PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

SUBJECT: BUG IN MCAFEE CLEAN.EXE 9.12V100 UTILITY FOR THE MICHELANGELO VIRUS (AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST) BULLETIN 93-10).

1. A BUG EXISTS IN MCAFEE'S CLEAN UTILITY 9.12V100 WHEN THE UTILITY IS USED TO REMOVE THE MICHELANGELO VIRUS FROM AN INFECTED SYSTEM. THE BUG RESULTS IN THE AFFECTED DISK BECOMING INACCESSIBLE AFTER CLEAN IS USED. INDICATIONS ARE THAT THE DOS BOOT RECORD (DBR) OF THE PARTITION IS BEING MISTAKENLY OVERWRITTEN WITH A COPY OF THE MASTER BOOT RECORD (MBR), SO THE PARTITION NO LONGER CARRIES A VALID BOOT RECORD.

2. MCAFEE ASSOCIATES HAS BEEN MADE AWARE OF THE PROBLEM WITH VERSION 9.12V100 OF CLEAN-UP. THE FOLLOWING INFORMATION WAS PROVIDED BY A REPRESENTATIVE OF MCAFEE:

   WHEN CLEAN C: [MICH] IS RUN TO REMOVE THE MICHELANGELO VIRUS ON SOME COMPUTER SYSTEMS, THE ORIGINAL MASTER BOOT RECORD OF THE HARD DISK IS RESTORED TO THE WRONG LOCATION, RESULTING IN AN INACCESSIBLE HARD DRIVE UNTIL REPAIRED. THIS PROBLEM DOES NOT OCCUR CONSISTENTLY AND WE ARE INVESTIGATING IT NOW. IN THE MEANTIME, ANYONE WISHING TO REMOVE THE MICHELANGELO VIRUS FROM A HARD DISK SHOULD USE THE [GENP] I.D. CODE WITH CLEAN-UP INSTEAD. FOR EXAMPLE:

      CLEAN C: [GENP]

   THIS WILL REMOVE THE MICHELANGELO VIRUS BY REPLACING THE INFECTED PORTION OF THE MASTER BOOT RECORD WITH A CLEAN PIECE OF CODE FROM INSIDE THE CLEAN.EXE FILE.

3. WHILE VERIFYING THIS PROBLEM, ASSIST PERSONNEL NOTICED THAT THE MCAFEE SCAN PROGRAM WILL INCORRECTLY IDENTIFY THE MICHELANGELO VIRUS UNDER CERTAIN CIRCUMSTANCES. WHEN THE VIRUS IS ACTIVE IN MEMORY AND THE PROGRAM IS EXECUTED WITH THE 'SCAN C: /M' OPTION, SCAN CORRECTLY IDENTIFIES THE MICHELANGELO VIRUS. HOWEVER, IF THE PROGRAM IS EXECUTED SIMPLY AS 'SCAN C:', SCAN INCORRECTLY IDENTIFIES THE VIRUS IN MEMORY AS 'STONED'. THIS INCORRECT IDENTIFICATION WAS VERIFIED TO EXIST IN MCAFEE SCAN VERSIONS 95, 99, AND 100. SITES CHECKING A SYSTEM THAT MAY HAVE THE VIRUS RESIDENT IN MEMORY SHOULD THEREFORE RUN SCAN WITH THE /M OPTION.

4.
ANOTHER WAY TO CLEAN BOOT SECTOR VIRUSES FROM INFECTED SYSTEMS IS TO RUN THE FDISK UTILITY AFTER BOOTING THE SYSTEM FROM A CLEAN, WRITE-PROTECTED SYSTEM DISKETTE, SO THAT THE VIRUS IS NOT RESIDENT IN MEMORY WHILE THE DISK IS REPAIRED. ASSIST ALSO HAS A UTILITY AVAILABLE THAT WILL SPECIFICALLY REMOVE THE MICHELANGELO VIRUS FROM INFECTED SYSTEMS. THE UTILITY IS AVAILABLE ON THE ASSIST ELECTRONIC BULLETIN BOARD SYSTEM, WHICH CAN BE REACHED AT (703) 696-8726, DSN 226, IN THE 'SECURITY TOOLS' AREA OF THE FILE SECTION.

5. ASSIST STRONGLY SUGGESTS THAT DOD SITES SCAN ALL DOS SYSTEMS WITH A VIRUS DETECTION PACKAGE THAT WILL DETECT THE MICHELANGELO VIRUS BEFORE THE MARCH 6TH TRIGGER DATE OF THE VIRUS. THE VIRUS IS STILL BEING DETECTED IN A SIGNIFICANT NUMBER OF SYSTEMS EVEN THOUGH AN INTENSE PUBLIC AWARENESS CAMPAIGN WAS LAUNCHED TO INFORM USERS ABOUT THE VIRUS PRIOR TO MARCH 6, 1992.

6. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS PETE HAMMES, COMM (703) 696-1924/5/6 OR DSN 226. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE (800-759-7243), PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL-BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT@DDN-CONUS.DDN.MIL".

BT
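The failure mode in paragraph 1 (the partition's DOS boot record overwritten with a copy of the master boot record) can be recognized from a raw sector dump before the drive is touched further. The script below is an added example, not ASSIST's or McAfee's code: it parses the MBR partition table, reads the first partition's boot sector, and reports whether that sector is a healthy DOS boot record or a copy of the MBR. The disk image it operates on is constructed inline (one bootable FAT16 partition starting at LBA 63, a layout chosen for the example), and the plausibility checks on the BIOS Parameter Block are this example's own heuristics.

```python
"""Check whether a DOS disk image's boot record (DBR) has been overwritten with
a copy of the master boot record (MBR), the failure mode described for
CLEAN 9.12V100.  Added example; the disk image below is constructed inline."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"   # little-endian 0xAA55 at offset 510 of both MBR and DBR


def parse_partition_table(mbr: bytes):
    """Return the four MBR partition entries (offset 446, 16 bytes each) as dicts."""
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        lba, count = struct.unpack_from("<II", e, 8)
        entries.append({"bootable": e[0] == 0x80, "type": e[4],
                        "lba_start": lba, "sectors": count})
    return entries


def looks_like_dos_boot_record(sector: bytes) -> bool:
    """Plausibility test for a DOS/FAT DBR: a jump opcode at offset 0, the boot
    signature, and a sane BIOS Parameter Block (bytes/sector, sectors/cluster)."""
    if sector[510:512] != BOOT_SIG or sector[0] not in (0xEB, 0xE9):
        return False
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    sectors_per_cluster = sector[13]
    return (bytes_per_sector in (512, 1024, 2048, 4096)
            and sectors_per_cluster != 0
            and sectors_per_cluster & (sectors_per_cluster - 1) == 0)


def check_first_partition(image: bytes) -> str:
    """Classify the first partition's boot sector.  Returns one of:
    'mbr_unsigned', 'no_partitions', 'dbr_is_mbr_copy',
    'not_a_dos_boot_record' or 'ok'."""
    mbr = image[:SECTOR]
    if mbr[510:512] != BOOT_SIG:
        return "mbr_unsigned"
    entries = [e for e in parse_partition_table(mbr) if e["type"] != 0]
    if not entries:
        return "no_partitions"
    dbr_offset = entries[0]["lba_start"] * SECTOR
    dbr = image[dbr_offset:dbr_offset + SECTOR]
    # A DBR that carries the MBR's partition table (or is byte-identical to the
    # MBR) is the symptom of the MBR having been restored to the wrong sector.
    if dbr == mbr or dbr[446:512] == mbr[446:512]:
        return "dbr_is_mbr_copy"
    if not looks_like_dos_boot_record(dbr):
        return "not_a_dos_boot_record"
    return "ok"


def build_sample_image(dbr_replaced_by_mbr: bool = False) -> bytes:
    """Constructed 1 MiB image: MBR at LBA 0, one bootable FAT16 partition at LBA 63.
    With dbr_replaced_by_mbr=True the partition's boot sector is a copy of the MBR."""
    part_start, part_len = 63, 2048 - 63
    entry = bytes([0x80, 0, 0, 0, 0x06, 0, 0, 0]) + struct.pack("<II", part_start, part_len)
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xFA\x33\xC0"              # stand-in for MBR loader code (cli; xor ax,ax)
    mbr[446:462] = entry
    mbr[510:512] = BOOT_SIG
    dbr = bytearray(SECTOR)
    dbr[0:3] = b"\xEB\x3C\x90"              # jmp short +0x3C; nop
    dbr[3:11] = b"MSDOS5.0"                 # OEM name
    struct.pack_into("<HB", dbr, 11, 512, 4)  # 512 bytes/sector, 4 sectors/cluster
    dbr[510:512] = BOOT_SIG
    image = bytearray(2048 * SECTOR)
    image[0:SECTOR] = mbr
    image[part_start * SECTOR:(part_start + 1) * SECTOR] = mbr if dbr_replaced_by_mbr else dbr
    return bytes(image)


if __name__ == "__main__":
    print("healthy image:     ", check_first_partition(build_sample_image()))
    print("after faulty clean:", check_first_partition(build_sample_image(True)))
```

Run against a real dump (for example the first few thousand sectors of the drive, read from a clean boot), the 'dbr_is_mbr_copy' result tells you the partition table is still intact and only the partition's boot sector needs rebuilding, which is why the drive is "inaccessible until repaired" rather than lost.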