PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

U-1,234/DS-SIM {DCPO}

SUBJ: NEW VIRUS ON MACINTOSH COMPUTERS: MBDF A {AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM {ASSIST} 92-41}

1. DISCUSSION: ASSIST HAS LEARNED THAT A NEW MACINTOSH VIRUS, MBDF A, {NAMED FOR THE RESOURCE IT EXPLOITS} HAS BEEN DISCOVERED. THIS VIRUS DOES NOT APPEAR TO MALICIOUSLY CAUSE DAMAGE, BUT SIMPLY COPIES ITSELF FROM ONE APPLICATION TO ANOTHER. MBDF A WAS DISCOVERED AT TWO ARCHIVE SITES IN NEWLY POSTED GAME APPLICATIONS, AND HAS A HIGH POTENTIAL TO BE VERY WIDESPREAD. THIS VIRUS IS AN "IMPLIED LOADER" VIRUS, AND IT WORKS IN A SIMILAR MANNER TO OTHER IMPLIED LOADER VIRUSES SUCH AS CDEF AND MDEF. ONCE THE VIRUS IS ACTIVE, CLEAN APPLICATION PROGRAMS WILL BECOME INFECTED AS SOON AS THEY ARE EXECUTED. MBDF A INFECTS ONLY APPLICATIONS, AND DOES NOT AFFECT DATA FILES. THIS VIRUS REPLICATES UNDER BOTH SYSTEM 6 AND SYSTEM 7. WHILE MBDF A MAY BE PRESENT ON ALL TYPES OF MACINTOSH SYSTEMS, IT WILL NOT SPREAD IF THE INFECTED SYSTEM IS A MACPLUS OR A MAC SE {ALTHOUGH IT DOES SPREAD ON AN SE/30}.

2. THE MBDF A VIRUS HAS NO MALICIOUS DAMAGING CHARACTERISTICS; HOWEVER, IT MAY CAUSE PROGRAMS TO INEXPLICABLY CRASH WHEN AN ITEM IS SELECTED FROM THE MENU BAR. SOME PROGRAMS, SUCH AS THE SHAREWARE "BEHIERARCHIC" PROGRAM, HAVE BEEN REPORTED TO NOT OPERATE CORRECTLY WHEN INFECTED. APPLICATIONS WRITTEN WITH SELF-CHECKING CODE, SUCH AS THOSE WRITTEN BY THE CLARIS CORPORATION, WILL INFORM THE USER THAT THEY HAVE BEEN ALTERED. WHEN MBDF A INFECTS THE SYSTEM FILE, IT MUST RE-WRITE THE ENTIRE SYSTEM FILE BACK TO DISK; THIS PROCESS MAY TAKE TWO OR THREE MINUTES. IF THE USER ASSUMES THE SYSTEM HAS HUNG, AND REBOOTS THE MACINTOSH WHILE THIS IS OCCURRING, THE ENTIRE SYSTEM FILE WILL BE CORRUPTED AND AN ENTIRE RELOAD OF SYSTEM SOFTWARE MUST THEN BE PERFORMED.

3. RECOMMENDATION: THIS VIRUS CAN BE SAFELY ERADICATED FROM MOST INFECTED PROGRAMS, ALTHOUGH ASSIST RECOMMENDS THAT ALL DODIIS SITES RESTORE ALL INFECTED FILES FROM AN UNINFECTED BACKUP. BECAUSE MBDF A HAS BEEN RECENTLY DISCOVERED, ONLY ANTI-VIRAL PACKAGES UPDATED SINCE FEBRUARY 20, 1992 WILL LOCATE AND ERADICATE THIS VIRUS. ALL THE MAJOR MACINTOSH ANTI-VIRAL PRODUCT VENDORS ARE AWARE OF THIS VIRUS AND HAVE SCHEDULED UPDATES FOR THEIR PRODUCTS. THESE UPDATES HAVE ALL BEEN AVAILABLE SINCE FEBRUARY 24, 1992. THE UPDATED VERSIONS OF SOME PRODUCTS ARE DISINFECTANT 2.6, GATEKEEPER 1.2.4, VIREX 3.6, SAM 3.0, VIRUSDETECTIVE 5.0.2, AND RIVAL 1.1.10. SOME MACINTOSH APPLICATIONS {SUCH AS THE CLARIS SOFTWARE MENTIONED ABOVE} MAY CONTAIN SELF-VERIFICATION PROCEDURES TO ENSURE THE PROGRAM IS VALID BEFORE EACH EXECUTION; THESE PROGRAMS WILL NOTE UNEXPECTED ALTERATIONS TO THEIR CODE AND WILL INFORM THE USER.

4. MBDF A HAS BEEN POSITIVELY IDENTIFIED AS PRESENT IN TWO SHAREWARE GAMES DISTRIBUTED BY RELIABLE ARCHIVE SITES: "OBNOXIOUS TETRIS" AND "TEN TILE PUZZLE". THE PROGRAM "TETRICYCLE" {SOMETIMES NAMED "TETRIS-ROTATING"} IS A TROJAN HORSE PROGRAM WHICH INSTALLS THE VIRUS. IF YOU HAVE DOWNLOADED THESE OR ANY OTHER SOFTWARE SINCE FEBRUARY 14, 1992 {THE DAY THESE PROGRAMS WERE LOADED TO THE ARCHIVE SITES}, ASSIST RECOMMENDS THAT YOU ACQUIRE AN UPDATED VERSION OF AN ANTI-VIRAL PRODUCT AND SCAN YOUR SYSTEM FOR THE EXISTENCE OF MBDF A.

5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL."
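
Added example, not part of the ASSIST message: a Python parser for the classic Mac OS resource fork layout that reports whether an application carries a resource of type MBDF, the resource the advisory says the virus is named for. Treating an MBDF resource inside an application as something to review is an assumption of this example, not a signature taken from the advisory; the function names and the sample forks are constructed for illustration.

```python
import struct

def list_resources(fork):
    """Return {type: [resource IDs]} parsed from a classic Mac OS resource fork."""
    try:
        _data_off, map_off, _data_len, map_len = struct.unpack_from(">4I", fork, 0)
        rmap = fork[map_off:map_off + map_len]
        if len(rmap) != map_len:
            raise ValueError("resource map extends past the end of the fork")
        (tl,) = struct.unpack_from(">H", rmap, 24)        # map offset of the type list
        (n_types,) = struct.unpack_from(">H", rmap, tl)   # stored as count - 1
        found = {}
        for i in range((n_types + 1) & 0xFFFF):
            rtype, n_res, ref_off = struct.unpack_from(">4sHH", rmap, tl + 2 + 8 * i)
            ids = [struct.unpack_from(">h", rmap, tl + ref_off + 12 * j)[0]
                   for j in range(n_res + 1)]             # 12-byte reference entries
            found.setdefault(rtype.decode("mac_roman"), []).extend(ids)
        return found
    except struct.error as exc:
        raise ValueError(f"truncated or malformed resource fork: {exc}")

def needs_review(file_type, fork, watch=("MBDF",)):
    """Watched resource types found in an application's fork (assumed heuristic)."""
    if file_type != "APPL":   # advisory: only applications are infected, not data files
        return []
    return [t for t in list_resources(fork) if t in watch]

def build_fork(resources):
    """Constructed sample data: a minimal fork of empty resources, {type: [ids]}."""
    types, refs, data = b"", b"", b""
    ref_base = 2 + 8 * len(resources)        # reference lists follow the type entries
    for rtype, ids in resources.items():
        types += struct.pack(">4sHH", rtype, len(ids) - 1, ref_base + len(refs))
        for rid in ids:
            refs += struct.pack(">hhII", rid, -1, len(data), 0)  # no name, attrs 0
            data += struct.pack(">I", 0)                         # zero-length body
    type_list = struct.pack(">H", (len(resources) - 1) & 0xFFFF) + types + refs
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list)) + type_list
    header = struct.pack(">4I", 256, 256 + len(data), len(data), len(rmap))
    return header.ljust(256, b"\0") + data + rmap

# Constructed samples, not real files: one ordinary application, one with an MBDF.
CLEAN_APP = build_fork({b"CODE": [0, 1], b"MENU": [128]})
ALTERED_APP = build_fork({b"CODE": [0, 1], b"MBDF": [0]})
```

The check is scoped to file type APPL because the System file normally contains the stock menu bar definition as an MBDF resource, so a match there is expected. A hit is a prompt to scan the file with an updated anti-viral product or restore it from an uninfected backup, as the advisory recommends.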