_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________
ADVISORY NOTICE
nVir A Virus Found on CD-ROM
May 5, 1994 1500 PDT Number E-19
______________________________________________________________________________
PROBLEM: The Macintosh nVir A virus has been found in the "README." file
on the Journal of Vacuum Science & Technology CD-ROM Vol.12 1Q94.
PLATFORM: Macintosh, all versions of the operating system. This virus
has no effect on the MS-DOS files also on the disk.
DAMAGE: The virus can easily infect your computer.
SOLUTION: Check with publisher, do not execute "README." file.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: This CD-ROM is included as part of the American
Vacuum Society's (AVS) journal distribution, and is distributed to members of
the AVS. The virus is not overtly damaging, but does damage the system and
applications during infection.
______________________________________________________________________________
Critical Information about the CD-ROM distribution, and the nVir A Virus
CIAC has investigated a report of a virus in the CD-ROM distribution of a
technical journal, the Journal of Vacuum Science & Technology A&B (Second
Series Volume 12, 1994), which apparently was inadvertently infected with the
nVir A virus before production of the CD-ROM. All known copies of this CD-ROM
distribution are infected with this Macintosh virus.
The CD-ROM can be identified by the following titles printed on the disk:
A title in large bold type: "JVST A&B Vol. 12 1Q94"
A subtitle in small type: "JVST-A Vol 12(1) and 12(2) JVST-B, Vol 12(1)"
The infected file is "README." in the root directory of the CD-ROM, which is a
DOCMaker Stand-Alone document reader application. The instruction manual tells
you to run this file to view or print the user manual; however, doing so will
infect the system file of your Macintosh.
This disk can also be read via a PC using DOS or Windows, but those systems
will be unaffected, because the nVir A virus is specific to the Macintosh
operating system.
The nVir A virus at first only replicates, but after a certain number of
executions it has a small chance of saying "Don't Panic" if MacinTalk is
installed, or of making the computer beep if MacinTalk is not installed. It is
not an intentionally destructive virus, but does damage the system and
applications during the infection process. Infected systems occasionally crash,
and printing is often delayed or damaged.
CIAC recommends that if you have received this CD-ROM, you immediately mark it
as containing a Macintosh computer virus, and do not run the "README." file in
the root directory. If you are using this disk on a PC system, you do not need
to worry as the PC files on this disk are not infected. If you have already run
this infected file, get a copy of an anti-virus program such as Disinfectant,
and scan your hard disk for infected files. Replace all the infected files that
you can, and repair those that you cannot replace. If your hard disk has been
infected, you must scan every floppy disk that has been in your system since
the infection occurred.
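
As an added illustration of what scanning a file for this virus involves (this is not code from CIAC or from Disinfectant, and it does not replace an anti-virus scan), the sketch below reads the type list of a classic Mac OS resource fork and flags the resource type 'nVIR'. That marker is an assumption taken from general descriptions of the nVir family, not from this advisory; the function names and sample forks are constructed for the example.

```python
import struct

# Assumption (not in the advisory): nVir-infected files carry 'nVIR' resources.
SUSPECT_TYPES = {b"nVIR"}

def resource_types(fork: bytes) -> dict:
    """Return {resource type: count} from raw classic Mac OS resource fork bytes."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    _data_off, map_off, _data_len, map_len = struct.unpack(">4I", fork[:16])
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("resource map missing or outside the file")
    # Map layout: 16-byte header copy, 4-byte handle, 2-byte file ref,
    # 2-byte attributes, then 2-byte offsets to the type list and name list.
    (type_list_off,) = struct.unpack_from(">H", fork, map_off + 24)
    tl = map_off + type_list_off
    (stored,) = struct.unpack_from(">H", fork, tl)
    n_types = (stored + 1) & 0xFFFF  # stored as count-1; 0xFFFF means none
    types = {}
    for i in range(n_types):
        rtype, cnt_m1, _refs = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        types[rtype] = cnt_m1 + 1
    return types

def scan(fork: bytes) -> list:
    """Return the suspect resource types present in the fork, as text."""
    present = resource_types(fork)
    return sorted(t.decode("mac_roman") for t in present if t in SUSPECT_TYPES)

def build_fork(type_counts: dict) -> bytes:
    """Constructed sample: a minimal fork holding only a header and a type list."""
    tlist = struct.pack(">H", (len(type_counts) - 1) & 0xFFFF)
    for rtype, count in type_counts.items():
        tlist += struct.pack(">4sHH", rtype, count - 1, 0)
    map_len = 28 + len(tlist)
    header = struct.pack(">4I", 16, 16, 0, map_len)
    rmap = header + bytes(8) + struct.pack(">HH", 28, map_len) + tlist
    return header + rmap

if __name__ == "__main__":
    clean = build_fork({b"CODE": 3, b"ICN#": 1})       # constructed sample
    flagged = build_fork({b"CODE": 4, b"nVIR": 8})     # constructed sample
    for name, fork in (("clean", clean), ("flagged", flagged)):
        print(name, scan(fork) or "no suspect resource types")
```

On a current macOS system the raw resource fork of a file can be read from the path formed by appending /..namedfork/rsrc to the file name.
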
Even though the CD-ROM contains an infected file, the file can only infect your
system if it is executed. The other files on the disk can still be installed
and used without causing an infection. To install the Adobe Acrobat document
reader on your Macintosh, run the Installer program in the
JVST_94:install:mac:reader folder. To install the search utility, run the
JVST_INSTALL;1 program in the JVST_94:install:mac:wordkeep directory. You can
also view the README.DOC file, which contains the instructions for using the PC
and Windows versions of the reader, using a word processor. Only the "README."
file must be avoided.
If you must access the data in the infected "README." file, carefully copy the
file to a floppy disk and repair it using an anti-virus utility such as
Disinfectant, and then scan it again to ensure it has been repaired. If the
repaired file is no longer infected, you may then run it to view the document.
Again, do not run the copy of the "README." file that is on the CD-ROM, as it
is still infected, and cannot be repaired due to the read-only nature of the
CD-ROM.
The publisher has sent a letter to all known recipients of this CD-ROM
distribution explaining this problem.
______________________________________________________________________________
CIAC wishes to thank Judy Lim, Rick Stulen and Art Pontau of Sandia National
Labs for first bringing this to our attention and for supplying us with a copy
of the CD-ROM. CIAC also wishes to thank the ASSIST team for helping us to
contact the publishers of this journal.
______________________________________________________________________________
For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov
Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
CIAC has two self-subscribing mailing lists for its two types of electronic
publications: 1. Advisories (highest priority, time critical information) or
Bulletins (important computer security information) and 2. Notes (computer
security articles of general interest). Our mailing lists are managed by a
public domain software package called ListProcessor, which ignores E-mail
header subject lines. To subscribe (add yourself) to one of our mailing lists,
send E-mail to: ciac-listproc@llnl.gov with the following request as the
E-mail message body, substituting CIAC-BULLETIN or CIAC-NOTES for [list-name] and
valid information for the other items in parentheses:
subscribe [list-name] Full_Name Phone_number
______________________________________________________________________________
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.