NASIRC BULLETIN #94-15 May 5, 1994 Macintosh Virus Found on American Vacuum Society CD-ROM =========================================================== __ __ __ ___ ___ ____ ____ /_/\ /_/| /_/ / _/\ /_/| / __/ \ / __/\ | |\ \| || / \ \ | /\/ | || | /\ \/ | | \/ | ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | | | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\ |_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/ NASA Automated Systems Incident Response Capability =========================================================== NASIRC recently received notification that a Macintosh virus has been found on the CD-ROM "Journal of Vacuum Science and Technology A&B" (Second Series Volume 12, 1994)". The CD is "An official journal of the American Vacuum Society Published for the Society by the American Institute of Physics." SYSTEMS AFFECTED: Macintosh systems running System 6.x or 7.x; Power Macintosh systems may also be vulnerable. Although this CD is also readable by DOS and Windows systems, they are NOT affected by this problem. THE PROBLEM: A Macintosh virus has been discovered in the file called "README." on in the top-level directory of the CD-ROM named above. All other Mac files on the disc, including README.DOC, are safe; the only infected file is "README." Unfortunately, users must access this file to read or print out the user manual for this CD. The virus, apparently introduced by mistake, is present on all known copies of the CD. Look for the following titles imprinted on the disc: Main title (large, bold type): "JVST A&B Vol. 12 1Q94" Subtitle (small): "JVST-A Vol 12(1) and 12(2) JVST-B, Vol 12(1)" The virus has been identified by SAM Virus Clinic as the old nVir-A strain, which can infect the system file and applications. The virus will lie dormant until an infected file is opened a certain number of times (the virus counter decrements differently for different file types), at which point it may cause printing errors, system crashes, and other problems. Note that nVir-A is one of the oldest Macintosh viruses, dating back to 1987. THE FIX: Unfortunately, there is no way to "fix" the CD-ROM itself. NASIRC recommends that you do NOT run the "README." file directly from the CD-ROM; copy it to a regular disk and clean it with a utility such as Disinfectant before double-clicking it. If you have already run "README.", your Macintosh is probably already infected with the virus. You must run an anti-viral utility (from a *locked* floppy) to repair any infected files on your hard drive, and be sure to also disinfect *all* floppy disks you have used since the first time "README." was opened. All current versions of Macintosh anti-viral programs can recognize & combat the nVir-A virus if your Macintosh becomes infected. You can acquire NASIRC's "MacDefender" package (which includes Disinfectant) as follows: ftp://nasirc.nasa.gov/~toolkits/Mac/macdefender17.sea -- binary - or - ftp://nasirc.nasa.gov/~toolkits/Mac/macdefender17.hqx -- ascii NASIRC will continue to monitor this situation and will post additional information should it become necessary. If you have any questions about this bulletin or the MacDefender package, please contact NASIRC via any of the venues below. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= NASIRC ACKNOWLEDGES: Karyn Pichnarczyk of the Department of Energy Computer Incident Advisory Capability (CIAC) for forwarding this information in a rapid and timely manner. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= =============================================================== For further assistance, please contact the NASIRC Helpdesk: Phone: 1-800-7-NASIRC Fax: 1-301-441-1853 Internet Email: nasirc@nasa.gov 24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056 STU III: 1-301-982-5480 =============================================================== This bulletin may be forwarded without restriction to sites and system administrators within the NASA community. The NASIRC online archive system is available via anonymous ftp. You will be required to enter your valid e-mail address as the "password". Once on the system, you can access the following information: ~/bulletins ! NASIRC bulletins ~/information ! various informational files ~/toolkits ! patches & automated toolkit software The contents of these directories is updated on a continuous basis with relevant software and information; contact the NASIRC Helpdesk for more information or assistance. ----------------- PLEASE NOTE: Users outside of the NASA community may receive NASIRC bulletins. If you are not part of the NASA community, please contact your agency's response team to report incidents. Your agency's team will coordinate with NASIRC, who will ensure the proper internal NASA team(s) are notified. NASIRC is a member of the Forum of Incident Response and Security Teams (FIRST), a world-wide organiza- tion which provides for coordination between incident response teams in handling computer-security-related issues. You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts".