NASIRC BULLETIN # 94-11                                 April 4, 1994

New Macintosh Virus ("INIT-29-B") Discovered
===========================================================
NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received notification that a new Macintosh virus was
discovered, called "INIT-29-B". Although this is a new variant of an
older, pre-existing virus that dates back to 1988, new measures are
required to protect NASA Macintoshes from becoming infected.

AFFECTED: All files (applications, system files, "documents") under
both System 6.x and 7.x. Applications on an infected Macintosh do *not*
have to be opened to become infected.

SYMPTOMS: Possible unexpected program failures and/or system crashes;
possible printing problems; the system may state locked floppies need
"minor repairs" each time one is inserted.

DETAILS: This virus was discovered recently in the western USA. Its
behavior is similar to that of the original INIT-29 virus that was
discovered in 1988. Both INIT-29 strains can infect applications,
system files, and documents (data files); an application residing on an
infected Macintosh can become infected even if it is not opened.
Apparently, only applications and system files (not documents) can
spread this virus. INIT-29-B does not seem to cause any damage "on
purpose", but problems may arise due to changes it makes in infected
files.

FIX: NASIRC has produced an updated version of the MacDefender
Anti-Viral Tool Kit; it includes version 3.5 of the "Disinfectant"
virus hunter-killer and version 3.9 of the "MacHelper" HyperCard stack.
The new package is available via Anonymous FTP from nasirc.nasa.gov in
the directory ~/toolkits/Mac in two versions: macdefender17.sea is a
self-extracting StuffIt archive that must be transferred in binary
mode, and macdefender17.hqx is a binhexed version of that file that may
be transferred in ascii mode. Please note that the NASIRC FTP server
will only allow connections from systems in the .nasa.gov domain and
specific other NASA systems in other domains; please contact NASIRC if
you have any questions.

NASIRC will continue monitoring the situation, and will post additional
information as it becomes available. If you have any difficulties in
acquiring MacDefender, or have a question about this situation, please
contact NASIRC at any of the venues listed below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: Gene Spafford of the PCERT for forwarding this
information in a rapid and timely manner.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:

Phone: 1-800-7-NASIRC
Fax: 1-301-441-1853
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
STU III: 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and system
administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp. You
will be required to enter your valid e-mail address as the "password".
Once on the system, you can access the following information:

~/bulletins      ! contains NASIRC bulletins
~/information    ! contains various informational files
~/toolkits       ! contains automated toolkit software

Information maintained in these directories is updated on a continuous
basis with relevant software and information.
Contact the NASIRC Helpdesk for more information or assistance with
tool kits or security measures.

-----------------

PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal NASA
team(s) are notified. NASIRC is a member of the Forum of Incident
Response and Security Teams (FIRST), a world-wide organization which
provides for coordination between incident response teams in handling
computer-security-related issues. You can obtain a list of FIRST member
organizations and their constituencies by sending email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".