**********************************************************************
DDN Security Bulletin 02                DCA DDN Defense Communications System
                                                                  05 Oct 89
Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL)
              (800) 235-3155

                     DEFENSE DATA NETWORK SECURITY BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DCA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities.

Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [26.0.0.73 or 10.0.0.51] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-nn (where "nn" is the bulletin number).
**********************************************************************

        COLUMBUS DAY / OCTOBER 12TH / FRIDAY THE 13TH / DATACRIME VIRUS

1. Recently, there has been considerable attention given to a family of MS-DOS PC viruses with many names: Columbus Day, October 12th (later redesignated October 13th), Friday the 13th, and DataCrime. According to the Computer Virus Industry Association, there have been only SEVEN confirmed U.S. "sightings" to date. Based on this, there may be only a few dozen sites affected.

2. Normally the SCC would not be involved with a personal computer virus incident (unless it was propagated via the DDN). However, this virus has received extensive media coverage, necessitating a DDN Security Bulletin to answer some commonly asked questions.

+ + + + + + + + + + + + + + + + + + + + + + + +

Q: What is known about this Columbus Day/DataCrime virus?

A: There are several variants of DataCrime. They are designated "1168", "1280", and "DataCrime II" (or "1514"); this naming convention is based on the number of bytes each variant adds to the .COM files it infects. DataCrime II infects both .EXE and .COM files.

Q: How does DataCrime spread?

A: The DataCrime viruses are designed to infect via diskette sharing. There is no network component (unlike the infamous November Internet Worm), therefore they CANNOT traverse the DDN unassisted. The only way a DataCrime virus can be spread through a network is by FTP'ing an infected file onto a PC and running it.

Q: What is the result?

A: On or after Friday, 13 October 1989, these software timebombs will reformat cylinder 0 of any infected hard disk (drive C:) and display the message, "DATACRIME VIRUS RELEASED: 1 MARCH 1989". The infected PC cannot boot from drive C:, and all data on it is unreachable.

Q: How can DataCrime (and other viruses) be stopped?

A: The National Institute of Standards and Technology (NIST) has recently issued guidelines for controlling malicious software in various computer environments, including PCs and networks. The SCC has obtained an electronic copy of NIST Special Publication 500-166, "Computer Viruses and Related Threats: A Management Guide" by John P. Wack and Lisa J. Carnahan. It may be obtained via FTP (or Kermit) from NIC.DDN.MIL [26.0.0.73 or 10.0.0.51] using login="anonymous" and password="guest". The pathname is SCC:NIST-001.
**********************************************************************
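The bulletin names the variants by the number of bytes each adds to an infected .COM file. As an added example (not part of the bulletin), this Python baseline-and-compare check records the size and hash of every .COM/.EXE on a clean system and later flags any executable that changed, naming the variant when the growth matches one of those byte counts; the file names and hashes in demo() are constructed.

```python
# Added example, not from the DDN bulletin: integrity baseline for the
# file-growth signature the bulletin describes.
from __future__ import annotations

import hashlib
from pathlib import Path

# Bytes each variant adds to an infected .COM file, per the bulletin's naming.
DATACRIME_DELTAS = {1168: "DataCrime 1168", 1280: "DataCrime 1280",
                    1514: "DataCrime II (1514)"}
# DataCrime II also infects .EXE files, so both suffixes are tracked.
EXECUTABLE_SUFFIXES = {".com", ".exe"}


def snapshot(root: Path) -> dict[str, tuple[int, str]]:
    """Record (size, sha256) for every .COM/.EXE under root.

    Take the baseline on a known-clean system and keep it off the machine
    (e.g. on a write-protected diskette) so an infection cannot rewrite it.
    """
    result: dict[str, tuple[int, str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            data = path.read_bytes()
            result[str(path.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def compare(baseline: dict[str, tuple[int, str]],
            current: dict[str, tuple[int, str]]) -> list[str]:
    """Report executables that differ from the baseline; a growth equal to a
    known delta is labelled with the variant, any other change is still reported."""
    findings = []
    for name, (size, digest) in sorted(current.items()):
        if name not in baseline:
            findings.append(f"{name}: new executable not in baseline")
            continue
        base_size, base_digest = baseline[name]
        if digest == base_digest:
            continue  # unchanged content
        growth = size - base_size
        variant = DATACRIME_DELTAS.get(growth)
        if variant:
            findings.append(f"{name}: grew by {growth} bytes, matches {variant}")
        else:
            findings.append(f"{name}: modified (size {base_size} -> {size}), unknown cause")
    for name in sorted(set(baseline) - set(current)):
        findings.append(f"{name}: present in baseline but now missing")
    return findings


def demo() -> list[str]:
    """Constructed scenario: a .COM grew by 1168 bytes, an .EXE by 1514, one file untouched."""
    baseline = {"DOS/CHKDSK.COM": (9850, "h1"), "WP/WP.EXE": (200000, "h2"),
                "DOS/FORMAT.COM": (11000, "h3")}
    current = {"DOS/CHKDSK.COM": (9850 + 1168, "h4"), "WP/WP.EXE": (200000 + 1514, "h5"),
               "DOS/FORMAT.COM": (11000, "h3")}
    return compare(baseline, current)
```

A byte-count match is corroborating evidence only; any hash change on an executable that was not deliberately updated warrants investigation regardless of its size.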