************************************************************************** Security Bulletin 9415 DISA Defense Communications System May 6, 1994 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9302). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the NASA ! ! Automated Systems Incident Response Capility team and is being ! ! relayed unedited via the Defense Information Systems Agency's ! ! Security Coordination Center distribution system as a means ! ! of providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + The following bulletin was released to the NASA community by NASIRC: NASIRC BULLETIN #94-15 May 5, 1994 Macintosh Virus Found on American Vacuum Society CD-ROM =========================================================== __ __ __ ___ ___ ____ ____ /_/\ /_/| /_/ / _/\ /_/| / __/ \ / __/\ | |\ \| || / \ \ | /\/ | || | /\ \/ | | \/ | ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | | | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\ |_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/ NASA Automated Systems Incident Response Capability =========================================================== NASIRC recently received notification that a Macintosh virus has been found on the CD-ROM "Journal of Vacuum Science and Technology A&B" (Second Series Volume 12, 1994)". The CD is "An official journal of the American Vacuum Society Published for the Society by the American Institute of Physics." SYSTEMS AFFECTED: Macintosh systems running System 6.x or 7.x; Power Macintosh systems may also be vulnerable. Although this CD is also readable by DOS and Windows systems, they are NOT affected by this problem. THE PROBLEM: A Macintosh virus has been discovered in the file called "README." on in the top-level directory of the CD-ROM named above. All other Mac files on the disc, including README.DOC, are safe; the only infected file is "README." Unfortunately, users must access this file to read or print out the user manual for this CD. The virus, apparently introduced by mistake, is present on all known copies of the CD. Look for the following titles imprinted on the disc: Main title (large, bold type): "JVST A&B Vol. 12 1Q94" Subtitle (small): "JVST-A Vol 12(1) and 12(2) JVST-B, Vol 12(1)" The virus has been identified by SAM Virus Clinic as the old nVir-A strain, which can infect the system file and applications. The virus will lie dormant until an infected file is opened a certain number of times (the virus counter decrements differently for different file types), at which point it may cause printing errors, system crashes, and other problems. Note that nVir-A is one of the oldest Macintosh viruses, dating back to 1987. THE FIX: Unfortunately, there is no way to "fix" the CD-ROM itself. NASIRC recommends that you do NOT run the "README." file directly from the CD-ROM; copy it to a regular disk and clean it with a utility such as Disinfectant before double-clicking it. If you have already run "README.", your Macintosh is probably already infected with the virus. You must run an anti-viral utility (from a *locked* floppy) to repair any infected files on your hard drive, and be sure to also disinfect *all* floppy disks you have used since the first time "README." was opened. All current versions of Macintosh anti-viral programs can recognize & combat the nVir-A virus if your Macintosh becomes infected. You can acquire NASIRC's "MacDefender" package (which includes Disinfectant) as follows: ftp://nasirc.nasa.gov/~toolkits/Mac/macdefender17.sea -- binary - or - ftp://nasirc.nasa.gov/~toolkits/Mac/macdefender17.hqx -- ascii NASIRC will continue to monitor this situation and will post additional information should it become necessary. If you have any questions about this bulletin or the MacDefender package, please contact NASIRC via any of the venues below. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= NASIRC ACKNOWLEDGES: Karyn Pichnarczyk of the Department of Energy Computer Incident Advisory Capability (CIAC) for forwarding this information in a rapid and timely manner. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= =============================================================== For further assistance, please contact the NASIRC Helpdesk: Phone: 1-800-7-NASIRC Fax: 1-301-441-1853 Internet Email: nasirc@nasa.gov 24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056 STU III: 1-301-982-5480 =============================================================== This bulletin may be forwarded without restriction to sites and system administrators within the NASA community. The NASIRC online archive system is available via anonymous ftp. You will be required to enter your valid e-mail address as the "password". Once on the system, you can access the following information: ~/bulletins ! NASIRC bulletins ~/information ! various informational files ~/toolkits ! patches & automated toolkit software The contents of these directories is updated on a continuous basis with relevant software and information; contact the NASIRC Helpdesk for more information or assistance. ----------------- PLEASE NOTE: Users outside of the NASA community may receive NASIRC bulletins. If you are not part of the NASA community, please contact your agency's response team to report incidents. Your agency's team will coordinate with NASIRC, who will ensure the proper internal NASA team(s) are notified. NASIRC is a member of the Forum of Incident Response and Security Teams (FIRST), a world-wide organiza- tion which provides for coordination between incident response teams in handling computer-security-related issues. You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Many users outside of the DOD computing communities receive DDN Security bulletins. If you are not part of DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.