Date: 06 Oct 1994 14:21:21 -0400 (EDT)
From: Ron Tencati +1-301-441-4081
Subject: NASIRC BULLETIN #94-31: Virus Found in Mac Sys 7.5 Sample Upgrade Kit
Sender: first-request@csrc.ncsl.nist.GOV
To: first-info@first.ORG
Cc: TENCATI@nssdca.gsfc.nasa.GOV
Reply-to: Ron Tencati +1-301-441-4081
Organization: FIRST, the Forum of Incident Response & Security Teams
Sub-Organization: FIRST Secretariat
X-Sequence: first-info.0163

[The following bulletin was released late yesterday by NASIRC to its NASA
constituents. The First-Teams exploder was omitted from the initial mailing]

NASIRC BULLETIN #94-31                                   October 5, 1994

VIRUS FOUND IN MACINTOSH SYSTEM 7.5 SAMPLE UPGRADE KIT
===========================================================
    NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received notification that certain files being included
in the sample upgrade for Macintosh System 7.5 are infected with the
MBDF virus. PLEASE NOTE THAT WE DO NOT HAVE COMPLETE INFORMATION ABOUT
THIS PROBLEM AT THE CURRENT TIME.

SYSTEMS AFFECTED:

Any Macintosh using files from the sample upgrade.

THE PROBLEM:

Information received by NASIRC indicates that Apple Computer makes the
sample System 7.5 upgrade package available to Apple Federal
Representatives over the network; the applications "HDSC Setup" and
"Disk First Aid" that come with this sample upgrade package are infected
with a variant of the MBDF virus (originally discovered in late 1993).
These two applications are *not* required, and must be copied manually
(the Installer utility does not access them). All other parts of the
sample upgrade package are apparently virus-free.

Common symptoms of this virus include: the Mac seems to lock up for the
time it takes for the virus to infect the System file; "BeHierarchic"
stops working properly; Claris applications will state they have been
altered; and/or some programs will crash if the mouse button is clicked
with the cursor in the menu bar.

THE FIX:

Any Apple Federal Representatives who have downloaded the sample System
7.5 upgrade should immediately scan their systems' hard disks (and all
floppies used on that system since the download) with Disinfectant or a
similar anti-viral product. Any Macintosh that has the sample System 7.5
upgrade installed (and all floppies used on that machine since the
installation) should also immediately be scanned.

The "HDSC Setup" and "Disk First Aid" applications included with the
sample System 7.5 upgrade package should NOT be copied from the server;
this should prevent the spread of the virus. (NOTE - The server itself
has been purged of infected files.)

The MBDF virus itself is easily recognized and eradicated by most
anti-viral packages. NASIRC suggests that NASA users needing such a tool
acquire the "MacDefender" package (which includes the latest version of
Disinfectant) from the NASIRC Anonymous FTP server with either of the
following URLs:

    ftp://nasirc.nasa.gov/toolkits/Mac/macdefender.sea  (binary version)
    ftp://nasirc.nasa.gov/toolkits/Mac/macdefender.hqx  (binhexed version)

(Please note that NASIRC's Anonymous FTP and WWW servers are accessible
ONLY to systems in the .nasa.gov domain!)

NASIRC will continue to monitor this situation and will post additional
information should it become necessary. If you have any questions about
this bulletin, please contact NASIRC via any of the venues below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: Frank Martin and Lee Snapp of NASA-JSC for passing
this information on to us.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:

    Phone: 1-800-7-NASIRC
    Fax: 1-301-441-1853
    Internet Email: nasirc@nasa.gov
    24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
    STU III: 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and system
administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp. You
will be required to enter your valid e-mail address as the "password".
Once on the system, you can access the following information:

    ~/bulletins     ! contains NASIRC bulletins
    ~/information   ! contains various informational files
    ~/training      ! contains NASIRC course abstracts
    ~/toolkits      ! contains automated toolkit software

The contents of these directories are updated on a continuous basis with
relevant software and information; contact the NASIRC Helpdesk for more
information or assistance.

-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s)
are notified. NASIRC is a member of the Forum of Incident Response and
Security Teams (FIRST), a world-wide organization which provides for
coordination between incident response teams in handling
computer-security-related issues.