SECURITY BULLETIN 9414
Vladimir Vrabec
vrabec at cs.felk.cvut.cz
Thu May 12 12:55:36 CEST 1994
Dear friends,
We know NIC.DDN.MIL as the former information centre of the Internet. Since its functions were taken over by the computers of the "internic.net" domain, we have slowly been forgetting it. The attached files
FTP://anonymous:guest@nic.ddn.mil/scc/ddn-security-9414.
FTP://anonymous:guest@nic.ddn.mil/scc/ddn-security.index
are a reminder that it is still useful today. Regards,
Vladimir Vrabec
==========================================================================
FTP://anonymous:guest@nic.ddn.mil/scc/ddn-security-9414.
==========================================================================
Date: Mon, 9 May 1994 07:33:17 -0400
Subject: DDN Security Bulletin - 9414
**************************************************************************
Security Bulletin 9414
May 6, 1994
DISA Defense Communications System
Published by: DDN Security Coordination Center (SCC at NIC.DDN.MIL), 1-(800) 365-3642
DEFENSE DATA NETWORK
SECURITY BULLETIN
The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
using login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. scc/ddn-security-9302).
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the NASA !
! Automated Systems Incident Response Capability team and is being !
! relayed unedited via the Defense Information Systems Agency's !
! Security Coordination Center distribution system as a means !
! of providing DDN subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
The following bulletin was released to the NASA community by NASIRC:
NASIRC BULLETIN #94-17 May 5, 1994
Dangerous New DOS Trojan ("CD-IT.ZIP") Found
===========================================================
__ __ __ ___ ___ ____ ____
/_/\ /_/| /_/ / _/\ /_/| / __/ \ / __/\
| |\ \| || / \ \ | /\/ | || | /\ \/ | | \/
| ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | |
| || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
|_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/
NASA Automated Systems Incident Response Capability
===========================================================
NASIRC recently received information about a potential "trojan horse"
program being distributed on the Internet as "CD-IT.ZIP"
SYSTEMS AFFECTED:
This trojan apparently only runs on "IBM compatible" systems; DOS is
definitely susceptible, and Windows might be.
THE PROBLEM:
According to information posted in several Clarinet newsgroups, a new
and dangerous trojan is showing up at publicly-accessible Internet
sites. This trojan, called CD-IT.ZIP, supposedly gives your PC full
read/write capabilities on its CD-ROM drive. The CD-IT documentation
states the program was authored by Joseph S. Shiner, couriered by HDA
and copyrighted by Chinon Products. The problem came to light when a
user who had downloaded the file from a FidoNet server in Baltimore,
MD, realized that it is IMPOSSIBLE to make a standard CD-ROM drive
writable with a small software utility and reported it to Chinon.
Other suspicious indicators were obscenities in the documentation and
a line indicating that HDA stands for "Haven't Decided a Name Yet."
In a statement to Newsbytes, Chinon America stated it has no division
as named in the documentation. Chinon engineers also report that if
CD-IT is actually run, it locks up the computer; it will then remain
in memory (even after reboot) and will corrupt critical system files
on the hard disk as well as any available network volumes. Chinon's
R&D Director stated that he has not heard of any systems that have
(yet) been affected by this trojan.
THE FIX:
Although there is no real "fix" for a trojan or virus, there are two
important points NASIRC wishes to make:
1) DO NOT DOWNLOAD THE FILE "CD-IT.ZIP" FROM ANY ON-LINE ARCHIVES!
2) DO NOT RUN THE "CD-IT" UTILITY!
Once a system is infected, the only way to eradicate the virus is to
perform a high-level reformat of the hard drive!
To quote the Clarinet post, "Chinon is encouraging anyone who might
have information that could lead to the arrest and prosecution of the
parties responsible for CD-IT to call the company at 310-533-0274. In
addition, the company has notified the major distributors of virus
protection software, such as Symantec and McAfee Associates, so they
may update their programs to detect and eradicate CD-IT."
NASIRC will continue to monitor this situation and will post additional
information should it become necessary. If you have any questions about
this bulletin, please contact NASIRC via any of the venues below.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: Hank Middleton of NASA's Goddard Space Flight
Center for notifying NASIRC of this situation.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
===============================================================
For further assistance, please contact the NASIRC Helpdesk:
Phone: 1-800-7-NASIRC Fax: 1-301-441-1853
Internet Email: nasirc at nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
STU III: 1-301-982-5480
===============================================================
This bulletin may be forwarded without restriction to sites and
system administrators within the NASA community.
The NASIRC online archive system is available via anonymous ftp.
You will be required to enter your valid e-mail address as the
"password". Once on the system, you can access the following
information:
~/bulletins ! contains NASIRC bulletins
~/information ! contains various informational files
~/toolkits ! contains automated toolkit software
The contents of these directories are updated on a continuous
basis with relevant software and information; contact the NASIRC
Helpdesk for more information or assistance.
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal
NASA team(s) are notified. NASIRC is a member of the Forum of
Incident Response and Security Teams (FIRST), a world-wide organization
which provides for coordination between incident response teams
in handling computer-security-related issues. You can obtain a list
of FIRST member organizations and their constituencies by sending
email to docserver at first.org with an empty "subject" line and a
message body containing the line "send first-contacts".
****************************************************************************
* *
* The point of contact for MILNET security-related incidents is the *
* Security Coordination Center (SCC). *
* *
* E-mail address: SCC at NIC.DDN.MIL *
* *
* Telephone: 1-(800)-365-3642 *
* *
* NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, *
* Monday through Friday except on federal holidays. *
* *
****************************************************************************
PLEASE NOTE: Many users outside of the DOD computing communities receive
DDN Security bulletins. If you are not part of the DOD community, please
contact your agency's incident response team to report incidents. Your
agency's team will coordinate with DOD. The Forum of Incident Response and
Security Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained by sending email to
docserver at first.org with an empty subject line and a message body containing
the line: send first-contacts.
This document was prepared as a service to the DOD community. Neither the
United States Government nor any of its employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government. The opinions of the authors expressed herein
do not necessarily state or reflect those of the United States Government,
and shall not be used for advertising or product endorsement purposes.
----- End forwarded message
==========================================================================
==========================================================================
FTP://anonymous:guest@nic.ddn.mil/scc/ddn-security.index
==========================================================================
;[ddn-security.index] [6-92]
8901 22-Sep-89 DDN SECURITY COORDINATION CENTER OPERATIONAL
8902 05-Oct-89 COLUMBUS DAY / OCTOBER 12TH / FRIDAY THE 13TH / DATACRIME VIRUS
8903 18-Oct-89 W.COM ("WANK") WORM ON SPAN NETWORK
8904 23-Oct-89 HALLOWEEN PRECAUTIONARY NOTE
8905 23-Oct-89 ULTRIX 3.0 BREAK-IN ATTEMPTS
8906 1-Nov-89 SUN RCP VULNERABILITY
9001 25-Jan-90 SECURITY VIOLATION REPORTING
9002 30-Jan-90 SUN SENDMAIL VULNERABILITY
9003 15-Feb-90 SECURITY VIOLATION REPORTING
9004 2-Mar-90 COMPUTER SYSTEM "WELCOME" BANNERS
9005 20-Mar-90 INTERNET INTRUDER WARNING
9006 27-Mar-90 PRECAUTIONARY NOTE
9007 9-Apr-90 FEDERAL INFORMATION PROCESSING STANDARDS AVAILABLE ONLINE
9008 7-May-90 UNISYS U5000 /etc/passwd PROBLEM
9009 16-Aug-90 SunView selection_svc vulnerability
9010 16-Aug-90 Sun Microsystems Customer Warning System Established
9011 3-Oct-90 NeXT's System Software: Four Problems
9012 29-Oct-90 VMS SECURITY PROBLEM
9101 22-Feb-91 SunOS /bin/mail Vulnerability
9102 25-Feb-91 REVISED SunOS /bin/mail Vulnerability
9103 27-Mar-91 Patch Available for SunOS in.telnetd
9104 5-Apr-91 Unauthorized Password Change Requests Via Mail Messages
9105 20-Apr-91 Alert Regarding Masquerading Activities
9106 1-May-91 DEC Ultrix chroot Vulnerability
9107 20-May-91 NeXT rexd, /private/etc, Username me Vulnerabilities
9108 23-May-91 AT&T System V Release 4 /bin/login Vulnerability
9109 23-Jul-91 Patch for SunOS /usr/etc/rpc.mountd
9110 23-Jul-91 Patch for SunOS /usr/lib/lpd
9111 15-Aug-91 ULTRIX LAT/Telnet Gateway Vulnerability
9112 23-Aug-91 Trusted Hosts Configuration Vulnerability
9113 23-Aug-91 DEC ULTRIX /usr/bin/mail Vulnerability
9114 27-Aug-91 SGI "IRIX" /usr/sbin/fmt Vulnerability
9115 11-Sep-91 Mac/PC NCSA Telnet Vulnerability
9116 16-Sep-91 New Patch for SunOS /usr/lib/lpd
9117 18-Sep-91 SunOS SPARC Integer Division Vulnerability
9118 1-Oct-91 Vulnerability of DECnet-Internet gateway software in DEC ULTRIX
9119 1-Oct-91 Active Internet tftp Attacks
9120 21-Oct-91 Re-registration of TAC Users
9121 21-Oct-91 AIX TFTP Daemon Vulnerability
9122 23-Oct-91 /usr/ucb/rdist Vulnerability
9123 7-Nov-91 NETWORK SECURITY TESTING AND MONITORING
9124 5-Dec-91 CERT/CC Generic Security Information
9125 9-Dec-91 SunOS NFS Jumbo and fsirand Patches
9126 19-Dec-91 SunOS OpenWindows V3.0 Patch
9127 19-Dec-91 Hewlett Packard/Apollo Domain/OS crp Vulnerability
9201 22-Jan-92 NeXTstep Configuration Vulnerability
9202 23-Jan-92 TAC Security
9203 4-Feb-92 REGISTRATION OF TAC USERS
9204 10-Feb-92 Michelangelo PC Virus Warning
9205 17-Feb-92 Internet Intruder Activity
9206 24-Feb-92 New Macintosh Virus Discovered
9207 26-Feb-92 AT&T /usr/etc/rexecd Vulnerability
9208 9-Mar-92 AIX REXD Daemon Vulnerability
9209 19-Mar-92 AIX uucp Vulnerability
9210 19-Mar-92 Macintosh INIT 1984 Virus Discovered
9211 1-Apr-92 AIX /bin/passwd Vulnerability
9212 15-Apr-92 Silicon Graphics Computer Systems "IRIX" lp Vulnerability
9213 29-Apr-92 AIX Anonymous FTP Vulnerability
9214 27-May-92 AIX Crontab Vulnerability
9215 27-May-92 SunOS Environment Variables and setuid/setgid Vulnerability
9216 28-May-92 REVISED Patch for SunOS /usr/etc/rpc.mountd Vulnerability
9217 8-Jun-92 SunOS NIS Vulnerability
9218 23-Jun-92 Altered System Binaries Incident
9219 22-Jul-92 Multiple SunOS Vulnerabilities Patched
9220 28-Jul-92 Corrupted Versions of PKZIP Utilities
9221 14-Aug-92 Virus Alert - Aliens4
9222 25-Aug-92 Aliens4 - Epilogue
9223 24-Sep-92 VMS Monitor Vulnerability
9224 6-Oct-92 Hewlett-Packard NIS ypbind Vulnerability
9225 7-Oct-92 TAC Access Control Policy Circular Announcement
9226 19-Nov-92 Revised VMS Monitor Vulnerability - Supersedes 9223
9227 11-Dec-92 Cisco Access List Vulnerability
9228 17-Dec-92 ConvexOS and ConvexOS/Secure Vulnerabilities
9301 14-Jan-93 Revised HP NIS ypbind Vulnerability - Supersedes 9224
9302 21-Jan-93 NeXT NetInfo "_writers" Vulnerabilities
9303 22-Jan-93 NeXT NetInfo "_writers" Vulnerabilities (REVISED)
9304 8-Feb-93 SunOS File/Directory Permissions
9305 16-Feb-93 Commodore Amiga UNIX finger Vulnerability
9306 18-Feb-93 Commodore Amiga UNIX finger Vulnerability (REVISED)
9307 24-Feb-93 OpenVMS and OpenVMS AXP Vulnerability
9308 26-Mar-93 PASSWORD MANAGEMENT
9309 9-Apr-93 wuarchive ftpd Vulnerability
9310 30-Apr-93 Cisco Router Packet Handling Vulnerability
9311 24-May-93 SCO /bin/passwd Vulnerability
9312 16-Jun-93 SunOS/Solaris /usr/lib/expreserve Vulnerability
9313 2-Jul-93 REVISION NOTICE: SunOS/Solaris /usr/lib/expreserve Vulnerability
9314 14-Jul-93 Anonymous FTP Activity
9315 9-Aug-93 UMN UNIX gopher and gopher+ Vulnerabilities
9316 16-Sep-93 Novell LOGIN.EXE Vulnerability
9317 20-Sep-93 SCO Home Directory Vulnerability
9318 30-Sep-93 Automated Scanning of Network Vulnerabilities
9319 22-Oct-93 /usr/lib/sendmail, /bin/tar, and /dev/audio Vulnerabilities
9320 5-Nov-93 Sendmail Vulnerability
9321 12-Nov-93 xterm Logging Vulnerability
9322 15-Dec-93 SunOS/Solbourne loadmodule and modload Vulnerability
9323 16-Dec-93 Solaris System Startup Vulnerability
9324 22-Dec-93 Release of Security Profile Inspector (SPI) Version 3.0
9401 7-Jan-94 Sendmail Vulnerability
9402 3-Feb-94 Ongoing Network Monitoring Attacks
9403 4-Feb-94 ASSIST: Ongoing network monitoring attacks
9404 6-Feb-94 ASSIST: Addendum to ASSIST bulletin 94-02, ASSIST 94-02A
9405 14-Feb-94 Revised Patch for SunOS /usr/etc/rpc.mountd Vulnerability
9406 15-Feb-94 ASSIST: Actions to be taken by DoD systems affected by
the recent MILNET/Internet intrusions detailed in
ASSIST Bulletin 94-02
9407 22-Feb-94 ASSIST: IBM Antivirus Release 1.04 available for Use
by DoD personnel, first update issued 10 Jan 94
9408 24-Feb-94 IBM AIX Performance Tools Vulnerabilities
9409 14-Mar-94 ASSIST: Vulnerability in cc:Mail 2.0 and 2.1 for Windows
9410 21-Mar-94 MD5 Checksums
9411 21-Mar-94 Writable /etc/utmp Vulnerability
9412 6-Apr-94 Wuarchive ftpd Trojan Horse
9413 14-Apr-94 ftpd Vulnerabilities
9414 6-May-94 Dangerous New DOS Trojan ("CD-IT.ZIP") Found
9415 6-May-94 Macintosh Virus Found on American Vacuum Society
CD-ROM
9416 10-May-94 ASSIST: nVir A Virus Found on CD-ROM
9417 10-May-94 ASSIST: Security vulnerability in Hewlett Packard (HP) UX systems
==========================================================================
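The bulletin header describes how back issues are retrieved (anonymous FTP from NIC.DDN.MIL, pathname scc/ddn-security-yynn), and the ddn-security.index file above lists every issue as "yynn d-Mon-yy Title", with long titles wrapped onto following lines. The script below is an added example, not part of the bulletin or of the SCC's own tooling: it parses index lines into records, joins wrapped titles, derives each issue's FTP pathname from the yynn convention, and flags entries whose id disagrees with the issue date or whose numbering goes backwards within a year (a quick integrity check on a downloaded index). The sample text is constructed from lines of the index shown above; the indentation of the continuation lines is an assumption, since the page has had leading whitespace stripped.

```python
"""Parse the DDN SCC bulletin index and derive FTP pathnames from the
scc/ddn-security-yynn convention.  Added example; not part of the original
bulletin or index file."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample taken from the index above.  The wrapped entries (9406,
# 9415) are assumed to continue on indented lines, as in the index file.
SAMPLE_INDEX = """\
;[ddn-security.index] [6-92]
8901 22-Sep-89 DDN SECURITY COORDINATION CENTER OPERATIONAL
9406 15-Feb-94 ASSIST: Actions to be taken by DoD systems affected by
     the recent MILNET/Internet intrusions detailed in
     ASSIST Bulletin 94-02
9412 6-Apr-94 Wuarchive ftpd Trojan Horse
9414 6-May-94 Dangerous New DOS Trojan ("CD-IT.ZIP") Found
9415 6-May-94 Macintosh Virus Found on American Vacuum Society
     CD-ROM
"""

# id = yy (year) + nn (bulletin number), then a d-Mon-yy date, then the title
ENTRY_RE = re.compile(r"^(\d{2})(\d{2})\s+(\d{1,2}-[A-Za-z]{3}-\d{2})\s+(\S.*)$")


@dataclass
class Bulletin:
    year: int      # "yy" part of the id
    number: int    # "nn" part of the id
    issued: date
    title: str

    @property
    def bulletin_id(self) -> str:
        return f"{self.year:02d}{self.number:02d}"

    @property
    def ftp_path(self) -> str:
        # Pathname relative to the anonymous FTP root on NIC.DDN.MIL
        return f"scc/ddn-security-{self.bulletin_id}"


def parse_index(text: str) -> list[Bulletin]:
    """Turn the index text into Bulletin records, joining wrapped titles."""
    bulletins: list[Bulletin] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(";"):
            continue  # blank line or the ";[...]" file header
        m = ENTRY_RE.match(line)
        if m:
            yy, nn, when, title = m.groups()
            issued = datetime.strptime(when, "%d-%b-%y").date()
            bulletins.append(Bulletin(int(yy), int(nn), issued, title.strip()))
        elif bulletins:
            # No id at the start: a wrapped continuation of the previous title
            bulletins[-1].title += " " + line.strip()
        else:
            raise ValueError(f"continuation line before first entry: {line!r}")
    return bulletins


def find_bulletin(bulletins: list[Bulletin], bulletin_id: str) -> Bulletin | None:
    """Look up one issue by its four-digit yynn id."""
    return next((b for b in bulletins if b.bulletin_id == bulletin_id), None)


def check_numbering(bulletins: list[Bulletin]) -> list[str]:
    """Report entries whose id disagrees with the issue date or whose number
    does not increase within a year (a typo, or an index that was edited)."""
    problems: list[str] = []
    previous: Bulletin | None = None
    for b in bulletins:
        if b.issued.year % 100 != b.year:
            problems.append(f"{b.bulletin_id}: id year differs from issue date {b.issued}")
        if previous and previous.year == b.year and b.number <= previous.number:
            problems.append(f"{b.bulletin_id}: number does not increase after {previous.bulletin_id}")
        previous = b
    return problems


if __name__ == "__main__":
    issues = parse_index(SAMPLE_INDEX)
    for b in issues:
        print(b.bulletin_id, b.issued, b.ftp_path, b.title)
    print("problems:", check_numbering(issues))
```

Running the script prints one line per issue with its derived pathname (bulletin 9414 maps to scc/ddn-security-9414, the file relayed above) and an empty problem list for the sample; feeding it the full index retrieved from the server gives the same check over every issue.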