_____________________________________________________
             The U.S. Department of Energy
        Computer Incident Advisory Capability
_____________________________________________________

                            INFORMATION BULLETIN

                   Trojan Attack on Chinon CD-ROM Drives

May 6, 1994 1200 PDT                                                Number E-20
______________________________________________________________________________

PROBLEM:       A Trojan-horse program, CD-IT.ZIP, masquerading as an improved
               driver for Chinon CD-ROM drives, corrupts system files and the
               hard disk.
PLATFORM:      All MS-DOS and PC-DOS machines.
DAMAGE:        Once in memory, the program destroys system files, requiring a
               format of the infected drive to correct.
SOLUTION:      Do not execute the program in CD-IT.ZIP.
______________________________________________________________________________

VULNERABILITY  The program is not dangerous if not run, but can cause
ASSESSMENT:    serious damage to a hard drive if it is. As of this date, we
               don't know of any anti-virus software that recognizes it.
______________________________________________________________________________

              Critical Information about the CD-IT.ZIP Trojan

CIAC has received information from Chinon America regarding a Trojan-horse
program masquerading as an improved driver for Chinon CD-ROM drives. The
following text is the press release from Chinon America:

    TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan Horse"
    computer virus is on the Internet and is labeled with the name of the
    fourth largest manufacturer of compact disc read-only memory (CD-ROM)
    drives. Chinon America, Incorporated, the company whose name has been
    improperly used on the rogue program, is warning IBM and compatible
    personal computer (PC) users to beware of the program known as
    "CD-IT.ZIP." A Chinon CD-ROM drive user brought the program to the
    company's attention after downloading it from a Baltimore, Maryland
    Fidonet server.

    One of the clues that the virus, masquerading as a utility program,
    wasn't on the up-and-up was that it purports "to enable read/write to
    your CD-ROM drive," a physically impossible task. CD-IT is listed as
    authored by Joseph S. Shiner, couriered by HDA, and copyrighted by
    Chinon Products. Chinon America told Newsbytes it has no division by
    that name. Other clues were obscenities in the documentation as well
    as a line indicating that HDA stands for Haven't Decided a Name Yet.

    David Cole, director of research and development for Chinon, told
    Newsbytes that the company knows of no one who has actually been
    infected by the program. Cole said the virus isn't particularly clever
    or dynamic, but none of the virus software the company tried was able
    to eradicate the rogue program. Chinon officials declined to comment
    on what antivirus software programs were used.

    If CD-IT is actually run, it causes the computer to lock up, forcing a
    reboot, and then stays in memory, corrupting critical system files on
    the hard disk. Nothing but a high-level reformat of the hard disk
    drive will eradicate the virus at this point, a move that sacrifices
    all data on the drive. It will also corrupt any network volumes
    available.

    "We felt that it was our responsibility as a member of the computing
    community to alert Internet users of this dangerous virus that is
    being distributed with our name on it. Even though we have nothing to
    do with the virus, it is particularly disturbing for us to think that
    many of our loyal customers could be duped into believing that the
    software is ours," Cole explained.

    Chinon is encouraging anyone who might have information that could
    lead to the arrest and prosecution of the parties responsible for
    CD-IT to call the company at 310-533-0274. In addition, the company
    has notified the major distributors of virus protection software, such
    as Symantec and McAfee Associates, so they may update their programs
    to detect and eradicate CD-IT.

    (Linda Rohrbough/19940429/Press Contact: Rolland Going, The Terpin
    Group for Chinon, tel 310-798-7875, fax 310-798-7825; Public Contact:
    Chinon, CD-IT Information, 310-533-0274)

CIAC recommends that if you find a copy of the file CD-IT.ZIP, you do not
install it on your computer. If you have already installed and run the file,
shut down your machine immediately. Check with your anti-virus vendor to see
if they have a scanner/repair utility available. If not, boot from a clean,
locked floppy. If you can still access your hard disk, back up any important
files that were not included in your last backup, reformat the drive and
restore it from your last backup.

CIAC is currently obtaining a copy of this Trojan from Chinon, and will make
any new information about this Trojan available in a future copy of CIAC
Notes.
______________________________________________________________________________

CIAC would like to thank Chinon America for the information contained in this
advisory and Brian Lev of NASIRC for forwarding it to us.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).

CIAC has two self-subscribing mailing lists for its two types of electronic
publications:

1. Advisories (highest priority, time critical information) or Bulletins
   (important computer security information) and
2. Notes (computer security articles of general interest).

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send E-mail to:

    ciac-listproc@llnl.gov

with the following request as the E-mail message body, substituting
CIAC-BULLETIN or CIAC-NOTES for [list-name] and valid information for the
other items in parentheses:

    subscribe [list-name] Full_Name Phone_number
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.