have to find some way to get files from a clean PC onto your Mac. I attempted to use an FTP server to get the files onto my iMac, but I'm not sure if you can connect to the internet when you're booted from the install disc (it didn't work for me!) Sadly, inserting flash drives with the files didn't work at all, as my iMac wasn't able to recognize them and demanded that I either format them or eject them. Same thing happened with CDs I burnt on my Windows PC. I was just about to lose hope when I remembered my eMac, which despite its blown caps and broken fan, is able to run for a good while before freezing. I was able to transfer the files from a flash drive to the eMac, and then I inserted a CD into it and burned the files from there. It worked! So, in my case, I had to use another Mac, a USB DVD drive, a flash drive, and a blank CD to get the files needed onto my iMac. It's not ideal, but all other avenues had been exhausted. The things I do for obsolete technology!


In your case, things might be easier. Just understand that you cannot eject the bootable install disk when it's running and insert another CD - it just doesn't work (again, at least it didn't for me!) Once you've gotten these files onto your Mac, the real fun begins. Extract Agax onto your desktop, select the Agax file (FOR THE LOVE OF GOD DON'T RUN IT YET!), open the "File" menu from the top toolbar, select "Get Info", "General Information", and check the "Locked" box at the bottom left of the window. The reason you have to do this is because if the file is not locked, SevenDust will write itself into Agax, rendering it completely useless. You will know this has happened if on startup Agax complains about being tampered with and won't start. Delete the files and install again if this happens, and make sure ta lock it this time, ya dope!

So, you locked the file? Good. Now you can run the Agax program. Select the "Repair" menu from the toolbar and select your hard drive (or optionally, all drives, a certain file, etc.) At this point Agax will find all infected files and repair them. It will report to you which files have been infected in the log window. After this you should move the " 666" extension into your trash and empty the trash. From the log you may be able to determine which program you installed was the one that infected your PC. In my case, literally every program I've ever run had been infected! This clued me into the fact that it had to be one of the first programs I ever ran.


At this point you'll want to mount the Virex disc and do a scan. If it comes back with no infected files then you're ready to move to the next step! If it does, there may be more work to do. Make sure to delete or replace the offending files. In the case of programs like StuffIt or other preinstalled utilities that have been infected, you can find installers and replacements on both Software Install and Restore discs. According to a commenter on the French blog post, the reason the "error 127" happens is because Finder is damaged. Replacing the Finder should do the trick, but I recommend replacing all the pack-in software by way of the Software Restore disc. This way, you can keep all your personal files while restoring the MacOS 9.x components to their factory settings. This final step should fix the "error 127" problem at last! Now you're exorcised of the nasty daemon that is SevenDust! Once your Virex scan comes back clean it's a good idea to install it to prevent this from happening in the future. Virex will detect files infected with SevenDust and prevent them from running.


In my case, I can only deduce the cause of the virus to be a game I installed by the name of The Seven Colors: Legend of PSY*S City. The "TinyPianist 1.0" program seemed to be the culprit. I can't remember which source I installed this game from, but I'm almost positive the virus came from this game. Luckily it was the A variant, which isn't as destructive as some of the later variants (however it eventually caused the dreaded "error 127"). So, my message to all you retro-enthusiasts out there:

PRACTICE SAFE FILESHARING!


It's not impossible to contract a virus even in the modern day. Some files shared on the web are still infected and can even run right under your nose for months, as it did in my case!
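The forum post quoted earlier says infected apps pick up a strange new "INIT" resource that you can see in ResEdit. As an added example (not from that post, Agax or Virex), here is a Python sketch for a clean modern machine that parses a raw resource fork and flags applications carrying an INIT resource before you copy them over; the sample files, names and resource IDs are constructed, and how you obtain each file's fork bytes and Finder file type is left to you.

```python
import struct

def list_resources(fork: bytes) -> dict:
    """Parse a raw classic Mac OS resource fork into {type: [resource IDs]}."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    _data_off, map_off, _data_len, map_len = struct.unpack_from(">4I", fork, 0)
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("resource map lies outside the fork")
    (type_list_off,) = struct.unpack_from(">H", fork, map_off + 24)
    tl = map_off + type_list_off               # type list starts with (count - 1)
    n_types = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF
    found = {}
    for i in range(n_types):
        rtype, n_minus1, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        found[rtype.decode("mac_roman")] = [
            struct.unpack_from(">h", fork, tl + ref_off + 12 * j)[0]
            for j in range(n_minus1 + 1)]
    return found

def apps_with_init(files: dict) -> list:
    """files: name -> (Finder file type, fork bytes). Flag applications holding INIT."""
    return [name for name, (ftype, fork) in files.items()
            if ftype == "APPL" and "INIT" in list_resources(fork)]

def build_fork(types: dict) -> bytes:
    """Build a minimal fork (1-byte resource bodies) for the constructed samples."""
    data = b"\x00\x00\x00\x01\x00" * sum(len(ids) for ids in types.values())
    type_list = struct.pack(">H", (len(types) - 1) & 0xFFFF)
    refs, first_ref, k = b"", 2 + 8 * len(types), 0
    for rtype, ids in types.items():
        type_list += struct.pack(">4sHH", rtype, len(ids) - 1, first_ref + len(refs))
        for rid in ids:
            refs += struct.pack(">hhB3sI", rid, -1, 0, (5 * k).to_bytes(3, "big"), 0)
            k += 1
    body = type_list + refs
    header = struct.pack(">4I", 16, 16 + len(data), len(data), 28 + len(body))
    return header + data + header + struct.pack(">IHHHH", 0, 0, 0, 28, 28 + len(body)) + body

# Constructed samples: names, types and resource IDs are made up for illustration.
SAMPLES = {
    "Clean App": ("APPL", build_fork({b"CODE": [0, 1], b"MENU": [128]})),
    "Odd App": ("APPL", build_fork({b"CODE": [0, 1], b"INIT": [128]})),
    "Some Extension": ("INIT", build_fork({b"INIT": [128]})),  # normal for extensions
}

if __name__ == "__main__":
    print(apps_with_init(SAMPLES))
```

A hit is a reason to open the file in ResEdit or scan it, not proof of infection. On modern macOS the fork bytes can be read from `<path>/..namedfork/rsrc`.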

DOWNLOADS BELOW:



Please note: These downloads are meant for MacOS 9.x. These programs may or may not run on lower versions. If they do not, I recommend using Macintosh Garden to find versions of ResEdit and/or Virex that suit your fancy. Thanks for reading!