New Macintosh Virus Discovered

**************************************************************************
Security Bulletin 9206                  DISA Defense Communications System
February 24, 1992           Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities.  Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using 
login="anonymous" and password="guest".  The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g., scc/ddn-security-9206).
**************************************************************************

                     New Macintosh Virus Discovered

Virus: MBDF A
Damage: minimal, but see below
Spread: may be significant
Systems affected:  Apple Macintosh computers.  The virus spreads on 
                   all types of systems except MacPlus systems and
                   (perhaps) SE systems; however, it may be present 
                   on MacPlus and SE systems and not spread.

A new virus, currently named "MBDF A", has been discovered on Apple
Macintosh computer systems.  The virus does not intentionally cause
damage, but it does spread widely.  Instances of the virus have been
found at a number of sites worldwide.

The virus has been discovered in games at several archive sites.
At those sites, the games "Obnoxious Tetris" and "Ten Tile Puzzle" are
definitely infected.  It is possible that other files may be infected
at some archive sites.  You should be especially suspicious of any games
named "tetris-rotating" or "Tetricycle".  

The virus does not necessarily exhibit any symptoms on infected
systems.  Some abnormal behavior has been reported that may be
traceable to the virus, including Mac crashes and malfunctions in
various programs.

Some specific symptoms include:

    * Infected Claris applications will indicate that they have
      been altered and will refuse to run.

    * The "BeHierarchic" shareware program ceases to work correctly.

    * Some programs will crash if something in the menu
      bar is selected with the mouse.

The virus works under both System 6 and System 7.

If you have downloaded any files from an archive site recently,
especially games, please do not use them or distribute copies of them
to anyone else until you are certain they are not infected.
Furthermore, we very strongly recommend that you DO NOT get any files
from the archive sites until the moderators at those sites have had an
opportunity to remove any infected files.

Currently, the virus is not found by (or evades) most anti-virus
tools.  Authors of all the major Macintosh anti-virus tools --
including commercial products such as SAM, Rival and Virex, and
shareware and freeware programs such as Disinfectant, Gatekeeper, and
Virus Detective -- have been informed of this new virus.  All are
planning to release updates to their software within the next few
days.  These releases will be through the normal distribution
channels.

Specific information on some of these products follows:
 
    Tool: Disinfectant
    Revision to be released: 2.6
    Where to find: usual archive sites and bulletin boards --
                   ftp.acns.nwu.edu, sumex-aim.stanford.edu,
                   rascal.ics.utexas.edu, AppleLink, 
                   America Online, CompuServe, Genie, Calvacom,
                   MacNet, Delphi, comp.binaries.mac
    When available: (expected) late 2/21/92

    Tool: Rival
    Revision to be released: 1.1.10
    Where to find it: AppleLink, America Online, Internet, CompuServe.
    When available: 2/21/92
    Other info: The only change with 1.1.9 is the ability to detect
                this vaccine (MBDF A).

    Tool: Virex INIT and application
    Revision to be released: 3.6 (for both products)
    Where to find: Microcom, Inc (919) 490-1277
    When available: User definable virus string available 2/21/92
                    3.6 versions available 2/24/92
    Comments:
    Virex 3.6 (app and INIT) will detect and repair the virus.  All
    Virex subscribers will automatically be sent an update on
    diskette.  All other registered users will receive a notice with
    information on how to update prior versions so that they will 
    be able to detect MBDF.  This information is also available on 
    Microcom's BBS, (919) 419-1602.

    Tool: Virus Detective
    Revision to be released: 5.0.1
    Where to find: Usual bulletin boards will announce a new search
                   string.  Registered users will also get a mailing 
                   with the new search string.
    When available: now (2/20/92) 
    Comments: search string is 
              "Resource MBDF & ID=0 & WData A9ABA146*4446#4A9A0"
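
As an added example (not part of the bulletin and not Virus Detective's
code), the first two terms of the search string above, resource type MBDF
and ID 0, can be checked directly against a file's resource fork.  It
assumes the standard Macintosh resource fork layout; the WData term is not
implemented because the bulletin does not describe its syntax, and
find_resources and build_fork are names chosen for this example.

```python
import struct

def find_resources(fork: bytes, want_type: bytes, want_id: int):
    """Return (data_offset, length) for each resource of want_type/want_id."""
    hits = []
    try:
        # Fork header: data offset, map offset, data length, map length.
        data_off, map_off, data_len, map_len = struct.unpack(">IIII", fork[:16])
        if data_off + data_len > len(fork) or map_off + map_len > len(fork):
            return []                      # truncated or malformed fork
        # Map: 24 reserved bytes, then offsets to the type list and name list.
        (tl_rel,) = struct.unpack(">H", fork[map_off + 24:map_off + 26])
        tl = map_off + tl_rel
        (n_types_m1,) = struct.unpack(">H", fork[tl:tl + 2])
        for t in range((n_types_m1 + 1) & 0xFFFF):   # 0xFFFF means "no types"
            rtype, n_res_m1, ref_rel = struct.unpack(
                ">4sHH", fork[tl + 2 + 8 * t:tl + 10 + 8 * t])
            if rtype != want_type:
                continue
            for r in range(n_res_m1 + 1):
                ref = tl + ref_rel + 12 * r
                # Reference entry: id, name offset, 1 attribute byte + 3-byte data offset.
                rid, _name, attr_off = struct.unpack(">hHI", fork[ref:ref + 8])
                if rid == want_id:
                    start = data_off + (attr_off & 0xFFFFFF)
                    (length,) = struct.unpack(">I", fork[start:start + 4])
                    hits.append((start + 4, length))
    except struct.error:
        return []                          # offsets pointed outside the fork
    return hits

def build_fork(rtype: bytes, rid: int, payload: bytes) -> bytes:
    """Constructed one-resource fork for testing; not a real sample."""
    data = struct.pack(">I", len(payload)) + payload
    type_list = struct.pack(">H4sHH", 0, rtype, 0, 10)       # 1 type, 1 resource
    ref = struct.pack(">hHI", rid, 0xFFFF, 0) + b"\0" * 4    # unnamed, data at 0
    res_map = b"\0" * 24 + struct.pack(">HH", 28, 50) + type_list + ref
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(res_map))
    return header + b"\0" * 240 + data + res_map

if __name__ == "__main__":
    sample = build_fork(b"MBDF", 0, b"constructed test bytes")
    print(find_resources(sample, b"MBDF", 0))
```

A match on these two terms alone marks a file for closer inspection; the
search string's third term is what narrows it further.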


Special thanks to the people at Claris who included self-check code
in their Macintosh software products.  Their foresight resulted in
an early detection of the virus and has thus helped the entire Mac
community.  We strongly encourage other vendors to consider doing the
same with their products.

The SCC wishes to acknowledge Mr. Gene Spafford of Purdue University
as the author of this document.

****************************************************************************

The point of contact for MILNET security-related incidents is the
Security Coordination Center (SCC).

E-mail address: SCC@NIC.DDN.MIL

Telephone: 1-(800)-365-3642
           NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,
           Monday through Friday except on federal holidays.

****************************************************************************



