**************************************************************************
Security Bulletin 9206                  DISA Defense Communications System
February 24, 1992           Published by: DDN Security Coordination Center
                                     ([email protected])   1-(800) 365-3642

                       DEFENSE  DATA  NETWORK
                         SECURITY  BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities.  Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using
login="anonymous" and password="guest".  The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g., scc/ddn-security-9206).
**************************************************************************

                    New Macintosh Virus Discovered

Virus: MBDF A
Damage: minimal, but see below
Spread: may be significant
Systems affected:  Apple Macintosh computers.  The virus spreads on
                  all types of systems except MacPlus systems and
                  (perhaps) SE systems; however, it may be present
                  on MacPlus and SE systems and not spread.

A new virus, currently named "MBDF A", has been discovered on Apple
Macintosh computer systems.  The virus does not intentionally cause
damage, but it does spread widely.  Instances of the virus have been
found at a number of sites worldwide.

The virus has been discovered in games at several archive sites.
At those sites, the games "Obnoxious Tetris" and "Ten Tile Puzzle" are
definitely infected.  It is possible that other files may be infected
at some archive sites.  You should be especially suspicious of any games
named "tetris-rotating" or "Tetricycle".

The virus does not necessarily exhibit any symptoms on infected
systems.  Some abnormal behavior has been reported that may be
traced to the virus, including Mac crashes and malfunctions in
various programs.

Some specific symptoms include:

   * Infected Claris applications will indicate that they have
     been altered and will refuse to run.

   * The "BeHierarchic" shareware program ceases to work correctly.

   * Some programs will crash if something in the menu
     bar is selected with the mouse.

The virus works under both System 6 and System 7.

If you have downloaded any files from an archive site recently,
especially games, please do not use them or distribute copies of them
to anyone else until you are certain they are not infected.
Furthermore, we very strongly recommend that you DO NOT get any files
from the archive sites until the moderators at those sites have had an
opportunity to remove any infected files.

Currently, the virus is not found by (or evades) most anti-virus
tools.  Authors of all the major Macintosh anti-virus tools --
including commercial products such as SAM, Rival and Virex, and
shareware and freeware programs such as Disinfectant, Gatekeeper, and
Virus Detective -- have been informed of this new virus.  All are
planning to release updates to their software within the next few
days.  These releases will be through the normal distribution
channels.

Specific information on some of these products follows:

   Tool: Disinfectant
   Revision to be released: 2.6
   Where to find: usual archive sites and bulletin boards --
                  ftp.acns.nwu.edu, sumex-aim.stanford.edu,
                  rascal.ics.utexas.edu, AppleLink,
                  America Online, CompuServe, Genie, Calvacom,
                  MacNet, Delphi, comp.binaries.mac
   When available: (expected) late 2/21/92

   Tool: Rival
   Revision to be released: 1.1.10
   Where to find: AppleLink, America Online, Internet, CompuServe.
   When available: 2/21/92
   Other info: The only change with 1.1.9 is the ability to detect
               this vaccine (MBDF A).

   Tool: Virex INIT and application
   Revision to be released: 3.6 (for both products)
   Where to find: Microcom, Inc (919) 490-1277
   When available: User definable virus string available 2/21/92
                   3.6 versions available 2/24/92
   Comments:
   Virex 3.6 (app and INIT) will detect and repair the virus.  All
   Virex subscribers will automatically be sent an update on
   diskette.  All other registered users will receive a notice with
   information on how to update prior versions so that they will
   be able to detect MBDF.  This information is also available on
   Microcom's BBS, (919) 419-1602.

   Tool: Virus Detective
   Revision to be released: 5.0.1
   Where to find: Usual bulletin boards will announce a new search
                  string.  Registered users will also get a mailing
                  with the new search string.
   When available: now (2/20/92)
   Comments: search string is
             "Resource MBDF & ID=0 & WData A9ABA146*4446#4A9A0"


Special thanks to the people at Claris who included self-check code
in their Macintosh software products.  Their foresight resulted in
an early detection of the virus and has thus helped the entire Mac
community.  We strongly encourage other vendors to consider doing the
same with their products.
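
The kind of self-check credited above can be sketched as follows.  This
is an added example, not Claris's code and not part of the original
bulletin; the resource model, the CRC-32 digest, and all names and
sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of one resource in an application file. */
struct resource { const char *type; uint16_t id; const uint8_t *data; uint32_t len; };

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320), usable incrementally. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    crc = ~crc;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Digest over each resource's type, ID, length and data, in order. */
uint32_t image_digest(const struct resource *r, size_t count)
{
    uint32_t crc = 0;
    for (size_t i = 0; i < count; i++) {
        uint8_t hdr[10];
        memcpy(hdr, r[i].type, 4);
        hdr[4] = (uint8_t)(r[i].id >> 8);   hdr[5] = (uint8_t)r[i].id;
        hdr[6] = (uint8_t)(r[i].len >> 24); hdr[7] = (uint8_t)(r[i].len >> 16);
        hdr[8] = (uint8_t)(r[i].len >> 8);  hdr[9] = (uint8_t)r[i].len;
        crc = crc32_update(crc, hdr, sizeof hdr);
        crc = crc32_update(crc, r[i].data, r[i].len);
    }
    return crc;
}

/* Returns 1 when the image still matches the digest recorded at build time. */
int self_check(const struct resource *r, size_t count, uint32_t expected)
{
    return image_digest(r, count) == expected;
}

/* Constructed sample data: placeholder bytes, not taken from any real file. */
static const uint8_t code0[] = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t menu0[] = { 0x10, 0x20 };
static const uint8_t extra[] = { 0x00, 0x00, 0x00, 0x00 };
static const struct resource clean[] = {
    { "CODE", 0, code0, sizeof code0 }, { "MENU", 128, menu0, sizeof menu0 } };
static const struct resource altered[] = {
    { "CODE", 0, code0, sizeof code0 }, { "MENU", 128, menu0, sizeof menu0 },
    { "MBDF", 0, extra, sizeof extra } };   /* unexpected added resource */

int clean_passes(void)   { return self_check(clean, 2, image_digest(clean, 2)); }
int altered_passes(void) { return self_check(altered, 3, image_digest(clean, 2)); }
```

A plain CRC catches alteration only by code that is unaware of the
check; where the stored value itself can be rewritten, a keyed or
signed digest is needed.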

The SCC wishes to acknowledge Mr. Gene Spafford of Purdue University
as the author of this document.

****************************************************************************

The point of contact for MILNET security-related incidents is the
Security Coordination Center (SCC).

E-mail address: [email protected]

Telephone: 1-(800)-365-3642
          NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,
          Monday through Friday except on federal holidays.

****************************************************************************


