**************************************************************************
Security Bulletin 9416                  DISA Defense Communications System
May 10, 1994               Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

  The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
  Coordination Center) under DISA contract as a means of communicating
  information on network and host security exposures, fixes, and concerns
  to security and management personnel at DDN facilities.  Back issues may
  be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
  using login="anonymous" and password="guest".  The bulletin pathname is
  scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
  and "nn" is a bulletin number, e.g. scc/ddn-security-9302).
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important  advisory was  issued by the Automated    !
!     Systems Security Incident Support Team (ASSIST) and is being      !
!     relayed unedited via the Defense Information Systems Agency's     !
!     Security Coordination Center  distribution  system  as a  means   !
!     of providing  DDN subscribers with useful security information.   !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  
    
  Automated Systems Security Incident Support Team
                                                _____
             ___   ___  _____   ___  _____     |     /
      /\    /   \ /   \   |    /   \   |       |    / Integritas
     /  \   \___  \___    |    \___    |       |   <      et
    /____\      \     \   |        \   |       |    \ Celeritas
   /      \ \___/ \___/ __|__  \___/   |       |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  
    
                       Bulletin  94-13
 
           Release date: 6 May 1994, 2:30 PM EDT
 
SUBJECT: nVir A Virus Found on CD-ROM

SUMMARY: The Macintosh nVir A virus has been found in the "README."
file on the Journal of the American Vacuum Society CD-ROM Vol. 12
1Q94.  nVir has no affect on the DOS files included on the disk,
but all versions of the Macintosh operating system are vulnerable
to the virus.

BACKGROUND: The CD-ROM containing the virus is included as part of
the American Vacuum Society's journal, which is widely distributed
in the scientific community.  The Journal of Vacuum Science & 
Technology A&B (Second Series Volume 12, 1994) was apparently
inadvertently infected with the nVir A virus before production of
the CD-ROM.  All known copies of this CD-ROM distribution are
infected with this Macintosh virus.  The CD-ROM can be identified
by the following titles printed on the disk:
(in large bold type) "JVST A&B Vol. 12 1Q94"
(subtitle in small type) "JVST-A Vol 12(1) and 12(2)  JVST-B, 
                          Vol 12(1)"
The infected file is "README." in the root directory of the 
CD-ROM, which is a DOCMaker Stand-Alone document reader 
application. This file is the one referred to in the instruction
manual to run for viewing or printing the user manual, however
doing so will infect the system file of your Macintosh.  This disk
can also be read via a PC using DOS or Windows, but those systems
will not be affected by this Macintosh specific virus.  

The nVir A virus is a virus that at first only replicates, but
after a certain amount of executions it has a small chance of
saying "Don't Panic" if MacinTalk is installed, or having the
computer beep if MacinTalk is not installed.  It is not an
intentionally destructive virus, but does damage the system and
applications during the infection process.  Infected systems
occasionally crash, and printing is often delayed or corrupted.

IMPACT: nVir A is a virus that at first only replicates, but
after a certain amount of executions it has a small chance of
saying "Don't Panic" if MacinTalk is installed, or having the
computer beep if MacinTalk is not installed.  It is not an 
intentionally destructive virus, but does damage the system and 
applications during the infection process.  Infected systems
occasionally crash, and printing is often delayed or corrupted.

RECOMMENDED SOLUTION: If you have received this CD-ROM,
immediately mark it as containing a Macintosh computer virus,
and do not run the "README." file in the root directory on any
Macintosh system.  If you are using this disk on a PC system
the PC files on this disk are not infected.  If you have 
already run this infected file on a Macintosh, and scan your 
hard disk for infected files with a Macintosh anti-virus program.
If your hard disk has been infected, you must scan every floppy
disk that has been in your system since the infection occurred.
Replace all the infected files that you can, and repair those
that you cannot replace.  Even though the CD-ROM contains an
infected file, the "README." file can only infect your system if
it is executed. The other files on the disk can still be installed
and used without causing an infection. To install the Adobe 
Acrobat document reader on your Macintosh, run the Installer 
program in the JVST_94:install:mac:reader folder.  To install the
Wordkeeper search utility, run the JVST_INSTALL;1 program in the 
JVST_94:install:mac:wordkeep directory.  You can also view the 
README.DOC file, which contains the instructions for using the 
PC and Windows versions of the reader, using a word processor.
If you must access the data in the infected "README." file,
copy the file to a floppy disk and repair it using an anti-virus 
utility and then scan it again to insure it has been repaired.
Scan the repaired file with an anti-virus utility and if it is
not infected you may then run it to view the document.  The
"README." file that is on the CD-ROM cannot be repaired due to
the write-only nature of the CD-ROM.  The publisher has sent a 
letter to all known recipients of this CD-ROM distribution 
explaining this problem.

