NASIRC BULLETIN # 94-04
March 8, 1994

New Macintosh Virus ("INIT-9403") Discovered
===========================================================
NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received notification that a new Macintosh virus was discovered in Italy, called "INIT-9403" (one vendor has instead named it "SysX"). Although the risk to most NASA-owned Macs appears to be minimal, NASIRC has chosen to issue this Bulletin as a precautionary measure.

AFFECTED: The Finder, then other applications; if unchecked, the virus attempts to destroy all mounted disk volumes. This virus apparently affects ONLY the Italian-language version of the MacOS, both System 6 and 7. It is recommended that infected files be REPLACED after disinfection, rather than merely repaired.

DETAILS: This highly malicious virus was discovered in Italy at the beginning of March 1994, with a possible initial distribution vector of pirated commercial software. When the infected application is run, the virus installs itself in an invisible file on the boot volume. When the Mac is restarted, the virus modifies the Finder, from where it can spread to other applications (and other Macs). When the virus is triggered (after a certain number of files have been infected), it attempts to completely erase the boot volume (your "Startup Device") by writing random data all over it. The virus will also attempt to erase all mounted disks larger than 16MB. The boot volume will be unrecoverable, but other erased disks might be salvageable with disk utilities.
FIX: Although this virus apparently affects only Italian-language versions of System 6.x and System 7.x, the damage it can cause has led NASIRC to produce an updated version of the MacDefender Anti-Viral Tool Kit. This update will include version 3.4.1 of the "Disinfectant" virus hunter-killer and version 3.7 of the "MacHelper" HyperCard stack. The new MacDefender package will be made available as soon as NASIRC has acquired version 3.4.1 of Disinfectant (a bug has been discovered in version 3.4 of Disinfectant, which was released in response to this new virus).

NASIRC will continue to monitor the situation and will post additional information as it becomes available. If you have any difficulties in acquiring MacDefender or have a question about this situation, please contact NASIRC at any of the venues listed below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: Gene Spafford of the PCERT for forwarding this information in a rapid and timely manner.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:
Phone: 1-800-7-NASIRC
Fax: 1-301-441-1853
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
STU III: 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and system administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp. Just ftp to nasirc.nasa.gov and login as anonymous. You will be required to enter your valid e-mail address. Once there you can access the following information:
/toolkits ! contains automated toolkit software
/bulletins ! contains NASIRC bulletins
Information maintained in these directories is updated on a continuous basis with relevant software and information.
Contact the NASIRC Helpdesk for more information or assistance with tool kits or security measures.
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC bulletins. If you are not part of the NASA community, please contact your agency's response team to report incidents. Your agency's team will coordinate with NASIRC, who will ensure the proper internal NASA team(s) are notified.

NASIRC is a member of the Forum of Incident Response and Security Teams (FIRST), a world-wide organization which provides for coordination between incident response teams in handling computer-security-related issues. You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts".