**************************************************************************
Security Bulletin 9206                  DISA Defense Communications System
February 24, 1992           Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
using login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g., scc/ddn-security-9206).
**************************************************************************

                   New Macintosh Virus Discovered

           Virus: MBDF A
          Damage: minimal, but see below
          Spread: may be significant
Systems affected: Apple Macintosh computers. The virus spreads on all
                  types of systems except MacPlus systems and (perhaps)
                  SE systems; however, it may be present on MacPlus and
                  SE systems and not spread.

A new virus, currently named "MBDF A", has been discovered on Apple
Macintosh computer systems. The virus does not intentionally cause
damage, but it does spread widely. Instances of the virus have been
found at a number of sites worldwide.

The virus has been discovered in games at several archive sites. At
those sites, the games "Obnoxious Tetris" and "Ten Tile Puzzle" are
definitely infected. It is possible that other files may be infected
at some archive sites. You should be especially suspicious of any
games named "tetris-rotating" or "Tetricycle".

The virus does not necessarily exhibit any symptoms on infected
systems. Some abnormal behavior has been reported that may possibly be
traced to the virus. These include Mac crashes and malfunctions in
various programs.
Some specific symptoms include:

  * Infected Claris applications will indicate that they have been
    altered and will refuse to run.
  * The "BeHierarchic" shareware program ceases to work correctly.
  * Some programs will crash if something in the menu bar is selected
    with the mouse.

The virus works under both System 6 and System 7.

If you have downloaded any files from an archive site recently,
especially games, please do not use them or distribute copies of them
to anyone else until you are certain they are not infected.
Furthermore, we very strongly recommend that you DO NOT get any files
from the archive sites until the moderators at those sites have had an
opportunity to remove any infected files.

Currently, the virus is not found by (or evades) most anti-virus
tools. Authors of all the major Macintosh anti-virus tools --
including commercial products such as SAM, Rival and Virex, and
shareware and freeware programs such as Disinfectant, Gatekeeper, and
Virus Detective -- have been informed of this new virus. All are
planning to release updates to their software within the next few
days. These releases will be through the normal distribution channels.

Specific information on some of these products follows:

     Tool: Disinfectant
     Revision to be released: 2.6
     Where to find: usual archive sites and bulletin boards --
          ftp.acns.nwu.edu, sumex-aim.stanford.edu,
          rascal.ics.utexas.edu, AppleLink, America Online,
          CompuServe, Genie, Calvacom, MacNet, Delphi,
          comp.binaries.mac
     When available: (expected) late 2/21/92

     Tool: Rival
     Revision to be released: 1.1.10
     Where to find it: AppleLink, America Online, Internet, CompuServe.
     When available: 2/21/92
     Other info: The only change with 1.1.9 is the ability to detect
          this vaccine (MBDF A).

     Tool: Virex INIT and application
     Revision to be released: 3.6 (for both products)
     Where to find: Microcom, Inc (919) 490-1277
     When available: User definable virus string available 2/21/92
                     3.6 versions available 2/24/92
     Comments: Virex 3.6 (app and INIT) will detect and repair the
          virus. All Virex subscribers will automatically be sent an
          update on diskette. All other registered users will receive
          a notice with information on how to update prior versions so
          that they will be able to detect MBDF. This information is
          also available on Microcom's BBS. (919)419-1602.

     Tool: Virus Detective
     Revision to be released: 5.0.1
     Where to find: Usual bulletin boards will announce a new search
          string. Registered users will also get a mailing with the
          new search string.
     When available: now (2/20/92)
     Comments: search string is
          "Resource MBDF & ID=0 & WData A9ABA146*4446#4A9A0"

Special thanks to the people at Claris who included self-check code in
their Macintosh software products. Their foresight resulted in an
early detection of the virus and has thus helped the entire Mac
community. We strongly encourage other vendors to consider doing the
same with their products.

The SCC wishes to acknowledge Mr. Gene Spafford of Purdue University
as the author of this document.

****************************************************************************
The point of contact for MILNET security-related incidents is the
Security Coordination Center (SCC).

     E-mail address: SCC@NIC.DDN.MIL
     Telephone: 1-(800)-365-3642

NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,
Monday through Friday except on federal holidays.
****************************************************************************