MSG: *MSG 6491
DISTRIB: *BBOARD
EXPIRES: 10/12/89 21:49:53
Received: from lcs.mit.edu (CHAOS 15044) by AI.AI.MIT.EDU 5 Oct 89 21:49:51 EDT
Received: from BITSY.MIT.EDU by mintaka.lcs.mit.edu id aa18636; 5 Oct 89 21:41 EDT
Received: from PADDINGTON.MIT.EDU by BITSY.MIT.EDU with SMTP id AA07893; Thu, 5 Oct 89 21:41:45 -0400
From: "Ron M. Hoffmann"
Received: by PADDINGTON.MIT.EDU (5.61/4.7) id AA22147; Thu, 5 Oct 89 21:41:38 -0400
Date: Thu, 5 Oct 89 21:41:38 -0400
Message-Id: <8910060141.AA22147@PADDINGTON.MIT.EDU>
To: MIT Network Users
Cc: bboard@lcs.mit.edu, gii@delphi.mit.edu, infosys@mit.edu
Subject: [DDN Security Bulletin 02] - Columbus Day MS/DOS-PC virus

This may be of general interest to members of the MIT Community; please circulate this information.

In addition, a copy of the referenced paper: "Computer Viruses and Related Threats..." is available via anonymous FTP from bitsy.mit.edu and is stored in the file "/netusers/nist-001". It is 108Kbytes long.

-Ron Hoffmann
MIT Network Group

**********************************************************************
DDN Security Bulletin 02        DCA DDN Defense Communications System
05 Oct 89                       Published by: DDN Security Coordination Center
                                (SCC@NIC.DDN.MIL) (800) 235-3155

DEFENSE DATA NETWORK SECURITY BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DCA contract as a means of communicating information on network and host security exposures, fixes, & concerns to security & management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [26.0.0.73 or 10.0.0.51] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-nn (where "nn" is the bulletin number).
**********************************************************************

COLUMBUS DAY / OCTOBER 12TH / FRIDAY THE 13TH / DATACRIME VIRUS

1. Recently, there has been considerable attention given to a family of MS/DOS-PC viruses with many names: Columbus Day, October 12th (later redesignated October 13th), Friday the 13th, and DataCrime. According to the Computer Virus Industry Association, there have been only SEVEN confirmed U.S. "sightings" to date. Based on this, there may be only a few dozen sites affected.

2. Normally the SCC would not be involved with a personal computer virus incident (unless it was propagated via the DDN). However, this virus has received extensive media coverage, necessitating a DDN Security Bulletin to answer some commonly asked questions.

+ + + + + + + + + + + + + + + + + + + + + + + +

Q: What is known about this Columbus Day/DataCrime virus?

A: There are several variants of DataCrime. They are designated "1168", "1280", and "DataCrime II" (or "1514"); this naming convention is based on the number of bytes each added to the .COM files it has infected. DataCrime II infects both .EXE and .COM files.

Q: How does DataCrime spread?

A: The DataCrime Viruses are designed to infect via diskette sharing. There is no network component (unlike the infamous November Internet Worm), therefore they CANNOT traverse the DDN unassisted. The only way a DataCrime virus can be spread through a network is by FTP'ing an infected file into a PC and running it.

Q: What is the result?

A: On or after Friday, 13 October 1989, these software timebombs will reformat cylinder 0 of any infected hard disk (drive C:) and display the message, "DATACRIME VIRUS RELEASED: 1 MARCH 1989". The infected PC cannot boot from drive C:, and all data on it is unreachable.

Q: How can DataCrime (and other viruses) be stopped?

A: The National Institute of Standards and Technology (NIST) has recently issued guidelines for controlling malicious software in various computer environments, including PCs and networks. The SCC has obtained an electronic copy of NIST Special Publication 500-166, "Computer Viruses and Related Threats: A Management Guide" by John P. Wack and Lisa J. Carnahan. It may be obtained via FTP (or Kermit) from NIC.DDN.MIL [26.0.0.73 or 10.0.0.51] using login="anonymous" and password="guest". The pathname is SCC:NIST-001.

**********************************************************************
-------
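The following is an added example, not part of the bulletin or of any SCC or NIST material. It uses the bulletin's naming convention (variants named for the bytes they add to .COM files) as a size-drift check against a known-good manifest. The function names and the sample manifests are hypothetical and constructed for illustration.

```python
import os

# Growth in bytes per variant, as given in the bulletin (observed on .COM files).
COM_GROWTH = {1168: "DataCrime 1168", 1280: "DataCrime 1280", 1514: "DataCrime II (1514)"}
EXECUTABLE_EXTS = (".com", ".exe")


def snapshot(root):
    """Map relative path -> size for every .COM/.EXE file under root."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_EXTS):
                full = os.path.join(dirpath, name)
                sizes[os.path.relpath(full, root).upper()] = os.path.getsize(full)
    return sizes


def compare(baseline, current):
    """Return sorted (path, delta, verdict) for executables whose size changed."""
    findings = []
    for path, new_size in current.items():
        if path not in baseline:
            continue  # new file: no known-good size to compare against
        delta = new_size - baseline[path]
        if delta == 0:
            continue
        is_com = path.lower().endswith(".com")
        if is_com and delta in COM_GROWTH:
            verdict = "growth matches " + COM_GROWTH[delta]
        elif not is_com and delta > 0:
            # Only DataCrime II infects .EXE; the bulletin gives byte counts for
            # .COM files only, so no exact-size match is attempted here.
            verdict = "EXE grew; possible DataCrime II, inspect"
        else:
            verdict = "size changed; cause unknown"
        findings.append((path, delta, verdict))
    return sorted(findings)


# Constructed sample manifests (not real measurements).
BASELINE = {"COMMAND.COM": 25307, "FORMAT.COM": 11616, "EDIT.COM": 4000, "WP.EXE": 250000}
CURRENT = {"COMMAND.COM": 25307, "FORMAT.COM": 12784, "EDIT.COM": 5514, "WP.EXE": 251600,
           "NEW.COM": 900}

if __name__ == "__main__":
    for path, delta, verdict in compare(BASELINE, CURRENT):
        print(f"{path}: {delta:+d} bytes -> {verdict}")
```

A size match is only a lead for closer inspection: an unrelated change can add the same number of bytes, and a file with no baseline entry is not evaluated at all.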