************************************************************************** Security Bulletin 9414 DISA Defense Communications System May 6, 1994 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9302). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the NASA ! ! Automated Systems Incident Response Capility team and is being ! ! relayed unedited via the Defense Information Systems Agency's ! ! Security Coordination Center distribution system as a means ! ! of providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + The following bulletin was released to the NASA community by NASIRC: NASIRC BULLETIN #94-17 May 5, 1994 Dangerous New DOS Trojan ("CD-IT.ZIP") Found =========================================================== __ __ __ ___ ___ ____ ____ /_/\ /_/| /_/ / _/\ /_/| / __/ \ / __/\ | |\ \| || / \ \ | /\/ | || | /\ \/ | | \/ | ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | | | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\ |_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/ NASA Automated Systems Incident Response Capability =========================================================== NASIRC recently received information about a potential "trojan horse" program being distributed on the Internet as "CD-IT.ZIP" SYSTEMS AFFECTED: This trojan apparently only runs on "IBM compatible" systems; DOS is definitely susceptible, and Windows might be. THE PROBLEM: According to information posted in several Clarinet newsgroups, a new and dangerous trojan is showing up at publicly-accessible Internet sites. This trojan, called CD-IT.ZIP, supposedly gives your PC full read/write capabilities on its CD-ROM drive. The CD-IT documentation states the program was authored by Joseph S. Shiner, couriered by HDA and copyrighted by Chinon Products. The problem came to light when a user who had downloaded the file from a FidoNet server in Baltimore, MD, realized that it is IMPOSSIBLE to make a standard CD-ROM drive writable with a small software utility and reported it to Chinon. Other suspicious indicators were obscenities in the documentation and a line indicating that HDA stands for "Haven't Decided a Name Yet." In a statement to Newsbytes, Chinon America stated it has no division as named in the documentation. Chinon engineers also report that if CD-IT is actually run, it locks up the computer; it will then remain in memory (even after reboot) and will corrupt critical system files on the hard disk as well as any available network volumes. Chinon's R&D Director stated that he has not heard of any systems that have (yet) been affected by this trojan. THE FIX: Although there is no real "fix" for a trojan or virus, there are two important points NASIRC wishes to make: 1) DO NOT DOWNLOAD THE FILE "CD-IT.ZIP" FROM ANY ON-LINE ARCHIVES! 2) DO NOT RUN THE "CD-IT" UTILITY! Once a system is infected, the only way to eradicate the virus is to perform a high-level reformat of the hard drive! To quote the Clarinet post, "Chinon is encouraging anyone who might have information that could lead to the arrest and prosecution of the parties responsible for CD-IT to call the company at 310-533-0274. In addition, the company has notified the major distributors of virus protection software, such as Symantec and McAfee Associates, so they may update their programs to detect and eradicate CD-IT. NASIRC will continue to monitor this situation and will post additional information should it become necessary. If you have any questions about this bulletin, please contact NASIRC via any of the venues below. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= NASIRC ACKNOWLEDGES: Hank Middleton of NASA's Goddard Space Flight Center for notifying NASIRC of this situation. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= =============================================================== For further assistance, please contact the NASIRC Helpdesk: Phone: 1-800-7-NASIRC Fax: 1-301-441-1853 Internet Email: nasirc@nasa.gov 24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056 STU III: 1-301-982-5480 =============================================================== This bulletin may be forwarded without restriction to sites and system administrators within the NASA community. The NASIRC online archive system is available via anonymous ftp. You will be required to enter your valid e-mail address as the "password". Once on the system, you can access the following information: ~/bulletins ! contains NASIRC bulletins ~/information ! contains various informational files ~/toolkits ! contains automated toolkit software The contents of these directories is updated on a continuous basis with relevant software and information; contact the NASIRC Helpdesk for more information or assistance. ----------------- PLEASE NOTE: Users outside of the NASA community may receive NASIRC bulletins. If you are not part of the NASA community, please contact your agency's response team to report incidents. Your agency's team will coordinate with NASIRC, who will ensure the proper internal NASA team(s) are notified. NASIRC is a member of the Forum of Incident Response and Security Teams (FIRST), a world-wide organiza- tion which provides for coordination between incident response teams in handling computer-security-related issues. You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Many users outside of the DOD computing communities receive DDN Security bulletins. If you are not part of DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.