c-17.ciac-new-macintosh-virus-mbdf

Posted Sep 23, 1999


tags | virus
SHA-256 | f9348dd186574fa9dabc99f8f178fa0fb64b7fe53e01218a1ab02a90e9d7c347

         NO RESTRICTIONS
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
INFORMATION BULLETIN

New Virus on Macintosh Computers: MBDF A

February 25, 1992, 1130 PST Number C-17

________________________________________________________________________
NAME:        MBDF A virus
PLATFORM:    Macintosh computers, except MacPlus and SE (see below)
DAMAGE:      May cause program crashes
SYMPTOMS:    Claris applications indicate they have been altered; some
             shareware may not work; unexplained system crashes
DETECTION &
ERADICATION: Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6,
             VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0
________________________________________________________________________
Critical Facts about MBDF A

A new Macintosh virus, MBDF A (named for the resource it exploits),
has been discovered. This virus does not appear to cause damage
maliciously; it simply copies itself from one application to another.
MBDF A was discovered at two archive sites in newly posted game
applications, and has a high potential to become very widespread.

Infection Mechanism

This virus is an "implied loader" virus, and it works in a similar
manner to other implied loader viruses such as CDEF and MDEF. Once
the virus is active, clean application programs will become infected
as soon as they are executed. MBDF A infects only applications, and
does not affect data files. This virus replicates under both System 6
and System 7. While MBDF A may be present on ALL types of Macintosh
systems, it will not spread if the infected system is a MacPlus or a
Mac SE (although it does spread on an SE/30).

Potential Damage

The MBDF A virus has no malicious damaging characteristics; however,
it may cause programs to inexplicably crash when an item is selected
from the menu bar. Some programs, such as the shareware
"BeHierarchic" program, have been reported to not operate correctly
when infected. Applications written with self-checking code, such as
those written by the Claris corporation, will inform the user that
they have been altered.

When MBDF A infects the system file, it must re-write the entire
system file back to disk; this process may take two or three minutes.
If the user assumes the system has hung, and reboots the Macintosh
while this is occurring, the entire system file will be corrupted and
an entire reload of system software must then be performed.

This virus can be safely eradicated from most infected programs,
although CIAC recommends that you restore all infected files from an
uninfected backup.

Detection and Eradication

Because MBDF A has been recently discovered, only anti-viral packages
updated since February 20, 1992 will locate and eradicate this virus.
All the major Macintosh anti-viral product vendors are aware of this
virus and have scheduled updates for their products. These updates
have all been available since February 24, 1992. The updated versions
of some products are Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6,
SAM 3.0, VirusDetective 5.0.2, and Rival 1.1.10. Some Macintosh
applications (such as the Claris software mentioned above) may contain
self-verification procedures to ensure the program is valid before
each execution; these programs will note unexpected alterations to
their code and will inform the user.

MBDF A has been positively identified as present in two shareware
games distributed by reliable archive sites: "Obnoxious Tetris" and
"Ten Tile Puzzle". The program "Tetricycle" (sometimes named
"Tetris-rotating") is a Trojan Horse program which installs the virus.
If you have downloaded these or any other software since February 14,
1992 (the day these programs were loaded to the archive sites), CIAC
recommends that you acquire an updated version of an anti-viral
product and scan your system for the existence of MBDF A.
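
As a triage aid alongside the scanners listed above, the following added example (not part of the CIAC bulletin or of any listed product) parses a classic Mac OS resource fork and reports resources of type MBDF found in an application. It assumes the raw resource-fork bytes have already been extracted from the file; the function names are hypothetical, the sample forks are constructed, and a hit is a prompt to scan with an updated anti-viral product, not a signature match.

```python
import struct

def list_resources(fork: bytes):
    """Return [(type, id), ...] from raw classic Mac OS resource-fork bytes."""
    try:
        data_off, map_off, data_len, map_len = struct.unpack_from(">4I", fork, 0)
        if map_len < 30 or map_off + map_len > len(fork):
            raise ValueError("resource map lies outside the fork")
        # Offset 24 in the map: distance from map start to the type list.
        tlist = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
        # Counts are stored minus one; 0xFFFF therefore means "no types".
        n_types = (struct.unpack_from(">H", fork, tlist)[0] + 1) & 0xFFFF
        found = []
        for i in range(n_types):
            rtype, n_minus1, ref_off = struct.unpack_from(">4sHH", fork, tlist + 2 + 8 * i)
            for j in range(n_minus1 + 1):
                # 12-byte reference entries, offsets relative to the type list.
                (rid,) = struct.unpack_from(">h", fork, tlist + ref_off + 12 * j)
                found.append((rtype.decode("mac_roman"), rid))
        return found
    except struct.error as exc:
        raise ValueError(f"truncated or corrupt resource fork: {exc}") from None

def flag_types(fork: bytes, suspect=("MBDF",)):
    """Triage hint: resources of the given types present in an application's fork."""
    return [(t, rid) for t, rid in list_resources(fork) if t in suspect]

def build_sample_fork(resources):
    """Constructed test input: a minimal fork holding empty resources."""
    types = sorted({t for t, _ in resources})
    tl_len = 2 + 8 * len(types)
    tlist, refs = struct.pack(">H", (len(types) - 1) & 0xFFFF), b""
    for t in types:
        ids = [rid for rt, rid in resources if rt == t]
        tlist += struct.pack(">4sHH", t.encode("mac_roman"), len(ids) - 1, tl_len + len(refs))
        for rid in ids:
            # id, no name (0xFFFF), attrs + 3-byte data offset, reserved handle
            refs += struct.pack(">hHI4x", rid, 0xFFFF, len(refs) // 12 * 4)
    data = struct.pack(">I", 0) * len(resources)
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(tlist) + len(refs)) + tlist + refs
    return struct.pack(">4I", 256, 256 + len(data), len(data), len(rmap)) + bytes(240) + data + rmap

if __name__ == "__main__":
    # Constructed sample: an application fork that also carries an MBDF resource.
    sample = build_sample_fork([("CODE", 0), ("MENU", 128), ("MBDF", 128)])
    print(flag_types(sample))
```
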

For additional information or assistance, please contact CIAC:

Karyn Pichnarczyk
(510) 422-1779 or (FTS) 532-1779
karyn@cheetah.llnl.gov

Call CIAC at (510)422-8193/(FTS)532-8193.
Send e-mail to ciac@llnl.gov

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your
agency's team will coordinate with CIAC.

CIAC would like to thank Gene Spafford and John Norstad, who provided
some of the information used in this bulletin. This document was
prepared as an account of work sponsored by an agency of the United
States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.