THE SECURITY IMPLICATIONS OF THIS MATTER GO BEYOND THE SPECIFIC
VIRUS INCIDENT MENTIONED IN THIS BULLETIN.  CD-ROM'S ARE NOT
IMMUNE TO VIRUS INFECTION, AND ALL EXECUTABLE FILES CONTAINED ON
CD-ROM MEDIA SHOULD BE SCANNED WITH THE MOST CURRENT RELEASE OF AN
ANTI-VIRUS UTILITY BEFORE ANY OF THE FILES ARE EXECUTED OR
COPIED.

ASSIST would like to thank the Department of Energy CIAC for
information contained in this bulletin.

ASSIST is an element of the Defense Information Systems Agency 
(DISA), Center for Information Systems Security (CISS), that 
provides service to the entire DoD community.  If you are a 
constituent of the DoD and have any questions about ASSIST or
computer security issues, contact ASSIST using one of the methods
listed below.  If your organization/institution is non-DoD,
contact your Forum of Incident Response and Security Teams
(FIRST) representative.  You can obtain a list of FIRST member
organizations and their constituencies by sending email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".

ASSIST INFORMATION RESOURCES: If you would like to be included  in
the distribution list for these bulletins, send your Milnet
(Internet) e-mail address to assist-request@assist.ims.disa.mil.
Back issues of ASSIST bulletins, and other security related  
information, are available from the ASSIST BBS at 703-756-7993/
1154 DSN 289, and through anonymous FTP from assist.ims.disa.mil
(IP address 137.130.234.30).  Note: assist.ims.disa.mil will only
accept anonymous FTP connections from Milnet addresses that are
registered with the NIC or DNS.
 
ASSIST contact information: 
PHONE: 703-756-7974, DSN 289, duty hours are 06:00 to 22:30 EST  
Monday through Friday.  During off duty hours, weekends, and  
holidays, ASSIST can be reached via pager at 800-SKY-PAGE  
(800-759-7243) PIN 2133937.  Your page will be answered within 30
minutes, however if a quicker response is required, prefix
your phone number with "999".  
ELECTRONIC MAIL: Send to assist@assist.ims.disa.mil. 
ASSIST BBS: Leave a message for the "sysop". 
  
Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key   
encryption tool, to digitally sign all bulletins that are   
distributed through e-mail.  The section of seemingly random   
characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and   
"BEGIN ASSIST BULLETIN" contains machine-readable digital   
signature information generated by PEM, not corrupted data.     PEM
software for UNIX systems is available from Trusted Information
Systems (TIS) at no cost, and can be obtained via anonymous FTP
from ftp.tis.com (IP 192.94.214.100).  Note:   The TIS software is
just one of several implementations of PEM currently available and
additional versions are likely to be offered from other
sources in the near future. 
  
Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does
not constitute or imply its endorsement, recommendation, or
favoring by ASSIST.  The views and opinions of authors expressed
herein shall not be used for adverstising or product endorsement
purposes. 


****************************************************************************
*                                                                          *
*    The point of contact for MILNET security-related incidents is the     *
*    Security Coordination Center (SCC).                                   *
*                                                                          *
*               E-mail address: SCC@NIC.DDN.MIL                            *
*                                                                          *
*               Telephone: 1-(800)-365-3642                                *
*                                                                          *
*    NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,   *
*    Monday through Friday except on federal holidays.                     *
*                                                                          *
****************************************************************************

PLEASE NOTE: Many users outside of the DOD computing communities receive
DDN Security bulletins.  If you are not part of DOD community, please
contact your agency's incident response team to report incidents.  Your 
agency's team will coordinate with DOD.  The Forum of Incident Response and
Security Teams (FIRST) is a world-wide organization.  A list of FIRST member
organizations and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an service to the DOD community.  Neither the 
United States Government nor any of their employees, makes any warranty, 
expressed or implied, or assumes any legal liability or responsibility for 
the accuracy, completeness, or usefulness of any information, product, or 
process disclosed, or represents that its use would not infringe privately 
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not 
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government.  The opinions of the authors expressed herein
do not necessarily state or reflect those of the United States Government, 
and shall not be used for advertising or product endorsement purposes.