**************************************************************************
Security Bulletin 9210                  DISA Defense Communications System
March 19, 1992              Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE DATA NETWORK
                          SECURITY BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using
login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. scc/ddn-security-9210).
**************************************************************************

              *** Macintosh INIT 1984 Virus Discovered ***

        Virus: INIT 1984
        Damage: high
        Spread: minimal
        Systems affected: Apple Macintosh computers. All types.

A new virus, which has been designated "INIT 1984", has been discovered
on Apple Macintosh computer systems. This virus is designed to trigger
if an infected system is booted on any Friday the 13th in 1991 or later
years. Damage from the virus includes changing the names and attributes
of a large number of folders and files to random strings and the actual
deletion of a small percentage (< 2%) of files.

The virus infects only system extensions of type "INIT" (also known as
"startup documents"). It does not infect the System file, desktop
files, control panel files, applications, or document files. Because
INIT files are shared less frequently than are applications, and because
of the structure of the virus code, the INIT 1984 virus does not spread
as rapidly as most other viruses.

As of the date of this announcement (3/19/92), we have only a few
reported sightings of this virus, including one from a site in Europe
and one from a site in the USA.
In both cases, the virus caused significant damage when infected
Macintoshes were restarted on Friday, 3/13/92. Because only a few
reports of damage were received, we have reason to believe that the
virus is not widespread.

However, it is conceivable that this virus might have affected Macintosh
systems on Friday 9/13/91 or Friday 12/13/91 without being recognized as
the cause of the damage. If you think you may have been a victim of
this virus in 1991, please contact me via e-mail at spaf@cs.purdue.edu.

The current versions of Gatekeeper and SAM Intercept (in advanced and
custom mode) are effective against this virus. Either program should
generate an alert if the virus is present and attempts to spread to
other files.

The virus affects all types of Macintosh computers. It spreads and
attacks under both System 6 and System 7. On very old Macintoshes
(those with the 64K ROMs), the virus will cause crashes at boot time.

Authors of all major Macintosh anti-virus tools are planning updates to
their tools to locate and/or eliminate this virus. Some of these are
listed below. We recommend that you obtain and run an updated version
of at least one of these programs.
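
A retrospective check for the unrecognized 1991 damage discussed above,
given as an added example (it is not part of the original bulletin). It
lists the trigger dates and flags help-desk notes that describe renamed
or missing files on or shortly after one. The log format, the keyword
list and the three-day reporting window are assumptions, and the sample
log is constructed.

```python
from datetime import date, timedelta

# Constructed sample: help-desk notes as "YYYY-MM-DD host free-text summary".
SAMPLE_LOG = """\
1991-09-13 mac-lab-07 folders renamed to random characters after restart
1991-09-16 mac-lab-02 several files missing, folder names garbled
1991-10-02 mac-adm-01 printer driver not found
1991-12-13 mac-lab-07 machine will not start from floppy
1992-03-13 mac-eng-11 file and folder names changed to random strings
"""

# Assumed keywords for the damage the bulletin describes (renamed or deleted items).
SYMPTOMS = ("renamed", "random", "garbled", "missing", "deleted")


def trigger_dates(start, end):
    """Every Friday the 13th between start and end (inclusive), 1991 or later."""
    found = []
    for year in range(max(start.year, 1991), end.year + 1):
        for month in range(1, 13):
            day = date(year, month, 13)
            if start <= day <= end and day.weekday() == 4:  # Monday is 0, Friday is 4
                found.append(day)
    return found


def suspect_reports(log_text, grace_days=3):
    """Return (host, report_date, trigger_date) for symptom reports on or just after a trigger."""
    reports = []
    for line in log_text.splitlines():
        if line.strip():
            stamp, host, summary = line.split(None, 2)
            reports.append((date.fromisoformat(stamp), host, summary.lower()))
    if not reports:
        return []
    grace = timedelta(days=grace_days)  # assumed reporting lag (damage found after a weekend)
    first = min(r[0] for r in reports) - grace
    last = max(r[0] for r in reports)
    hits = []
    for day, host, summary in reports:
        near = [t for t in trigger_dates(first, last) if timedelta(0) <= day - t <= grace]
        if near and any(word in summary for word in SYMPTOMS):
            hits.append((host, day, near[-1]))
    return hits


if __name__ == "__main__":
    print(trigger_dates(date(1991, 1, 1), date(1992, 3, 19)))
    for host, day, trig in suspect_reports(SAMPLE_LOG):
        print(f"{host}: reported {day}, trigger date {trig}")
```

A flagged report is only a candidate for follow-up; confirming infection
still requires scanning the machine with one of the updated tools.
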

Some specific information on updated Mac anti-virus products follows:

    Tool: Disinfectant
    Status: Free software (courtesy of Northwestern University and
            John Norstad)
    Revision to be released: 2.7
    Where to find: usual archive sites and bulletin boards --
            ftp.acns.nwu.edu, sumex-aim.stanford.edu,
            rascal.ics.utexas.edu, AppleLink, America Online,
            CompuServe, Genie, Calvacom, MacNet, Delphi,
            comp.binaries.mac
    When available: (expected) 3/18/92

    Tool: Gatekeeper
    Status: Free software (courtesy of Chris Johnson)
    Revision to be released: 1.2.5
    Where to find: usual archive sites and bulletin boards --
            microlib.cc.utexas.edu, sumex-aim.stanford.edu,
            rascal.ics.utexas.edu, comp.binaries.mac
    When available: (expected) 3/20/92

    Tool: Rival
    Status: Commercial software
    Revision to be released: INIT 1984 Vaccine
    Where to find it: AppleLink, America Online, Internet, CompuServe.
    When available: Immediately.

    Tool: SAM (Virus Clinic and Intercept)
    Status: Commercial software
    Revision to be released: 3.0.7
    Where to find: CompuServe, America Online, AppleLink, Symantec's
            Bulletin Board @ 408-973-9598
    When available: Immediately. Version 3.0.7 of the Virus
            Definitions file is also available.

    Tool: Virex INIT
    Status: Commercial software
    Revision to be released: 3.7
    Where to find: Microcom, Inc (919) 490-1277
    When available: Immediately.
    Comments: Virex 3.7 will detect and repair the virus. All Virex
            subscribers will automatically be sent an update on
            diskette. All other registered users will receive a
            notice with information to update prior versions to be
            able to detect INIT-1984. This information is also
            available on Microcom's BBS, (919) 419-1602, and is
            given below.

            Virus Name: INIT 1984
            Guide Number: 5275840
            Virus Code: 0049 4E49 5410 07C0 96
                        3008 1490 7710 002F 2C
                        3C49 4E49 5400 0300 1E
                        4AA9 AB55 4F81 8090 9A

    Tool: Virus Detective
    Status: Shareware
    Revision to be released: 5.0.3
    Where to find: Usual bulletin boards will announce a new search
            string.
            Registered users will also get a mailing with the new
            search string.
    When available: Immediately.
    Comments: search string is
            Resource INIT & Size<4500 & WData 494E#EA994*4954#8A9AB ; For finding INIT1984

The SCC wishes to acknowledge Mr. Gene Spafford of Purdue University as
the author of this document.

****************************************************************************
*                                                                          *
*    The point of contact for MILNET security-related incidents is the     *
*    Security Coordination Center (SCC).                                   *
*                                                                          *
*               E-mail address: SCC@NIC.DDN.MIL                            *
*                                                                          *
*               Telephone: 1-(800)-365-3642                                *
*                                                                          *
*    NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,   *
*    Monday through Friday except on federal holidays.                     *
*                                                                          *
****************************************************************************