CorelDRAW Mac CDs carried AutoStart worm

In October 1998, Corel recalled the second pressing of CorelDRAW 8.0 for Mac OS. Virus Bulletin reported that the affected CD-ROMs carried the D strain of AutoStart 9805 and that Corel said it had retrieved 95% of the infected discs during the first week of October.

The delivery path was plain physical distribution. A user mounted a trusted Corel CD-ROM on a PowerPC Mac with QuickTime AutoStart enabled. The operating system could then launch an application from the volume before the user made a security decision.

AutoStart 9805 lived in removable media and the classic Mac OS Extensions path. Earlier variants used an invisible DB file and a hidden Desktop Print Spooler component, then copied themselves to other mounted HFS or HFS+ volumes. The D strain was less destructive than the original line, but the carrier was official product media.

Corel responded by recalling the affected batch and issuing public guidance. The incident belongs with the older physical-media failures: the package was authentic, the label was trusted, and the bytes on the disc were not clean.

Cause

Contaminated Physical Media

Transitive

No

• Virus Bulletin November 1998virusbulletin.com
• Corel infected CDs recalledtheregister.com
• "Autostart" Worm Breaks Mac Malware Silencetidbits.com
• Virus Bulletin July 1998virusbulletin.com