**************************************************************************
Security Bulletin 9221                  DISA Defense Communications System
August 14, 1992             Published by: DDN Security Coordination Center
                                     (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
using login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. scc/ddn-security-9221).
**************************************************************************

                       Virus Alert: "ALIENS 4"

On Saturday, August 8, 1992, what is believed to be a new "polymorphic"
or "adaptive" virus strain was detected on a Macintosh IIci running
System 7 at the Space Environment Lab in Boulder, Colorado. The NOAA/NIST
staff working on the problem have been unable to identify this particular
strain, so they have given it the name "Aliens 4" because:

     (1) It's fast
     (2) It mutates
     (3) It likes to travel
     (4) Every time you think you've eradicated it, it pops up
         somewhere else.

It is not known at this time whether the virus came in on an infected
floppy or via Internet or DECnet. However, there is a strong suspicion
that the virus can travel via networks. We also suspect that this virus
is one of the new viral strains that can "mutate" into different forms,
making it extremely dangerous because it is difficult (if not impossible)
to trace and very difficult to eradicate.

The investigation continues, but this is what has been found out so far:

     (1) It appears to infect System 7 Macs more easily than
         System 6.07 systems.

     (2) It appears as seemingly random system malfunctions (disk
         drives can't read disks, printer problems, uncommon desktop
         displays).

     (3) It does NOT appear to destroy files.

     (4) Symantec (and others) seem capable of detecting it, but
         unable to eradicate it completely.

     (5) It was first reported by anti-viral software as the nVIR A
         strain, then the MBDF A strain, and so on. For this reason,
         it has been identified as a polymorphic or adaptive filter.

     (6) The only 100% effective solution to date seems to be the
         "hard" re-formatting of infected disks.

The point-of-contact for information about the ALIENS 4 virus is:

     Mr. Dave Bouwer
     dbouwer@selvax.sel.bldrdoc.gov
     (303) 497-3899

If more concrete information on this virus becomes available, interested
parties will be notified.

******************************************************************************
**                                                                          **
**  The DDN Security Coordination Center (SCC) would like to thank          **
**  Mr. Dave Bouwer for bringing this to our attention.                     **
**                                                                          **
******************************************************************************

****************************************************************************
*                                                                          *
*  The point of contact for MILNET security-related incidents is the       *
*  Security Coordination Center (SCC).                                     *
*                                                                          *
*               E-mail address: SCC@NIC.DDN.MIL                            *
*                                                                          *
*               Telephone: 1-(800)-365-3642                                *
*                                                                          *
*  NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,     *
*  Monday through Friday except on federal holidays.                       *
*                                                                          *
****************************************************************************