NASIRC BULLETIN # 94-04                                       March 8,1994

               New Macintosh Virus ("INIT-9403") Discovered
       ===========================================================
             __    __      __      ___   ___  ____     ____  
            /_/\  /_/|    /_/     / _/\ /_/| / __/ \  / __/\ 
            | |\ \| ||   /  \ \   | /\/ | || | /\ \/  | | \/ 
            | ||\ \ ||  / /\ \ \   \ \  | || |_\/ /\  | |    
            | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\ 
            |_|/  \_|//_/    \_\/ \/__/ |_|/ |_| \_\/ \___\/ 
           NASA Automated Systems Incident Response Capability
       ===========================================================

  NASIRC recently received notification  that a new Macintosh virus was
  discovered in Italy, called "INIT-9403" (one vendor has instead named
  it "SysX").  Although the risk to  most NASA-owned Macs appears to be
  minimal, NASIRC has chosen to issue this  Bulletin as a precautionary
  measure.

  AFFECTED:

  The Finder, then other applications; if unchecked, the virus attempts
  to destroy all  mounted disk volumes.   This virus apparently affects
  ONLY the  Italian-language version of the MacOS, both System 6 and 7.
  It is recommended that infected files be REPLACED after disinfection,
  rather than merely repaired.

  DETAILS:

  This highly malicious virus was discovered  in Italy at the beginning
  of March 1994, with a possible initial distribution vector of pirated
  commercial software.  When the infected application is run, the virus
  installs itself in an invisible file on the boot volume. When the Mac
  is restarted, the virus modifies the Finder, from where it can spread
  to other applications (and other Macs).   When the virus is triggered
  (after a certain number of files  have been infected), it attempts to
  completely erase  the boot volume (your "Startup Device")  by writing
  random data  all over it.   The virus will also  attempt to erase all
  mounted disks larger than 16MB. The boot volume will be unrecoverable
  but other erased disks might be salvageable with disk utilities.

  FIX:

  Although this virus apparently affects only Italian-language versions
  of System 6.x and System 7.x, the  damage it can cause has led NASIRC
  to produce an updated version of the MacDefender Anti-Viral Tool Kit.
  This update  will include  version 3.4.1 of the  "Disinfectant" virus
  hunter-killer and version 3.7 of the "MacHelper" HyperCard stack. The
  new MacDefender package  will be made available as soon as NASIRC has
  acquired version 3.4.1 of Disinfectant  (a bug has been discovered in
  version 3.4 of Disinfectant,  which was released  in response to this
  new virus).


  NASIRC will continue to monitor the situation and will post additional
  information as it becomes available.   If you have any difficulties in
  acquiring MacDefender  or have a question about this situation, please
  contact NASIRC at any of the venues listed below.

    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    NASIRC ACKNOWLEDGES: Gene Spafford of the PCERT for forwarding this
    information in a rapid and timely manner.
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

     ===============================================================
       For further assistance, please contact the NASIRC Helpdesk:
          Phone: 1-800-7-NASIRC             Fax: 1-301-441-1853
                    Internet Email: nasirc@nasa.gov
           24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
                       STU III: 1-301-982-5480
     ===============================================================
     This bulletin may be forwarded without restriction to sites and 
            system administrators within the NASA community.

     The NASIRC online archive system is available via anonymous ftp.
     Just ftp to nasirc.nasa.gov and login as anonymous.  You will be
     required to enter your valid e-mail address.  Once there you can
     access the following information:

         /toolkits           ! contains automated toolkit software
         /bulletins          ! contains NASIRC bulletins
       
     Information maintained  in these directories  is be updated on a
     continuous basis with relevant software and information. Contact 
     the NASIRC Helpdesk for more information or assistance with tool
     kits or security measures.

                            -----------------

    PLEASE NOTE: Users outside of the NASA community  may receive NASIRC
    bulletins. If you are not part of the NASA community, please contact
    your agency's response team to report incidents.  Your agency's team
    will coordinate  with NASIRC,  who will  ensure the  proper internal
    NASA team(s)  are notified.   NASIRC is  a member  of  the  Forum of
    Incident Response and Security Teams (FIRST), a world-wide organiza-
    tion which provides for coordination between incident response teams
    in handling computer-security-related issues.  You can obtain a list
    of FIRST  member organizations  and their  constituencies by sending
    email to   docserver@first.org   with an empty  "subject" line and a
    message body containing the line "send first-contacts".