e-20.chinon-cd-it.zip-trojan
Posted Sep 23, 1999
tags | trojan
SHA-256 | be4d8ad07c2711a1658974601f946d2c6465ec64a36765609a7a28348a769031

             _____________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             _____________________________________________________

                             INFORMATION BULLETIN

                    Trojan Attack on Chinon CD-ROM Drives

May 6, 1994 1200 PDT                                               Number E-20
______________________________________________________________________________

PROBLEM:       A Trojan-horse program, CD-IT.ZIP, masquerading as an improved
               driver for Chinon CD-ROM drives, corrupts system files and the
               hard disk.
PLATFORM:      All MS-DOS and PC-DOS machines.
DAMAGE:        Once in memory, the program destroys system files, requiring a
               format of the infected drive to correct.
SOLUTION:      Do not execute the program in CD-IT.ZIP.
______________________________________________________________________________

VULNERABILITY  The program is not dangerous if not run, but can cause
ASSESSMENT:    serious damage to a hard drive if it is. As of this date,
               we don't know of any anti-virus software that recognizes it.
______________________________________________________________________________

Critical Information about the CD-IT.ZIP Trojan

CIAC has received information from Chinon America regarding a Trojan-horse
program masquerading as an improved driver for Chinon CD-ROM drives. The
following text is the press release from Chinon America:

TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan
Horse" computer virus is on the Internet and is labeled with the
name of the fourth largest manufacturer of compact disc read-only
memory (CD-ROM) drives. Chinon America, Incorporated, the company
whose name has been improperly used on the rogue program, is
warning IBM and compatible personal computer (PC) users to beware
of the program known as "CD-IT.ZIP."

A Chinon CD-ROM drive user brought the program to the company's
attention after downloading it from a Baltimore, Maryland
Fidonet server. One of the clues that the virus, masquerading as
a utility program, wasn't on the up-and-up was that it purports "to
enable read/write to your CD-ROM drive," a physically impossible
task.

CD-IT is listed as authored by Joseph S. Shiner, couriered
by HDA, and copyrighted by Chinon Products. Chinon America told
Newsbytes it has no division by that name. Other clues were
obscenities in the documentation as well as a line indicating
that HDA stands for Haven't Decided a Name Yet.

David Cole, director of research and development for Chinon, told
Newsbytes that the company knows of no one who has actually been
infected by the program. Cole said the virus isn't particularly
clever or dynamic, but none of the virus software the company
tried was able to eradicate the rogue program. Chinon officials
declined to comment on what antivirus software programs were
used.

If CD-IT is actually run, it causes the computer to lock up,
forcing a reboot, and then stays in memory, corrupting critical
system files on the hard disk. Nothing but a high-level reformat
of the hard disk drive will eradicate the virus at this point, a
move that sacrifices all data on the drive. It will also corrupt
any network volumes available.

"We felt that it was our responsibility as a member of the
computing community to alert Internet users of this dangerous
virus that is being distributed with our name on it. Even though
we have nothing to do with the virus, it is particularly
disturbing for us to think that many of our loyal customers could
be duped into believing that the software is ours," Cole
explained.

Chinon is encouraging anyone who might have information that
could lead to the arrest and prosecution of the parties
responsible for CD-IT to call the company at 310-533-0274. In
addition, the company has notified the major distributors of
virus protection software, such as Symantec and McAfee Associates,
so they may update their programs to detect and eradicate CD-IT.

(Linda Rohrbough/19940429/Press Contact: Rolland Going, The
Terpin Group for Chinon, tel 310-798-7875, fax 310-798-7825;
Public Contact: Chinon, CD-IT Information, 310-533-0274)

CIAC recommends that if you find a copy of the file CD-IT.ZIP, you do not
install it on your computer. If you have already installed and run the file,
shut down your machine immediately. Check with your anti-virus vendor to see
if they have a scanner/repair utility available. If not, boot from a clean,
locked floppy. If you can still access your hard disk, back up any important
files that were not included in your last backup, reformat the drive, and
restore it from your last backup.

CIAC is currently obtaining a copy of this Trojan from Chinon, and will make
any new information about this Trojan available in a future copy of CIAC
Notes.
______________________________________________________________________________
CIAC would like to thank Chinon America for the information contained in this
advisory and Brian Lev of NASIRC for forwarding it to us.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).

CIAC has two self-subscribing mailing lists for its two types of electronic
publications: 1. Advisories (highest priority, time critical information) or
Bulletins (important computer security information) and 2. Notes (computer
security articles of general interest). Our mailing lists are managed by a
public domain software package called ListProcessor, which ignores E-mail
header subject lines. To subscribe (add yourself) to one of our mailing lists,
send E-mail to: ciac-listproc@llnl.gov with the following request as the
E-mail message body, substituting CIAC-BULLETIN or CIAC-NOTES for [list-name]
and valid information for the other items in parentheses:

        subscribe [list-name] Full_Name Phone_number
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall
not be used for advertising or product endorsement purposes.
