NASIRC BULLETIN #93-07                                    November 16, 1993

New Macintosh Viruses (MBDF-B & CODE-1) Reported
===========================================================================

            NASA Automated Systems Incident Response Capability
===========================================================================

NASIRC has learned of the recent discovery of two new Macintosh viruses,
CODE-1 and MBDF-B, earlier this month. CODE-1 alters applications and the
system file, renames hard disks, and may crash the system or damage some
files. MBDF-B has few symptoms (Claris applications will indicate they have
been modified, some other software may not work), but may still cause
crashes. Both viruses are functional under both System 6 and System 7 on all
Macintosh models, although MBDF-B may not work on Plus and SE models.

THE CODE-1 VIRUS

This virus spreads to application programs and the system file. Aside from
spreading, its only explicit action is to rename the hard disk "Trent Saburo"
if the system is restarted on October 31 of any year. However, the virus also
changes several internal code pointers that may be set by various extensions
and updates; this may prevent some applications from operating properly (if
at all), and may crash the system under certain conditions. The behavior of
this virus depends on the hardware and software configuration of the
infected machine.

THE MBDF-B VIRUS

This virus appears to be a modification and re-release of the old MBDF-A
virus. Like the original, this virus does not intentionally cause damage, but
it may spread widely.
Although MBDF-B does not necessarily exhibit any symptoms on infected
systems, some abnormal behavior (system crashes, malfunctions in various
programs) was reported on machines infected with the original strain, which
may possibly be traced to the virus. Some specific symptoms include:

-- Infected Claris applications will indicate that they have been altered.
-- The "BeHierarchic" shareware program ceases to work correctly.
-- Some programs will crash if something in the menu bar is selected with
   the mouse.

The MBDF-B virus should behave similarly and will spread under both System 6
and System 7. However, it seems to have no effect on Macintosh Plus and SE
models, although it *can* spread from those models to other systems.

COMBATING THE VIRUSES

NASIRC distributes the MacDefender package, which includes the most current
version (v3.3) of John Norstad's "Disinfectant" virus hunter-killer.
Acquisition of MacDefender is detailed below; information about other
Macintosh anti-viral programs/packages follows.

Acquiring MacDefender via ANON FTP from NASIRC.NASA.GOV (198.116.23.199):

    cd /toolkits/mac
    get macdefender.sea   -- this is a self-extracting BINARY archive
      - or -
    get macdefender.hqx   -- this is a BinHexed (ASCII) version

Acquiring MacDefender via DECNET COPY from DFTNIC (15365):

    COPY DFTNIC::DISK$MOE:[ANONYMOUS.FILES.SOFTWARE.MAC]MACDEFENDER.SEA
      -- self-extracting (BINARY) archive version of the package
      - or -
    COPY DFTNIC::DISK$MOE:[ANONYMOUS.FILES.SOFTWARE.MAC]MACDEFENDER.HQX
      -- BinHexed (ASCII) version of the self-extracting archive

OTHER AVAILABLE MACINTOSH ANTI-VIRALS

Central Point Anti-Virus v3.0a (Commercial software); also available on the
Central Point BBS @ 1-503-690-6650.
  -- Registered users will receive postcards. Also, users can download the
     file 'Mac CPAV Antidotes 11/5/93' from the usual places to receive the
     update.

Disinfectant 3.3 (freeware, courtesy of Northwestern U.'s John Norstad);
part of NASIRC's MacDefender package, also available at the usual archive
sites and bulletin boards (ftp.acns.nwu.edu, AppleLink, CompuServe, America
Online, sumex-aim.stanford.edu, rascal.ics.utexas.edu, Genie, Calvacom,
MacNet, Delphi, comp.binaries.mac).

Gatekeeper 1.2.9 (freeware, courtesy of Chris Johnson); available from the
usual archive sites and BBSs (rascal.ics.utexas.edu, comp.binaries.mac,
microlib.cc.utexas.edu, sumex-aim.stanford.edu).
  -- Version 1.2.8 is already effective against MBDF-B. Gatekeeper Aid will
     identify it as an "Unknown Strain" of MBDF, but will remove it without
     difficulty.

Rival CODE-1 Vaccine (Commercial software); also available from AppleLink,
America Online, Calvacom, CompuServe, Internet, and XELPH's Customer Service
@ 1-415-327-9563.
  -- The vaccine will be e-mailed to all registered users.
  -- The existing Rival MBDF Vaccine already detects/removes MBDF-B.

SAM Virus Clinic and Intercept v3.5.9 (Commercial software); also available
from CompuServe, America Online, AppleLink, and Symantec Customer Service
@ 1-800-441-7234.
  -- Updates to various versions of SAM to detect and remove CODE-1 and
     MBDF-B are available from the above sources.

Virex 4.1 (Commercial software); also available from Datawatch Corporation's
BBS @ 1-919-549-0711.
  -- Virex currently detects and repairs the MBDF-B virus but identifies it
     as the MBDF-A virus.
  -- UDV for the CODE-1 virus; Guide Number = 13656448
       1: 020A 30FA 7D90 7610 / 8C
       2: 00A9 C60C AF00 0A00 / F1
       3: 3EA0 0B4E 7581 8090 / 59

VirusDetective 5.0.10 (Shareware); available from various Mac archives.
  -- Search strings for the CODE-1 virus will be sent only to registered
     users via e-mail (registered users without e-mail access should contact
     the author).
  -- The MBDF-B virus is already detected by the MBDF-A search string.
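As an added illustration (not part of this bulletin, and not Virex's own code), the following Python scanner searches a file's bytes for the three CODE-1 UDV search strings listed under Virex above and reports where each one occurs. It assumes the 16 hex digits of each entry form an 8-byte pattern and does not interpret the trailing "/ XX" value, whose role in the Virex UDV format the bulletin does not state; on a classic Mac the infected code lives in the resource fork, so on a modern host you would run this over an extracted resource fork (e.g. from a MacBinary file), not the data fork.

```python
import re
from pathlib import Path

# Virex 4.1 UDV search strings for CODE-1, copied from the bulletin.
# Each entry is written as four 16-bit words (8 bytes). The "/ XX" value
# printed after each entry in the bulletin is assumed to be a Virex-side
# check value and is deliberately not part of the pattern.
CODE1_UDV = {
    1: "020A 30FA 7D90 7610",
    2: "00A9 C60C AF00 0A00",
    3: "3EA0 0B4E 7581 8090",
}


def udv_to_bytes(words: str) -> bytes:
    """Turn a space-separated string of hex words into raw bytes."""
    return bytes.fromhex(words.replace(" ", ""))


def scan_bytes(data: bytes) -> dict:
    """Return {entry_number: [offsets]} for every UDV pattern found in data."""
    hits = {}
    for num, words in CODE1_UDV.items():
        pat = re.escape(udv_to_bytes(words))
        offsets = [m.start() for m in re.finditer(pat, data)]
        if offsets:
            hits[num] = offsets
    return hits


def scan_file(path) -> dict:
    """Scan one file (intended for an extracted resource fork)."""
    return scan_bytes(Path(path).read_bytes())


# Constructed sample buffer: filler bytes with UDV entries 1 and 3 embedded
# at offsets 16 and 29. Entry 2 is absent, so it must not be reported.
SAMPLE = (
    b"\x00" * 16
    + udv_to_bytes(CODE1_UDV[1])
    + b"\xff" * 5
    + udv_to_bytes(CODE1_UDV[3])
)

if __name__ == "__main__":
    print(scan_bytes(SAMPLE))  # {1: [16], 3: [29]}
```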
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: Gene Spafford, COAST Project Director, and Purdue
University's PCERT for their investigations, analysis and coordination of
the information contained in this bulletin.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Security checklists, toolkits and guidance are available from the NASIRC
online archives. Contact the NASIRC Helpdesk for more info and assistance
with toolkits or security measures.

==================================================================
For further assistance, please contact the NASIRC Helpdesk:
    Phone:                    1-800-7-NASIRC
    Fax:                      1-301-306-1010
    Internet Email:           nasirc@nasa.gov
    24 Hour/Emergency Pager:  1-800-759-7243/Pin:5460866
==================================================================

This bulletin may be forwarded without restrictions to sites and system
administrators within the NASA community.
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact your
agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s) are
notified.

NASIRC is a member of the Forum of Incident Response and Security Teams
(FIRST), a world-wide organization which provides for coordination between
incident response teams in handling computer-security-related issues. A list
of FIRST member organizations and their constituencies can be obtained by
sending email to docserver@first.org with an empty subject line and a
message body containing the line: send first-contacts.