UNCLASSIFIED
01 04 RR UUUU

DIA WASHINGTON DC//DSM-4//
AIG 7894
SECDEF WASHINGTON DC//C3I-T//
JOINT STAFF WASHINGTON DC//6JT/DIRM-SCD/
NSACSS FT GEORGE G MEADE MD//T03/T711/V531/V34//
DCA WASHINGTON DC//DIS/DODM//
HQ AFOSI BOLLING AFB DC//IVSC//
AFCSC KELLY AFB TX//SRPE//
HQ ESC KELLY AFB TX//INAR//
DA WASHINGTON DC//DAMI-AM/DAMI-CIC/SAIS-SS//
CDRINSCOM FORT BELVOIR VA//IAOPA-OP-I/IAOPA-OP-TO//
CDRUSAOPSGP FT GEORGE G MEADE MD//IAGPC-TSE//
CDR902ND MIGP FT GEORGE G MEADE MD//IAGPA-OP-I//
CDR730THMIBN MUNICH GE//IAGPE-SCM//
HQ AFISA BOLLING AFB DC//IND//
COMNAVINTCOM WASHINGTON DC//OOQ/OOJ//
CDRINSCOM WASHINGTON DC//22E3/22E1//
NAVINVSERVA MUNICH GE//60MK//

MICHAEL R. HIGGINS (703) 284-0182, 6 SEP 91 (DEJ)
ROBERT L. AYERS, CHIEF, DSM-4, (703) 284-1276

NAVINVSERV ERREG LONDON UK//60HQ//
NAVINVSERVRA LONDON UK//60LN//
AFOSI DET 7008 MUNICH GE//CC//
CMC WASHINGTON DC//INTX//
USCENTCOM MACDILL AFB FL//J2//
USCINCEUR VAHINGEN GE//ECJ2/ECJ2-P/EUCOM AIDES//
USCINCLANT NORFOLK VA//J2//
USCINCPAC HONOLULU HI//J21//
CINCSAC OFFUTT AFB NE//INYSCC//
USCINCSO QUARRY HEIGHTS PM//J2//
USCINCTRANS SCOTT AFB IL//J2//
USCINCFOR FT MCPHERSON GA//J2//
USSPACECOM PETERSON AFB CO//J2//
USNMR SHAPE BE//DACOS INTEL//
NSACSS FT MEADE MD//C912//
MIBN (CI)(T) FT MEADE//IAGPA-A-CO//
CDRINSCOM FORT BELVOIR VA//IAIA-AUT-L//
NAVELEXSECCEN WASHINGTON DC//CODE 043//

UNCLAS
U-8,XXX/DSM-4

PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO) AND SITE/FACILITY/COMMAND INFORMATION RESOURCE MANAGER (IRM); COMM CEN MUNICH GE PASS TO NAVINVSERVA MUNICH GE; USNMR SHAPE BE PASS TO COL REYNOLDS AND MAJ HILL

DIA WASHINGTON DC//DSM-4//

SUBJ: SECURITY ALERT FOR THE COMPUTER VIRUS DISK KILLER (ASSIST 91-4).

1. A RECENTLY REPORTED INCIDENT INVOLVING THE COMPUTER VIRUS "DISK KILLER" HAS BEEN VERIFIED. THE VIRUS ORIGINATED FROM SHRINK WRAP SOFTWARE PROVIDED WITH A MEMORY EXPANSION BOARD FOR A DOS BASED PERSONAL COMPUTER.

2. DISK KILLER, AKA "COMPUTER OGRE", "DISK OGRE", OR "OGRE", IS A COMMON VIRUS INFECTING THE BOOT SECTOR THAT SPREADS ITSELF TO 3 BLOCKS ON EITHER FLOPPY OR HARD DISK. ONCE WRITTEN TO, THE BLOCKS WILL BE MARKED AS BAD IN THE FAT SO THEY CANNOT BE OVERWRITTEN. THE BOOT SECTOR IS THEN PATCHED, ALLOWING THE VIRUS TO BE EXECUTED DURING THE BOOT PROCESS AND INFECTION OF ANY DISKS EXPOSED TO THE SYSTEM. THE VIRUS KEEPS TRACK OF THE DISK USAGE TIME SINCE INITIAL INFECTION, AND DOES NO HARM UNTIL IT HAS REACHED APPROXIMATELY 48 HOURS (ON MOST SYSTEMS THIS LIMIT WILL BE REACHED WITHIN 1-6 WEEKS OF INITIAL INFECTION). WHEN THE LIMIT IS REACHED OR EXCEEDED AND THE SYSTEM IS REBOOTED, A MESSAGE IS DISPLAYED IDENTIFYING DISK KILLER. THIS DISPLAYED MESSAGE IS:

"DISK KILLER BY COMPUTER OGRE WARNING! DON'T TURN OFF THE COMPUTER OR REMOVE THE DISKETTE WHILE PROCESSING!"

DISK KILLER THEN PROCEEDS TO ENCRYPT THE ENTIRE HARD DISK, EFFECTIVELY DESTROYING THE INFORMATION ON THE DISK.

3. THE ONLY WAY TO PRECLUDE TOTAL DISK WIPE IS TO TURN THE COMPUTER OFF AS SOON AS POSSIBLE. THE WARNING IS PART OF THE VIRUS AND POWER MUST BE TURNED OFF TO SAVE ANY PART OF THE HARD DISK. IF DISK KILLER IS LEFT ALONE TO EXECUTE, THE ONLY RECOURSE IS TO REFORMAT THE DISK.

4. SEVERAL COMPUTER VIRUS SOFTWARE PRODUCTS DETECT AND REMOVE DISK KILLER. MCAFEE VERSION 8.0 WAS USED SUCCESSFULLY IN THIS ONE CASE. REMEMBER TO REBOOT THE SYSTEM FROM A WRITE PROTECTED MASTER DISKETTE BEFORE ATTEMPTING TO REMOVE THE VIRUS OR YOU MAY REINFECT THE SYSTEM BY THE VIRUS IN MEMORY.

5. THE VENDOR THAT PROVIDED THE SOFTWARE IS JAIMCO ELECTRONICS LOCATED IN BELMONT, CA. THE SPECIFIC PRODUCT WAS A 2 MEGABIT, 80286 MEMORY EXPANSION BOARD MODEL NUMBER JE10783. THE PRODUCT WAS DELIVERED WITH A FLOPPY DISK CONTAINING 9 FILES (THE BOOT SECTOR WAS INFECTED) IN THE JAN/FEB 1991 TIME FRAME. JAIMCO IS AWARE OF THE PROBLEM AND CONCERNED WITH NOTIFYING THE RECIPIENTS OF THE POSSIBLY CONTAMINATED DISKETTES.

6. ALL SITES WHICH CAN IDENTIFY A PURCHASE FROM JAIMCO ELECTRONICS SHOULD CHECK AND VERIFY THE STATUS OF THEIR SYSTEMS USING COMMERCIALLY AVAILABLE VIRUS DETECTION SOFTWARE. ANY SITE UNSURE OF CONTACT WITH JAIMCO, OR WHICH HAS INSTALLED A MEMORY EXPANSION BOARD ON ITS PERSONAL COMPUTING BASE, SHOULD CHECK THOSE SYSTEMS FOR THE VIRUS. ALL SITES SHOULD PASS THE GENERAL ALERT FOR THE DISK KILLER VIRUS ON TO THE COMPUTER USER COMMUNITY. PARTICULAR ATTENTION SHOULD BE GIVEN TO ALERTING USERS THAT, IF THE ABOVE REFERENCED WARNING APPEARS ON THEIR SCREEN, THEY SHOULD IMMEDIATELY KILL SYSTEM POWER AND CONTACT THEIR COMPUTER SECURITY REPRESENTATIVE.

7. ASSIST CAN BE REACHED BY CALLING (703) 284-0182/1276 OR DSN 251-0182/1276 DURING DUTY HOURS OR (202) 373-8000 OR DSN 234-8000 AFTER DUTY HOURS. ASSIST IS ALSO AVAILABLE FROM A TOUCH TONE PHONE THROUGH TELEPHONIC PAGER (202) 896-6863 (AT THE TONE, ENTER THE NUMBER YOU WISH TO BE CONTACTED ON AND THE ASSIST DUTY OFFICER WILL CALL YOU BACK IMMEDIATELY).

8. POC FOR THIS ALERT IS MIKE HIGGINS, ASSIST, (703) 284-0182 OR DSN 251-0182. ANY DISCOVERY OF THE PROGRAM "SECURE.COM" SHOULD BE REPORTED IMMEDIATELY FOR FOLLOW-UP ASSIST ACTION.

UNCLASSIFIED
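
Paragraph 2 states that the blocks the virus occupies are marked as bad in the FAT. The following Python is an added example, not part of the original alert: it lists the clusters a FAT12 floppy image flags as bad so an examiner can review them. The function names and the sample image are constructed for illustration, and it assumes a raw FAT12 image; bad clusters also occur on healthy media, so a hit is a reason to run the virus scan in paragraph 4, not proof of infection.

```python
import struct

BAD_FAT12 = 0xFF7  # FAT12 entry value meaning "bad cluster, never allocate"

def parse_bpb(boot):
    """Read the BIOS Parameter Block fields needed to locate and size the FAT."""
    if len(boot) < 512:
        raise ValueError("boot sector shorter than 512 bytes")
    # offset 11: bytes/sector, sectors/cluster, reserved sectors, FAT copies,
    # root directory entries, total sectors, media byte, sectors per FAT
    bps, spc, reserved, nfats, root_ents, total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", boot, 11)
    if 0 in (bps, spc, nfats, spf):
        raise ValueError("implausible BPB (boot sector may be overwritten)")
    return bps, spc, reserved, nfats, root_ents, total, spf

def bad_clusters(image):
    """Return the cluster numbers the first FAT flags as bad (FAT12 only)."""
    bps, spc, reserved, nfats, root_ents, total, spf = parse_bpb(image[:512])
    root_secs = (root_ents * 32 + bps - 1) // bps
    clusters = (total - reserved - nfats * spf - root_secs) // spc
    if not 0 < clusters < 4085:
        raise ValueError("not a FAT12 volume; this decoder does not apply")
    fat = image[reserved * bps:(reserved + spf) * bps]
    found = []
    for n in range(2, clusters + 2):       # data clusters are numbered from 2
        off = n + n // 2                   # 12-bit entries: 1.5 bytes each
        if off + 2 > len(fat):
            break                          # truncated image
        word = struct.unpack_from("<H", fat, off)[0]
        entry = word >> 4 if n & 1 else word & 0x0FFF
        if entry == BAD_FAT12:
            found.append(n)
    return found

def make_sample_image(bad=(100, 101, 102)):
    """Constructed 360 KB floppy image (not real evidence) with chosen bad entries."""
    img = bytearray(720 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    img[510:512] = b"\x55\xaa"
    fat = 512                              # FAT follows the one reserved sector
    img[fat:fat + 3] = b"\xfd\xff\xff"     # entries 0 and 1 are reserved
    for n in bad:
        off = fat + n + n // 2
        word = struct.unpack_from("<H", img, off)[0]
        word = (word & 0x000F) | (BAD_FAT12 << 4) if n & 1 else (word & 0xF000) | BAD_FAT12
        struct.pack_into("<H", img, off, word)
    return bytes(img)

if __name__ == "__main__":
    print("clusters marked bad:", bad_clusters(make_sample_image()))
```

Run it against an image taken from a write-protected diskette, in keeping with the handling advice in paragraph 4.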