NASIRC BULLETIN #94-17
May 5, 1994

Dangerous New DOS Trojan ("CD-IT.ZIP") Found

===========================================================
NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received information about a potential "trojan horse" program being distributed on the Internet as "CD-IT.ZIP".

SYSTEMS AFFECTED:

This trojan apparently only runs on "IBM compatible" systems; DOS is definitely susceptible, and Windows might be.

THE PROBLEM:

According to information posted in several Clarinet newsgroups, a new and dangerous trojan is showing up at publicly-accessible Internet sites. This trojan, called CD-IT.ZIP, supposedly gives your PC full read/write capabilities on its CD-ROM drive. The CD-IT documentation states the program was authored by Joseph S. Shiner, couriered by HDA and copyrighted by Chinon Products.

The problem came to light when a user who had downloaded the file from a FidoNet server in Baltimore, MD, realized that it is IMPOSSIBLE to make a standard CD-ROM drive writable with a small software utility and reported it to Chinon. Other suspicious indicators were obscenities in the documentation and a line indicating that HDA stands for "Haven't Decided a Name Yet." In a statement to Newsbytes, Chinon America stated it has no division as named in the documentation.

Chinon engineers also report that if CD-IT is actually run, it locks up the computer; it will then remain in memory (even after reboot) and will corrupt critical system files on the hard disk as well as any available network volumes. Chinon's R&D Director stated that he has not heard of any systems that have (yet) been affected by this trojan.

THE FIX:

Although there is no real "fix" for a trojan or virus, there are two important points NASIRC wishes to make:

1) DO NOT DOWNLOAD THE FILE "CD-IT.ZIP" FROM ANY ON-LINE ARCHIVES!

2) DO NOT RUN THE "CD-IT" UTILITY!

Once a system is infected, the only way to eradicate the virus is to perform a high-level reformat of the hard drive!

To quote the Clarinet post, "Chinon is encouraging anyone who might have information that could lead to the arrest and prosecution of the parties responsible for CD-IT to call the company at 310-533-0274. In addition, the company has notified the major distributors of virus protection software, such as Symantec and McAfee Associates, so they may update their programs to detect and eradicate CD-IT."

NASIRC will continue to monitor this situation and will post additional information should it become necessary. If you have any questions about this bulletin, please contact NASIRC via any of the venues below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: Hank Middleton of NASA's Goddard Space Flight Center for notifying NASIRC of this situation.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:

Phone: 1-800-7-NASIRC
Fax: 1-301-441-1853
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
STU III: 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and system administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp. You will be required to enter your valid e-mail address as the "password". Once on the system, you can access the following information:

~/bulletins    ! contains NASIRC bulletins
~/information  ! contains various informational files
~/toolkits     ! contains automated toolkit software

The contents of these directories are updated on a continuous basis with relevant software and information; contact the NASIRC Helpdesk for more information or assistance.

-----------------

PLEASE NOTE: Users outside of the NASA community may receive NASIRC bulletins. If you are not part of the NASA community, please contact your agency's response team to report incidents. Your agency's team will coordinate with NASIRC, who will ensure the proper internal NASA team(s) are notified.

NASIRC is a member of the Forum of Incident Response and Security Teams (FIRST), a world-wide organization which provides for coordination between incident response teams in handling computer-security-related issues. You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts".