**********************************************************************

DDN Security Bulletin 02         DCA DDN Defense Communications System
05 Oct 89               Published by: DDN Security Coordination Center
                                    ([email protected])  (800) 235-3155

                       DEFENSE  DATA  NETWORK
                         SECURITY  BULLETIN

The DDN  SECURITY BULLETIN  is distributed  by the  DDN SCC  (Security
Coordination Center) under  DCA contract as  a means of  communicating
information on network and host security exposures, fixes, &  concerns
to security & management personnel at DDN facilities.  Back issues may
be  obtained  via  FTP  (or  Kermit)  from  NIC.DDN.MIL  [26.0.0.73 or
10.0.0.51] using login="anonymous" and password="guest".  The bulletin
pathname is SCC:DDN-SECURITY-nn (where "nn" is the bulletin number).

**********************************************************************

  COLUMBUS DAY / OCTOBER 12TH / FRIDAY THE 13TH / DATACRIME VIRUS

1.  Recently, there has been  considerable attention given to a family
of MS/DOS-PC  viruses  with many  names:   Columbus Day,  October 12th
(later redesignated  October 13th),  Friday the  13th, and  DataCrime.
According to the Computer Virus Industry Association, there have  been
only  SEVEN  confirmed  U. S.  "sightings"  to  date.   Based on this,
there may be only a few dozen sites affected.

2.  Normally the SCC  would not  be involved  with a personal computer
virus incident (unless it was propagated via the DDN).  However,  this
virus  has  received  extensive  media  coverage,  necessitating a DDN
Security Bulletin to answer some commonly asked questions.

+  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +

Q:  What is known about this Columbus Day/DataCrime virus?

A:  There  are  several  variants  of  DataCrime.  They are designated
"1168", "1280", and "DataCrime II" (or "1514"); this naming convention
is based on the number of bytes each variant adds to the .COM files it
infects.  DataCrime II infects both .EXE and .COM files.
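
The byte counts above can be turned into a simple integrity check.  The
following is an added example, not part of the original bulletin: it
compares a saved inventory of file sizes with the current sizes and
reports .COM files whose growth equals one of the three variant sizes.
The function names, file names and sizes are constructed for
illustration; a size match is an indicator for follow-up, not proof.

```python
# Added example: compare a saved size baseline with current file sizes.
import os

# Growth in bytes per variant, as named in the bulletin (for .COM files).
COM_GROWTH = {
    1168: "DataCrime 1168",
    1280: "DataCrime 1280",
    1514: "DataCrime II (1514)",
}


def classify(name, old_size, new_size):
    """Return a finding string, or None if the size is unchanged."""
    delta = new_size - old_size
    if delta == 0:
        return None
    ext = os.path.splitext(name)[1].upper()  # DOS names are case-insensitive
    if ext == ".COM" and delta in COM_GROWTH:
        return "growth matches " + COM_GROWTH[delta]
    if ext == ".EXE" and delta > 0:
        # The bulletin says DataCrime II infects .EXE files but gives no
        # .EXE growth figure, so any growth is reported for review.
        return "EXE grew by %d bytes; review (DataCrime II infects .EXE)" % delta
    return "size changed by %+d bytes; no variant match" % delta


def compare(baseline, current):
    """Both arguments map filename -> size in bytes. Returns sorted findings."""
    findings = []
    for name, old in baseline.items():
        if name not in current:
            findings.append((name, "missing since baseline"))
            continue
        verdict = classify(name, old, current[name])
        if verdict:
            findings.append((name, verdict))
    findings.extend((n, "not in baseline") for n in current if n not in baseline)
    return sorted(findings)


# Constructed sample inventories (not real measurements).
BASELINE = {"COMMAND.COM": 25307, "FORMAT.COM": 11616, "EDIT.EXE": 40000, "MORE.COM": 313}
CURRENT = {"COMMAND.COM": 25307, "FORMAT.COM": 12784, "EDIT.EXE": 41514,
           "MORE.COM": 1827, "NEW.COM": 900}

if __name__ == "__main__":
    for name, verdict in compare(BASELINE, CURRENT):
        print("%-12s %s" % (name, verdict))
```

The baseline must be recorded on a system known to be clean, and files
that are new since the baseline are listed because they have no size to
compare against.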


Q:  How does DataCrime spread?

A:  The DataCrime viruses are designed to infect via diskette sharing.
There is no network component  (unlike the infamous  November Internet
Worm),  so they CANNOT traverse the DDN unassisted.   The only way  a
DataCrime virus  can be  spread through  a network  is by  FTP'ing  an
infected file into a PC and running it.


Q:  What is the result?

A:  On or after Friday, 13 October 1989, these software timebombs will
reformat cylinder 0 of any  infected hard disk (drive C:)  and display
the message,  "DATACRIME VIRUS RELEASED: 1 MARCH 1989".   The infected
PC cannot boot from drive C:, and all data on it is unreachable.


Q:  How can DataCrime (and other viruses) be stopped?

A:  The  National  Institute of  Standards  and Technology  (NIST) has
recently  issued  guidelines  for  controlling  malicious  software in
various computer  environments, including  PCs and  networks.  The SCC
has obtained  an electronic copy of  NIST Special Publication 500-166,
"Computer Viruses and Related Threats:  A Management Guide" by John P.
Wack  and  Lisa J. Carnahan.   It may be obtained via FTP  (or Kermit)
from NIC.DDN.MIL [26.0.0.73 or 10.0.0.51] using login="anonymous" and
password="guest".  The pathname is SCC:NIST-001.

**********************************************************************
