===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL Don Stikvoort            Index   : S-93-02
Distribution  : SURFnet constituency             Page    : 1
Classification: External                         Version : Final
Subject       : Macintosh "Hermes Optimizer 1.1" problem
Date          : 05-jan-93
===============================================================================

CERT-NL received information from Gene Spafford of FIRST about a possibly
damaging version of a Macintosh Hypercard stack named "Hermes Optimizer 1.1".
Please distribute further and/or warn your users if need be.

In case you have any questions please address the party responsible for
delivering the software. CERT-NL has no specific expertise in the area covered
below. In critical situations however, CERT-NL can address the originator of
the below message and ask for further guidance.

In case you find a stack as mentioned below, please send us a copy, which we
will pass on for further analysis.

The original warning now follows.

**** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****

The Problem:

We have received an unconfirmed report of a nasty trojan horse Hypercard stack
for Macintosh computers, or else a very buggy regular stack.

The stack is named "Hermes Optimizer 1.1" and was allegedly distributed
through the Olympus BBS, although by now it may have gone farther. According
to the report, the "About" message shows the author as 70142,210 (CompuServe)
and FARRADAY1 (AppleLink). It claims to reduce fragmentation in Hermes Shared
files. However, according to the report, it actually renames all the files on
the hard disk, then deletes them.

This may be a buggy program. It may be a malicious program. In either case,
the Mac community has not yet had a chance to analyze a copy.

What to do:

Warn your users not to run this stack if they find it.
If they do find it, have them provide you with a copy to either analyze and/or
send on to me to have analyzed.

Please do *not* call this a virus. It would also be unfair at this juncture to
label it as malicious, either -- we have not yet analyzed it. At this point,
it might be best to say that it has potentially damaging bugs (or similar).

**** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****

==============================================================================
CERT-NL is the Computer Emergency Response Team, located in The Netherlands.
CERT-NL is a Full Member of the Forum of Incident Response and Security Teams
(FIRST). The constituency of CERT-NL are the SURFnet connected institutions.

Past CERT-NL Security Bulletins and other CERT-NL related material can be
found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl"
[192.87.46.3], in the directory "netman/cert-nl". This information is also
available using email. Send an email saying "help" to
"mailserv@nic.surfnet.nl".

In case of computer or network security problems please contact CERT-NL or the
CERT of your own constituency. Please be aware of the fact that we are one
hour ahead of Universal Time Coordinated (i.e. UTC+0100).

Email:     cert-nl@surfnet.nl
Phone:     +31 30 310290
Fax:       +31 30 340903
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7*24h phonenumber is available to SURFnet SSC's and FIRST members on request
==============================================================================