
Macintosh INIT 1984 Virus Discovered

Security Bulletin 9210                  DISA Defense Communications System
March 19, 1992              Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities.  Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL []
using login="anonymous" and password="guest".  The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. scc/ddn-security-9210).

              *** Macintosh INIT 1984 Virus Discovered ***

Virus: INIT 1984
Damage: high
Spread: minimal
Systems affected: Apple Macintosh computers. All types. 

A new virus, which has been designated "INIT 1984", has been
discovered on Apple Macintosh computer systems. This virus is designed
to trigger if an infected system is booted on any Friday the 13th in
1991 or later years. Damage from the virus includes changing the names
and attributes of a large number of folders and files to random
strings and the actual deletion of a small percentage (< 2%) of files.

The virus infects only system extensions of type "INIT" (also known as
"startup documents"). It does not infect the System file, desktop
files, control panel files, applications, or document files. Because
INIT files are shared less frequently than are applications, and
because of the structure of the virus code, the INIT 1984 virus does
not spread as rapidly as most other viruses.

As of the date of this announcement (3/19/92), we have only a few
reported sightings of this virus, including one from a site in Europe
and one from a site in the USA. In both cases, the virus caused
significant damage when infected Macintoshes were restarted on Friday,
3/13/92. Because only a few reports of damage were received, we have
reason to believe that the virus is not widespread. However, it is
conceivable that this virus might have affected Macintosh systems on
Friday 9/13/91 or Friday 12/13/91 without being recognized as the
cause of the damage.  If you think you may have been a victim of this
virus in 1991, please contact me via e-mail at spaf@cs.purdue.edu.
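The trigger condition described above can be checked against a boot or
damage-report date. The following is an added example, not part of the
original bulletin or of any anti-virus tool named in it; the function names
and the sample report list are constructed for illustration.

```python
from datetime import date, timedelta

FIRST_TRIGGER_YEAR = 1991  # bulletin: "any Friday the 13th in 1991 or later years"

def is_trigger_date(d: date) -> bool:
    """True if a boot on date d meets the trigger condition in the bulletin."""
    return d.year >= FIRST_TRIGGER_YEAR and d.day == 13 and d.weekday() == 4

def trigger_dates(start: date, end: date) -> list[date]:
    """All trigger dates in [start, end]; only the 13th of each month is tested."""
    found = []
    year, month = start.year, start.month
    while (year, month) <= (end.year, end.month):
        candidate = date(year, month, 13)
        if start <= candidate <= end and is_trigger_date(candidate):
            found.append(candidate)
        month += 1
        if month > 12:
            year, month = year + 1, 1
    return found

def next_trigger_date(after: date) -> date:
    """First trigger date strictly after the given date."""
    start = max(after + timedelta(days=1), date(FIRST_TRIGGER_YEAR, 1, 1))
    # Every calendar year contains at least one Friday the 13th,
    # so a two-year window always holds a result.
    return trigger_dates(start, date(start.year + 2, 1, 1))[0]

def suspect_reports(reports):
    """Keep the (host, date) damage reports whose date is a trigger date."""
    return [(host, d) for host, d in reports if is_trigger_date(d)]

# Constructed sample data: hosts and dates are invented for this example.
SAMPLE_REPORTS = [
    ("mac-lab-01", date(1991, 9, 13)),
    ("mac-lab-02", date(1991, 10, 13)),
    ("mac-ed-07", date(1991, 12, 13)),
    ("mac-ed-09", date(1992, 3, 12)),
]

if __name__ == "__main__":
    for d in trigger_dates(date(1991, 1, 1), date(1992, 12, 31)):
        print("trigger date:", d.isoformat())
    print("next after bulletin date:", next_trigger_date(date(1992, 3, 19)))
    for host, d in suspect_reports(SAMPLE_REPORTS):
        print("review for INIT 1984 damage:", host, d.isoformat())
```

Unexplained file or folder renaming reported on one of the listed dates is
a candidate for review with an updated anti-virus tool.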

The current versions of Gatekeeper and SAM Intercept (in advanced and
custom mode) are effective against this virus.  Either program should
generate an alert if the virus is present and attempts to spread to
other files.

The virus affects all types of Macintosh computers. It spreads and
attacks under both System 6 and System 7. On very old Macintoshes
(those with the 64K ROMs), the virus will cause crashes at boot time.

Authors of all major Macintosh anti-virus tools are planning updates
to their tools to locate and/or eliminate this virus. Some of these
are listed below. We recommend that you obtain and run an updated
version of at least one of these programs.

Some specific information on updated Mac anti-virus products follows:

    Tool: Disinfectant
    Status: Free software (courtesy of Northwestern University and
            John Norstad)
    Revision to be released: 2.7
    Where to find: usual archive sites and bulletin boards --
                   ftp.acns.nwu.edu, sumex-aim.stanford.edu,
                   rascal.ics.utexas.edu, AppleLink, America Online,
                   CompuServe, Genie, Calvacom, MacNet, Delphi,
    When available: (expected) 3/18/92

    Tool: Gatekeeper
    Status: Free software (courtesy of Chris Johnson)
    Revision to be released: 1.2.5
    Where to find: usual archive sites and bulletin boards --
                   microlib.cc.utexas.edu, sumex-aim.stanford.edu,
                   rascal.ics.utexas.edu, comp.binaries.mac
    When available: (expected) 3/20/92

    Tool: Rival
    Status: Commercial software
    Revision to be released: INIT 1984 Vaccine
    Where to find it: AppleLink, America Online, Internet, CompuServe.
    When available: Immediately.

    Tool: SAM (Virus Clinic and Intercept)
    Status: Commercial software
    Revision to be released: 3.0.7
    Where to find: CompuServe, America Online, AppleLink, Symantec's
                   Bulletin Board @ 408-973-9598
    When available: Immediately.  Version 3.0.7 of the Virus
                    Definitions file is also available.

    Tool: Virex INIT
    Status: Commercial software
    Revision to be released: 3.7 
    Where to find: Microcom, Inc (919) 490-1277 
    When available: Immediately.
    Virex 3.7 will detect and repair the virus. All
    Virex subscribers will automatically be sent an update on
    diskette. All other registered users will receive a notice with
    information to update prior versions to be able to detect
    INIT-1984. This information is also available on Microcom's BBS.
    (919)419-1602, and is given below.

    Virus Name: INIT 1984    Guide Number: 5275840
    Virus Code: 0049  4E49  5410  07C0  96
                3008  1490  7710  002F  2C
                3C49  4E49  5400  0300  1E
                4AA9  AB55  4F81  8090  9A

    Tool: Virus Detective
    Status: Shareware
    Revision to be released: 5.0.3
    Where to find: Usual bulletin boards will announce a new search string.
                   Registered users will also get a mailing
                   with the new search string.
    When available: Immediately.
    Comments: search string is

Resource INIT & Size<4500 & WData 494E#EA994*4954#8A9AB ; For finding INIT1984

     The SCC wishes to acknowledge Mr. Gene Spafford of Purdue University
     as the author of this document.

  *                                                                          *
  *    The point of contact for MILNET security-related incidents is the     *
  *    Security Coordination Center (SCC).                                   *
  *                                                                          *
  *               E-mail address: SCC@NIC.DDN.MIL                            *
  *                                                                          *
  *               Telephone: 1-(800)-365-3642                                *
  *                                                                          *
  *    NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,   *
  *    Monday through Friday except on federal holidays.                     *
  *                                                                          *
