             _____________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             _____________________________________________________

                                ADVISORY NOTICE

                         nVir A Virus Found on CD-ROM

May 5, 1994 1500 PDT                                              Number E-19
______________________________________________________________________________
PROBLEM:       The Macintosh nVir A virus has been found in the "README."
               file on the Journal of Vacuum Science & Technology CD-ROM
               Vol.12 1Q94.
PLATFORM:      Macintosh, all versions of the operating system. This virus
               has no effect on the MS-DOS files also on the disk.
DAMAGE:        The virus can easily infect your computer.
SOLUTION:      Check with publisher, do not execute "README." file.
______________________________________________________________________________
VULNERABILITY  This CD-ROM is included as part of the American Vacuum
ASSESSMENT:    Society's (AVS) journal distribution, and is distributed to
               members of the AVS. The virus is not overtly damaging, but
               does damage the system and applications during infection.
______________________________________________________________________________

   Critical Information about the CD-ROM distribution, and the nVir A Virus

CIAC has investigated a report of a virus in the CD-ROM distribution of a
technical journal, the Journal of Vacuum Science & Technology A&B (Second
Series Volume 12, 1994), which apparently was inadvertently infected with the
nVir A virus before production of the CD-ROM. All known copies of this CD-ROM
distribution are infected with this Macintosh virus.

The CD-ROM can be identified by the following titles printed on the disk:

    A title in large bold type: "JVST A&B Vol. 12 1Q94"
    A subtitle in small type:   "JVST-A Vol 12(1) and 12(2) JVST-B, Vol 12(1)"

The infected file is "README." in the root directory of the CD-ROM, which is
a DOCMaker Stand-Alone document reader application.
This file is the one the instruction manual tells you to run for viewing or
printing the user manual; however, doing so will infect the system file of
your Macintosh. This disk can also be read via a PC using DOS or Windows, but
those systems will be unaffected, because the nVir A virus is specific to the
Macintosh operating system.

The nVir A virus at first only replicates, but after a certain number of
executions it has a small chance of saying "Don't Panic" if MacinTalk is
installed, or of making the computer beep if MacinTalk is not installed. It
is not an intentionally destructive virus, but does damage the system and
applications during the infection process. Infected systems occasionally
crash, and printing is often delayed or damaged.

CIAC recommends that if you have received this CD-ROM, you immediately mark
it as containing a Macintosh computer virus, and do not run the "README."
file in the root directory. If you are using this disk on a PC system, you do
not need to worry, as the PC files on this disk are not infected.

If you have already run this infected file, get a copy of an anti-virus
program such as Disinfectant, and scan your hard disk for infected files.
Replace all the infected files that you can, and repair those that you cannot
replace. If your hard disk has been infected, you must scan every floppy disk
that has been in your system since the infection occurred.

Even though the CD-ROM contains an infected file, the file can only infect
your system if it is executed. The other files on the disk can still be
installed and used without causing an infection. To install the Adobe Acrobat
document reader on your Macintosh, run the Installer program in the
JVST_94:install:mac:reader folder. To install the search utility, run the
JVST_INSTALL;1 program in the JVST_94:install:mac:wordkeep directory.
You can also view the README.DOC file, which contains the instructions for
using the PC and Windows versions of the reader, using a word processor. Only
the "README." file must be avoided.

If you must access the data in the infected "README." file, carefully copy
the file to a floppy disk and repair it using an anti-virus utility such as
Disinfectant, and then scan it again to ensure it has been repaired. If the
repaired file is no longer infected, you may then run it to view the
document. Again, do not run the copy of the "README." file that is on the
CD-ROM, as it is still infected, and cannot be repaired due to the read-only
nature of the CD-ROM.

The publisher has sent a letter to all known recipients of this CD-ROM
distribution explaining this problem.
______________________________________________________________________________

CIAC wishes to thank Judy Lim, Rick Stulen and Art Pontau of Sandia National
Labs for first bringing this to our attention and for supplying us with a
copy of the CD-ROM. CIAC also wishes to thank the ASSIST team for helping us
to contact the publishers of this journal.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).

CIAC has two self-subscribing mailing lists for its two types of electronic
publications:

    1. Advisories (highest priority, time critical information) or
       Bulletins (important computer security information) and
    2. Notes (computer security articles of general interest).

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines.
To subscribe (add yourself) to one of our mailing lists, send E-mail to:

    ciac-listproc@llnl.gov

with the following request as the E-mail message body, substituting
CIAC-BULLETIN or CIAC-NOTES for [list-name] and valid information for the
other items in parentheses:

    subscribe [list-name] Full_Name Phone_number
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.