From pch@assist.ims.disa.mil Tue Dec 14 15:26:36 1993
Received: from assist.ims.disa.mil by shilo.ims.disa.mil (4.1/2.4)
	id AA01506; Tue, 14 Dec 93 15:26:36 EST
Received: from shilo.ims.disa.mil by assist.ims.disa.mil (4.1/2.4)
	id AA02196; Tue, 14 Dec 93 15:26:37 EST
Received: by shilo.ims.disa.mil (4.1/2.4)
	id AA01503; Tue, 14 Dec 93 15:26:10 EST
Message-Id: <9312142026.AA01503@shilo.ims.disa.mil>
To: assist-bulletin@assist.ims.disa.mil
Subject: ASSIST 93-32
Date: Tue, 14 Dec 93 15:25:28 -0500
From: Pete Hammes
Status: RO

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate: MIICozCCAgwCAREwDQYJKoZIhvcNAQECBQAwgYYxC
 zAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczAeFw05MzEyMDkxO
 DU5MTZaFw05NTEyMDkxODU5MTZaMIGxMQswCQYDVQQGEwJVUzErMCkGA1UEChMiR
 GVmZW5zZSBJbmZvcm1hdGlvbiBTeXN0ZW1zIEFnZW5jeTEwMC4GA1UECxMnQ2Vud
 GVyIGZvciBJbmZvcm1hdGlvbiBTeXN0ZW1zIFNlY3VyaXR5MRgwFgYDVQQLEw9Db
 3VudGVybWVhc3VyZXMxEzARBgNVBAsTCk9wZXJhdGlvbnMxFDASBgNVBAMTC1Bld
 GUgSGFtbWVzMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDFFJkcaDOuS+6Ai2vmT
 bwY6JRbhdzPsl6X60hnXruOw2WvrAhc8BTFB+id75m3M55i+Th6MxWH20QHyQq5u
 yVghOu/s37OxIrj7irNPjtUdPv8b2m4hNGEW53QH6GmXkxLmgLzOhookpoYPC+uw
 2MzibDnleVI50d2m//XsWs7hwIBAzANBgkqhkiG9w0BAQIFAAOBgQDHH6CmBoyWU
 zPlqVnEWYKIBsifqdTJzkKfnoST7NDRIakUP49FP86Cyy1+2AKpUCWaxjq+wGHCH
 RCNFCCrOwdC9z8XwJal/c69ml6eLRhOoX77ANndpU9E5+eHxP+6Ute6lc63K7+Lz
 5xOULjmgaMmKDkTXveVcQO6R2CTY37vcA==
Issuer-Certificate: MIICNTCCAZ4CARswDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMTExMDIxMjIxNloXDTk0MDIxODIxMjIxNlowg
 YYxCzAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c
 3RlbXMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c
 3RlbXMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczCBmjAKBgRVC
 AEBAgIEAAOBiwAwgYcCgYEA19l6BN7iTGYEU61qJETIjBh3iAeHzoL8sZ5KwFRZD
 S/a1KnYlD1zJHR/KeQCOBWW2HzX43TFLCNGU7UD9i6m8AymLe5IJf/bGh0Rne7Jd
 Q1GAOLw7/J4hE57IMbGETZpzeU1D9IYxiERRNio/oa422lUlS9JZHLA5jaPNcUrX
 P8CAQMwDQYJKoZIhvcNAQECBQADgYEAtk4EYPgH0//H896t95E+4m8zWRxwyAULr
 a5wWThZ1TNjwdDQ3HbYC2IhXUA2N2Vzic5SWBFI6BRmEjWQrrgUNi4a26zZc6jiS
 3OebUYo75t1kkzyRaEf0o3DPnkvo0FQziUJaFpu6Z1/+ZoGu4UURwr/jaA+g1oZC
 6kDyRnygWc=
Issuer-Certificate: MIIB8jCCAVsCAQEwDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMDUyODE3MTEyN1oXDTk1MDUyODE3MTEyN1owR
 DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZ
 m9ybWF0aW9uIFN5c3RlbXMgUENBMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDbL
 xaRlS3u54yyRgVDI5dcE9nlasL8fJqOGlyo7xH2FZnr3kUfsFj7OGiYsr6UbvqwK
 nyfMIRUrXDUa64leGmft3SK27psDUHOynRSCc40d/HrDf810U5tnTamBKUIMqivK
 4GoL0tMRA1eX6hALAvLLgK1HbnwZAo6GqQGW8CIJQIBAzANBgkqhkiG9w0BAQIFA
 AOBgQDBp5aC6oV6IuFi8JCctq57bew604HHNllgjjp7zdXafq6jctRg2g91k/yFW
 h19bJC/tNrb0WVwuZOs5L/FToPMNIIHzaW/YSROBmyhTDYaKHZGj0P1+iNjMbHt9
 dm1QEHGIfKgBwFidItnOa74DfkXdijlPRnr/+E2Ib6PM+hEfQ==
MIC-Info: RSA-MD5,RSA,xKWBvjoCJx7wYdxGNmWropy3qkzKiKrH381Mt94dhyo
 EBqp3HoD+NjcPQetYoQzhUIJU59wUbn31BsmBRcA8K8qb3gt4vJmz3F59f5bLR6n
 VQCF7wF7C7ZvHP8oX8LeQvFTtvCICPcR3mWvUeqhma6583CKa4jAGedYcwET+198
 =

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
          Automated Systems Security Incident Support Team
          [ASSIST logo: "Integritas et Celeritas"]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 93-32
Release date: 14 December 1993, 3:30 PM EDT
Subject: New Macintosh viruses reported.

BACKGROUND:

This bulletin contains information about two new Macintosh viruses, CODE-1 and MBDF-B, that were discovered earlier this month.
CODE-1 alters applications and the system file, renames hard disks, and may cause the system to crash or damage some files. MBDF-B has few symptoms (Claris applications will indicate they have been modified, and some other software may not work), but may cause system crashes. Both viruses are functional under both System 6 and System 7 on all Macintosh models, although MBDF-B may not work on Plus and SE models.

CODE-1 VIRUS:

Spreads to application programs and the system file, and renames the hard disk "Trent Saburo" if the system is restarted on October 31 of any year. CODE-1 also changes several internal code pointers which may be set by various extensions and updates, and may prevent some applications from functioning properly or cause a system crash. The behavior of the virus can vary depending on the hardware and software configuration of the infected machine.

MBDF-B VIRUS:

Appears to be a modification of the old MBDF-A virus and does not intentionally cause damage, but has the capability to spread rapidly. While MBDF-B does not necessarily exhibit any symptoms on infected systems, some abnormal behavior (system crashes, malfunctions in various programs) was reported in machines infected with the original strain, and may have been caused by the virus. Some specific symptoms reported, but not verified as being caused by MBDF-B, include:

-- Infected Claris applications will indicate that they have been altered.
-- The "BeHierarchic" shareware program ceases to work correctly.
-- Some programs will crash if something in the menu bar is selected with the mouse.

The MBDF-B virus should behave similarly and will spread under both System 6 and System 7; however, it seems to have no effect on Macintosh Plus and SE models, although it can spread from these models to other systems.

RECOMMENDATIONS:

The major Macintosh virus detection software vendors have taken steps to update their products to detect both of these new viruses.
ASSIST recommends that sites utilizing Macintosh equipment obtain the most recently updated version of one of these products, and scan all Macintosh systems and files on a regular basis.

The "Disinfectant 3.3" Mac antivirus software detects both of these viruses, and is available for downloading from the ASSIST bbs (see bbs contact info below), "security tools" file area. Disinfectant is a freeware product maintained courtesy of John Norstad at Northwestern University, and is also available via anonymous ftp on the Internet from ftp.acns.nwu.edu (IP 129.105.16.52) in the /pub/disinfectant directory.

Other archive sites where Disinfectant and other Macintosh antivirus software can be found are (see below for additional product descriptions): AppleLink, CompuServe, America Online, sumex-aim.stanford.edu, rascal.ics.utexas.edu, Genie, Calvacom, MacNet, Delphi, and comp.binaries.mac.

Central Point Anti-Virus v 3.0a (Commercial software); available on the Central Point BBS @ 1-503-690-6650. Registered users will receive update information. Also, users can download the file 'Mac CPAV Antidotes 11/5/93' from the archive sites to receive the update.

Gatekeeper 1.2.9 (freeware, courtesy of Chris Johnson); available from archive sites. Version 1.2.8 is already effective against MBDF-B. Gatekeeper Aid will identify it as an "Unknown Strain" of MBDF, but will remove it without difficulty.

Rival CODE-1 Vaccine (Commercial software); available from AppleLink, America Online, Calvacom, CompuServe, the Internet, and XELPH's Customer Service @ 1-415-327-9563. The vaccine will be e-mailed to all registered users. The existing Rival MBDF Vaccine already detects/removes MBDF-B.

SAM Virus Clinic and Intercept v3.5.9 (Commercial software); available from CompuServe, America Online, AppleLink, and Symantec Customer Service @ 1-800-441-7234. Updates to various versions of SAM that detect and remove CODE-1 and MBDF-B are available from the above sources.
Virex 4.1 (Commercial software); available from Datawatch Corporation's BBS @ 1-919-549-0711. Virex currently detects and repairs the MBDF-B virus but identifies it as the MBDF-A virus. UDV for the CODE-1 virus; Guide Number = 13656448:

   1: 020A 30FA 7D90 7610 / 8C
   2: 00A9 C60C AF00 0A00 / F1
   3: 3EA0 0B4E 7581 8090 / 59

VirusDetective 5.0.10 (Shareware); available from archive sites. Search strings for the CODE-1 virus will be sent only to registered users via e-mail (registered users without e-mail access should contact the author). The MBDF-B virus is already detected by the MBDF-A search string.

ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If you would like to be included in the distribution list for these bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins are available on the ASSIST bbs (see below), and through anonymous ftp from assist.ims.disa.mil.

ASSIST contact information:

PHONE: 703-756-7974, DSN 289, duty hours are 06:30 to 17:00 Monday through Friday. During off duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your page will be answered within 30 minutes; however, if a quicker response is required, prefix your phone number with "999".

ELECTRONIC MAIL: assist@assist.ims.disa.mil.

ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop".

Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail.
The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100). Note: The TIS software is just one of several implementations of PEM currently available, and additional versions are likely to be offered from other sources in the near future.

-----END PRIVACY-ENHANCED MESSAGE-----
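The Virex UDV entry above gives CODE-1 as three lines of hex words with a trailing check value. The following is an added example, not Virex's, Datawatch's or ASSIST's code: it parses those three lines exactly as printed in the bulletin and scans a constructed byte buffer for them, reporting "infected" only when all three lines are present in order and "suspect" when only some are. It assumes each line is eight contiguous code bytes written as four 16-bit words, and treats the value after the slash as an opaque check label, since the bulletin does not say how that value is computed.

```python
"""Parse the CODE-1 UDV lines from ASSIST 93-32 and scan data for them.

Added example (not Virex/Datawatch/ASSIST code).  Assumptions: a UDV line is
"<n>: WWWW WWWW WWWW WWWW / CC" where the four hex words are eight contiguous
bytes and CC is an opaque check value we keep as a label but do not recompute.
"""
import re

CODE1_UDV_GUIDE = 13656448
# Signature lines copied verbatim from the bulletin.
CODE1_UDV_LINES = [
    "1: 020A 30FA 7D90 7610 / 8C",
    "2: 00A9 C60C AF00 0A00 / F1",
    "3: 3EA0 0B4E 7581 8090 / 59",
]

_UDV_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+"
    r"(?P<words>(?:[0-9A-Fa-f]{4}\s+){3}[0-9A-Fa-f]{4})"
    r"\s*/\s*(?P<check>[0-9A-Fa-f]{2})\s*$"
)


def parse_udv_line(line):
    """Return (index, eight pattern bytes, check value) for one UDV line."""
    m = _UDV_RE.match(line)
    if not m:
        raise ValueError("not a UDV line: %r" % line)
    pattern = bytes.fromhex(re.sub(r"\s", "", m.group("words")))
    return int(m.group("idx")), pattern, int(m.group("check"), 16)


def parse_udv(lines):
    return [parse_udv_line(line) for line in lines]


def scan(data, signatures):
    """Every occurrence of every signature as (line index, offset), by offset."""
    hits = []
    for idx, pattern, _check in signatures:
        start = 0
        while True:
            pos = data.find(pattern, start)
            if pos < 0:
                break
            hits.append((idx, pos))
            start = pos + 1
    return sorted(hits, key=lambda h: h[1])


def classify(data, signatures):
    """'infected' if all UDV lines appear in ascending order, 'suspect' if
    only some appear (an 8-byte pattern can collide by chance), else 'clean'."""
    hits = scan(data, signatures)
    if not hits:
        return "clean"
    first_offset = {}
    for idx, off in hits:
        first_offset.setdefault(idx, off)
    wanted = {idx for idx, _, _ in signatures}
    if set(first_offset) == wanted:
        order = [first_offset[i] for i in sorted(first_offset)]
        if order == sorted(order):
            return "infected"
    return "suspect"


def build_sample():
    """Constructed test buffer: 32 bytes of filler, then the three signature
    patterns each followed by 16 zero bytes.  Not a real infected file."""
    filler = b"\x4e\x56\x00\x00" * 8
    body = filler
    for _idx, pattern, _check in parse_udv(CODE1_UDV_LINES):
        body += pattern + b"\x00" * 16
    return body


if __name__ == "__main__":
    sigs = parse_udv(CODE1_UDV_LINES)
    sample = build_sample()
    print("guide", CODE1_UDV_GUIDE, "hits", scan(sample, sigs),
          "verdict", classify(sample, sigs))
```

Because the bulletin gives only eight bytes per line, a single-line hit is deliberately reported as "suspect" rather than "infected"; a production scanner would also restrict where in a file it looks for the pattern rather than searching every offset.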
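The PEM note above says the block of base64 at the top of the bulletin is signature data, not corruption. As an added example (not ASSIST's or TIS's software), the following Python parses the encapsulated header of a MIC-CLEAR message of that shape: header fields, continuation lines that begin with whitespace, the blank line ending the header, and the clear-text body that follows. The sample message is constructed with short dummy base64 values, not the real certificates or MIC from the bulletin. It also produces the canonical body digest a verifier would check the RSA signature against; the RSA check itself needs the originator's public key from the certificate chain and is not done here. The CRLF canonical form is an assumption taken from RFC 1421.

```python
"""Parse an RFC 1421 (PEM) MIC-CLEAR message header.

Added example, not ASSIST's or TIS's code.  SAMPLE is constructed with dummy
base64 values; only its field layout mirrors the bulletin.
"""
import base64
import hashlib

BEGIN = "-----BEGIN PRIVACY-ENHANCED MESSAGE-----"
END = "-----END PRIVACY-ENHANCED MESSAGE-----"

SAMPLE = (
    BEGIN + "\n"
    "Proc-Type: 4,MIC-CLEAR\n"
    "Content-Domain: RFC822\n"
    "Originator-Certificate: AAECAwQF\n"
    " BgcICQoL\n"
    "Issuer-Certificate: DA0ODxAR\n"
    "MIC-Info: RSA-MD5,RSA,EhMUFRYX\n"
    " GBkaGxwd\n"
    "\n"
    "Bulletin 93-32 (constructed body text)\n"
    + END + "\n"
)


def parse_pem(text):
    """Return (fields, body).  fields is an ordered list of (name, value);
    continuation lines (leading whitespace) are joined onto the previous field."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN) + 1
        end = lines.index(END)
    except ValueError:
        raise ValueError("missing PEM boundary line")
    fields = []
    i = start
    while i < end and lines[i] != "":
        line = lines[i]
        if line[0].isspace():
            if not fields:
                raise ValueError("continuation line before any header field")
            name, value = fields[-1]
            fields[-1] = (name, value + line.strip())
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed header line: %r" % line)
            fields.append((name.strip(), value.strip()))
        i += 1
    if i >= end:
        raise ValueError("header not terminated by a blank line")
    body = "\n".join(lines[i + 1:end])
    return fields, body


def describe(fields):
    """Decode the fields a verifier needs: mode, algorithms, MIC, certificates."""
    by_name = {}
    for name, value in fields:
        by_name.setdefault(name, []).append(value)
    version, mode = by_name["Proc-Type"][0].split(",", 1)
    mic_alg, key_alg, mic_b64 = by_name["MIC-Info"][0].split(",", 2)
    certs = (by_name.get("Originator-Certificate", [])
             + by_name.get("Issuer-Certificate", []))
    return {
        "version": version,
        "mode": mode,
        "mic_algorithm": mic_alg,
        "key_algorithm": key_alg,
        "mic": base64.b64decode(mic_b64),
        "certificates": [base64.b64decode(c) for c in certs],
    }


def canonical_body(body):
    """Assumed RFC 1421 canonical form: every line terminated by CRLF."""
    return "\r\n".join(body.split("\n")).encode("ascii") + b"\r\n"


def mic_digest(body):
    """MD5 over the canonical body, the value the RSA-MD5 MIC signs."""
    return hashlib.md5(canonical_body(body)).digest()


if __name__ == "__main__":
    fields, body = parse_pem(SAMPLE)
    info = describe(fields)
    print(info["mode"], info["mic_algorithm"], info["mic"].hex(),
          mic_digest(body).hex())
```

Two properties matter to a reader of these bulletins: a MIC-CLEAR message keeps the body readable whether or not you have PEM software, and the header fields fold onto indented continuation lines, so a mail client that re-wraps or strips leading spaces will break the signature even though the text still reads correctly.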