T.R | Title | User | Personal Name | Date | Lines |
---|
4695.1 | Security | BBRDGE::LOVELL | | Thu Jul 04 1996 13:13 | 9 |
| Greg,
Standard procedure for *ANY* security related incident is to
contact the security response team. Given that most of the US
are out for the next 2 days, I'd recommend that you contact
European Security straight away. E-Mail to SEC_OPS@VBO
/Chris.
|
4695.2 | | BBRDGE::LOVELL | | Thu Jul 04 1996 13:19 | 5 |
| I've confirmed the virus is present in that file and as I
couldn't contact Greg by 'phone, I've passed the details
to Security Operations.
/Chris.
|
4695.3 | Please ! Use the right channels | VARDAF::BERBIGIER | No known policy forbids common sense | Thu Jul 04 1996 15:19 | 9 |
| I would stress Chris' answer.
It is a very good intention to try and inform users of a security
incident, but we've lost a few hours due to the fact the
incident escalation procedure has not been followed.
How many customers have been infected during this delay ?
Pierre
|
4695.4 | | WOTVAX::HILTON | http://blyth.lzo.dec.com | Thu Jul 04 1996 15:22 | 9 |
| Pierre,
>> It is a very good intention to try and inform users of a security
>> incident, but we've lost a few hours due to the fact the
>> incident escalation procedure has not been followed.
I had no idea what the escalation procedure was, hence this note.
Without the notes conf, and Chris' answer, I'd still be asking around
as to what to do.
|
4695.5 | Document no longer available | TROOA::RITCHE | From the desk of Allen Ritche... | Thu Jul 04 1996 17:27 | 17 |
| Indeed that document contains the Winword/Concept macro virus.
Realizing today is July 4, I just called the emergency hotline in the
U.S. as noted in our security web page http://www-security.mko.dec.com
They advised me that the issue has already been reported and is being
worked by Corporate Security (Phil Bancroft and Bob Lyons).
I trust this is now in good hands. In fact, Bob Lyons just advised me
at 1:25pm that the document has now been marked hidden.
Regards,
Allen
CCS IT Security Operations
|
4695.6 | file unavailable | POWDML::LYONS | | Thu Jul 04 1996 17:31 | 6 |
| Effective 13:30 hours the Word, pdf, and Postscript version of
AlphaStation Options V96.1.3 is unavailable. Thus if you point to them
you will get a "Not Found" message.
Bob
|
4695.7 | Are there any PostScript Viruses? | ZUR01::SUTTER | Who are you ??? - I'm BATMAN !!! | Thu Jul 04 1996 19:47 | 13 |
| > Effective 13:30 hours the Word, pdf, and Postscript version of
> AlphaStation Options V96.1.3 is unavailable.
Could this virus, any virus for that matter, survive .doc -> .ps
translations? -- I doubt it.
What about .doc -> .pdf format translation?
Just wondering ...
Regards,
Arnold
|
4695.8 | | VANGA::KERRELL | salva res est | Fri Jul 05 1996 07:08 | 5 |
| re.1:
First I've heard of it, but then I've only been here 12 years.
Dave.
|
4695.9 | Incident Reporting Procedure (pointers) | ULYSSE::RAMBEAU | Jean-Paul Rambeau @VBO | Fri Jul 05 1996 08:11 | 9 |
| The Incident Reporting Procedure is available from VTX SECURITY and on the
web at http://www-security.mko.dec.com/
Please directly communicate with the contact people listed in the
Incident Reporting Procedure for any incident such as this one.
Jean-Paul
CCS IT Security Operations.
|
4695.10 | Guessing doesn't always work | EEMELI::SIREN | | Fri Jul 05 1996 08:31 | 15 |
|
I bet, that nowadays many places don't have anybody to tell people
about VTX SECURITY (not difficult to guess, but people don't use VTX
that much any more) or even less about the security web address.
We should improve our naming practices for important information and/or
in TCP/IP world move all important info under the same subdomain
(das.dec.com seems to be a good candidate) and/or arrange a single
effective search engine with guaranteed visibility to important info
(altavista.pa.dec.com? (should it be altavista.das.dec.com)).
--Ritva
|
4695.11 | Quality Improvement Opportunity | BBPBV1::WALLACE | Unix is digital. Use Digital UNIX. | Fri Jul 05 1996 10:03 | 14 |
| Hiding the PS and PDF versions is probably overkill. This virus applies
only to the .DOC version, as it uses Word's facility of running a
"program" (a macro) when a document is read in. So far as I know,
there's no real damage a .PS can do, and probably no real damage a .PDF
can do. (But I'm not claiming to represent Corporate Security).
There have been incidents of this nature (WinWord/Concept) with
documents in the Integrated Repository before. If we really were
integrated, the Web folks would use the IR as source, and the IR folks
would virus-scan anything PC-related before allowing it in, and we
wouldn't have any problems like this.
regards
john
|
4695.12 | Some Ideas | GIDDAY::lap8eth.stl.dec.com::THOMPSONS | Welcome to the Jungle | Fri Jul 05 1996 10:20 | 7 |
| Why not create a mail account
security@dec.com
and security.dec.com or www-security.dec.com
Cheerz
|
4695.13 | postscript not safe | EVTISA::ES_COLAS | waiting for openMAC axp ;-) | Fri Jul 05 1996 11:14 | 5 |
| Re .11) A .ps file is a PostScript program that may damage a printer (needing
hardware intervention). So it may happen...
rgds
Yann
|
4695.14 | | COMICS::CORNEJ | What's an Architect? | Fri Jul 05 1996 16:49 | 6 |
| re .11,
Sounds like most .PS files I print :-)
Jc
|
4695.15 | Handled | MINOTR::BANCROFT | | Mon Jul 08 1996 18:43 | 14 |
| The 226-7974 DTN phone always has the on-call security consultant
beeper schedule. The number is in many places, like VTX Security
and the Security Web pages.
One of us is always ready and set up to handle such problems 7 days
a week, 24 hours a day. Please let us know of problems like this as
quickly as you can. In some cases, (like the spread of a virus)
speed is important.
Phil Bancroft
PS: - quite right - this virus spreads through the source language
(.DOC or .DOT) files only. The print files (.PS or .EPS) do not
carry the macros. There IS a printer virus, but this is not it.
Naturally this virus can be mailed, net copied, or sneaker-netted.
|
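One way to implement the pre-publication check raised in notes .11, .15 and .21, as an added example that is not part of the original thread or of Digital's tooling: it triages files by content signature rather than by extension and holds every OLE2 container (the Word .DOC/.DOT format) for a macro virus scan. The file names, action labels and sample bytes are constructed for illustration.

```python
from pathlib import PurePath

# Well-known leading-byte signatures of the three formats discussed in the thread.
OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file: container for Word 6/7 .DOC/.DOT
SIGNATURES = [(OLE2, "ole2"), (b"%PDF-", "pdf"), (b"%!", "postscript")]
EXPECTED = {".doc": "ole2", ".dot": "ole2", ".pdf": "pdf",
            ".ps": "postscript", ".eps": "postscript"}

def classify(head: bytes) -> str:
    """Identify the format from the first bytes of the file, ignoring its name."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"

def triage(name: str, head: bytes) -> dict:
    """Decide what a publishing gate should do with one candidate file."""
    kind = classify(head)
    ext = PurePath(name).suffix.lower()
    mismatch = EXPECTED.get(ext) != kind
    if kind == "ole2":
        # Macro-capable container: always scan, whatever the extension claims.
        action = "HOLD_MACRO_SCAN"
    elif kind == "unknown" or mismatch:
        # Content does not match the claimed type: a person should look at it.
        action = "HOLD_REVIEW"
    else:
        # Print formats carry no Word macros; this says nothing about other
        # risks of PostScript as a program (note .13).
        action = "PASS_NO_WORD_MACROS"
    return {"name": name, "kind": kind, "mismatch": mismatch, "action": action}

# Constructed sample inputs (names and contents are made up for illustration).
SAMPLES = [
    ("options.doc", OLE2 + b"\x00" * 8),
    ("options.ps", b"%!PS-Adobe-3.0\n"),
    ("options.pdf", b"%PDF-1.2\n"),
    ("renamed.ps", OLE2 + b"\x00" * 8),  # Word file published under a print extension
    ("notes.doc", b"plain text, not a Word file"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        r = triage(name, head)
        print(f"{r['name']:12} {r['kind']:10} mismatch={r['mismatch']!s:5} {r['action']}")
```

The gate only decides which files must go to a macro-aware scanner; the scan itself still needs an up-to-date product, as note .27 points out.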
4695.16 | marketing wizardry? | DELNI::MURPHY | | Mon Jul 08 1996 21:12 | 3 |
| Just what is the "concept" virus anyway? Does it slow down your PC to a
screeching halt and then pop up a little window that says that you
should buy an Alpha? What a great idea... =)
|
4695.17 | | CUSTOM::ALLBERY | Jim | Mon Jul 08 1996 21:27 | 6 |
| The "concept" virus (I have no idea how it got that name) is a set of
macros that keep you from doing a "save as" option by forcing your
document to be a document template. It's annoying but relatively
harmless. Once you get a document with it, it infects your normal
document template so that any document you create afterwards is also
infected.
|
4695.18 | | BUSY::SLABOUNTY | Being weird isn't enough | Mon Jul 08 1996 21:47 | 5 |
|
That's a clever concept for a virus.
Hmmm, maybe that's how it got its name.
|
4695.19 | I'm waiting until the bean counters decide to shutdown DAS | STEVMS::PETTENGILL | mulp | Mon Jul 08 1996 23:15 | 11 |
| Policy prohibits a www.dec.com because we might want to setup an office in
Wala Wala, Washington and assigning www to a node address would prevent being
able to send mail to someone at site www using person@www or person@www.dec.com.
The idea of using generic or meaningful names based on common conventions or
names would run counter to policies defined based on simplifying operations.
Operational considerations are far more important than human factors.
It makes far more sense for SEG to refer to Bemerton, Washington than to
the Semiconductor Engineering Group. Heaven forbid the possibility that
an organization would usurp the _obvious_ site code "SEG" for Bemerton.
|
4695.20 | Walla Walla and Bremerton | LOWELL::MIDDLETON | John | Tue Jul 09 1996 05:57 | 4 |
| FWIW, the two cities are Walla Walla and Bremerton. I'm originally
from Bremerton.
John
|
4695.21 | | WOTVAX::HILTON | http://blyth.lzo.dec.com | Tue Jul 09 1996 09:31 | 5 |
| Could someone please reassure me that we do virus check all documents
before we publish them in the IR or externally on the web, and that
this was an isolated incident, that got through the net?
Greg
|
4695.22 | | HELIX::SONTAKKE | | Tue Jul 09 1996 13:11 | 6 |
| RE: .19
You seem to have a lot of confidence in Digital to think that we might be
*opening* a new office in future.
- Vikas
|
4695.23 | | USCTR1::SIGEL | Flock of Sigels | Tue Jul 09 1996 13:54 | 5 |
| I got affected by the virus, it altered my Microsoft Internet Assistant
and my clip art gallery in Power Point. I had to re-install both
applications.
Lynne S.
|
4695.24 | ex | PULMAN::CROSBY | | Tue Jul 09 1996 14:14 | 8 |
| Re:.17
I beg to differ. This virus is anything BUT harmless. I caught it
over the Holidays (Christmas, that is), and it crashed my C drive.
McAfee will find and eradicate it, and the network ops people have a fix.
If you have it, get rid of it as soon as possible!
gc
|
4695.25 | | SMURF::PBECK | Paul Beck | Tue Jul 09 1996 14:15 | 2 |
| There is more than one variant of the Concept virus. The original
was fairly innocuous; the later version(s) less so.
|
4695.26 | | USCTR1::SIGEL | Flock of Sigels | Tue Jul 09 1996 15:10 | 5 |
| Best bet is whenever information is downloaded off the internet, scan it
with F-PROT for viruses.
Lynne S
|
4695.27 | | QUARK::LIONEL | Free advice is worth every cent | Tue Jul 09 1996 15:49 | 4 |
| Until recently, F-Prot couldn't find Word macro viruses. Make sure whatever
virus protection you use is up to date.
Steve
|
4695.28 | known about for at least 10 months | FIREBL::LEEDS | From VAXinated to Alphaholic | Tue Jul 09 1996 16:03 | 239 |
| Here's what the Sales Workbench folks got about the CONCEPT Virus last year.
Arlan
I N T E R O F F I C E   M E M O R A N D U M
Date: 05-Sep-1995 02:56pm PDT
From: Corporate Information Security
SECURITY@A1@SALES@AKO
Dept:
Tel No:
TO: See Below
Subject: Microsoft Word Macro Virus
From: Steve Dancause @MSO, DTN 223-8717
DIGITAL INTERNAL USE ONLY
*********************** CORPORATE SECURITY *************************
* *
* CORPORATE INFORMATION SECURITY GROUP *
* September 5, 1995 *
* [DO NOT DELETE THIS BANNER] *
* *
********************* SECURITY ADVISORY #95-02 **********************
This security advisory is directed to all Personal Computer users,
internal support personnel and any other appropriate internal
organizations within Digital Equipment Corporation.
Distribution is via Reader's Choice to all employees. Managers are
responsible for dissemination to other Digital workers not covered
by employee-wide Reader's Choice mailings (e.g. contractors).
SUBJECT: Microsoft Word Macro Virus
A virus which affects Microsoft WORD documents has been reported
recently and confirmed to exist. This virus replicates on all
platforms which use Microsoft WORD 6, i.e. MS-DOS, Windows,
Windows 95, Windows NT and Macintosh.
As with many viruses this one has been given many different names,
in this instance: "Word Macro Virus", "WinWord.Concept", "WW6",
"WW6macro" and "Prank Macro Virus". The virus uses 'macros'
(embedded executable instructions) to replicate and infect WORD 6
files.
Although this is a cause for concern, it is NOT cause for panic.
This particular exploitation of macro capability is simple to
identify, and easy to eradicate.
As with all Personal Computer viruses, it is imperative that
infections are contained and eliminated. For example, any person
using WORD 6 must take precautions to assure that these files are
not infected, especially if files are to be transferred outside of
Digital.
To eliminate this virus, the following procedure must be implemented.
REQUIRED ACTIONS
1. TO IDENTIFY THIS PARTICULAR VIRUS INFECTION: When an infected
WORD file is loaded, a dialogue box titled "Microsoft Word"
appears, containing only a "1" and an OK button. If you have NOT
seen this when opening a WORD document, your system may be OK
for now, but be aware that any strange behavior should be
reported. See contact information below.
2. IF YOU HAVE AN INFECTED FILE, or to be certain that the WORD
environment is virus free, copy the Microsoft-provided file
SCAN831.DOC (August 31st 1995 version) to a working directory
from:
MINOTR::USER6:[VIRUS.WORD]
or
VARDAF::EUROPUB:[VIRUS_SCANNER]
Open SCAN831.DOC (or the latest version) in the same way as
opening any other WORD document to invoke a scanner/cleaner
for .DOC files. Easy to follow instructions are included in
SCAN831.DOC. This tool will establish if normal.dot
(template file for normal documents) is infected, and then
take action accordingly. SCAN831.DOC also displays informative
progress messages.
3. Users can also copy file WD1215.DOC to obtain a good description
and graphic illustration of the virus symptoms and solution.
The WD1215 file (4-pages) will be especially helpful for support
organizations advising internal and external customers.
4. It is recommended that all WORD users disable the ability for
WORD to update normal.dot, without prompting for approval.
To do this: click on "Tools", then "Options", then "Save" and
finally check the "Prompt to Save Normal.dot" box.
5. Future versions of Corporate licensed virus protection software
(e.g. F-PROT and SWEEP) will include detection capability for
"Word Prank".
6. Per Corporate Security Standard 211-04, all virus infections
must be reported according to established procedures. See contact
information below.
AWARENESS NEEDED:
1. It is important to understand that Personal Computer viruses can
be a serious risk to Digital.
To reduce the risks, do not use diskettes or files from an
unknown/uncontrolled environment. Beware when downloading any
files which may contain programs or executable instructions.
Frequently run the latest version of the Digital approved
anti-virus software (F-PROT and/or SWEEP). Always have backup
and a contingency plan in place to recover personal computer data.
2. Users and support personnel should be aware that the possibility
of undesirable or damaging effects can exist in an environment or
application that provides uncontrolled automatic execution of
computer instructions in the form of macros, command scripts,
learned keystrokes and the like, especially when such embedded and
possibly hidden code is provided by another party.
3. Microsoft is investigating ways to build some type of protection
into the MS WORD product itself. When available, these protection
features should be enabled.
Microsoft Word SCAN831.DOC Tool and Information Pointers
========================================================
DECnet: MINOTR::USER6:[VIRUS.WORD]SCAN831.DOC (doc virus scan/clean)
MINOTR::USER6:[VIRUS.WORD]WD1215.DOC (more information)
VARDAF::EUROPUB:[VIRUS_SCANNER]SCAN831.DOC
VARDAF::EUROPUB:[VIRUS_SCANNER]WD1215.DOC
Latest support information on WORD and the scanner is available from
Microsoft via the Web:
http://www.microsoft.com/msoffice/prank.htm
or
http://www.microsoft.com/kb/softlib/Office/q_word.htm
(Look for the "Prank Macros" Application Note - Windows or MAC as needed)
The information as of this date applies to Microsoft Word versions 6.x
for Windows, Microsoft Word versions 6.0 and 6.0.1 for the Macintosh,
Microsoft Word version 6.0 for Windows NT, and Microsoft Word version 7.0
for Windows 95.
DIGITAL INTERNAL USE ONLY
CORPORATE INFORMATION SECURITY GROUP
SECURITY ADVISORY #95-02
****
CONTACT INFORMATION:
ASIA/PACIFIC
Your Regional security contact or as per VTX SECURITY_AP
EUROPE
Your regional/country security contact as per VTX SECURITY_EUROPE or
EISOG (European Information Security Operations Group) Contact -
EUROSEC @VBE / EISOG Hotline, DTN 828-6328
AMERICAS
Your regional security contact or as per VTX SECURITY
CORPORATE
CISG (Corporate Information Security Group) as per VTX SECURITY or
contact - CISG @MSO / CISG Hotline, DTN 223-8900
INTERNAL WWW SERVER
Digital Information Security Entry Point
http://www.security.mro1.dec.com/
VIDEOTEX SERVERS
VTX SECURITY (VTX SECINFO)
VTX SECURITY_AP
VTX SECURITY_EUROPE
NOTESFILES
MINOTR::SECURITY_ADVISORY (CISG Security Advisories and Bulletins)
POWDML::PC_SECURITY (Personal Computer Security)
NOTE:
The only authorized source of computer/network security related
advisories and bulletins for Digital is the Corporate Information
Security Group. CISG security advisories and bulletins are distributed
through the geography, country and business security contacts within
Digital Equipment Corporation.
Please advise your system managers and users of Digital's computers and
networks that any security warnings, alerts, advisories, and bulletins,
especially those requiring responsive action on their part, are the
explicit responsibility of the Corporate Information Security Group.
If an internal or external advisory or bulletin is received from other
sources and no information on the topic has been received from CISG,
please contact our group at DTN 223-8900. This allows a single focus for
all security advisory and bulletin information for our Company. All
security advisories and bulletins can be found in VTX SECURITY or VTX
SECURITY_EUROPE.
DIGITAL INTERNAL USE ONLY
|
4695.29 | Which virus scanner(s) ???? | CHEFS::HARVEY | Baldly going into the unknown... | Tue Jul 09 1996 16:24 | 11 |
| Rather beggars the question which virus detecting system must we use ?
From what I see there are several offerings available - F-Prot, Norton, Dr
Solomon (?), Microsoft etc. Do they all see all the known viruses ? I doubt
they're all in synch with all active viruses....
From the end user side of life which scanners should we be running ?
Visions of spending all day scanning files with a whole range of tools !!!!
Rog
|
4695.30 | | QUARK::LIONEL | Free advice is worth every cent | Tue Jul 09 1996 16:32 | 9 |
| For personal use, I find Norton to be the best, based on several comparison
reviews I have seen. The better scanners do provide monthly updates (most
for free by Internet, CompuServe, etc.) and these often include added
capabilities to detect and remove new kinds of viruses.
Microsoft Antivirus (gone as of Windows 95) is worthless. On W95, McAfee
ViruScan has some serious holes which would lead me to recommend against it.
Steve
|
4695.31 | | USCTR1::SIGEL | Flock of Sigels | Wed Jul 10 1996 15:36 | 4 |
| F Prot is pretty good, it located the files and I deleted them real
fast.
Lynne S.
|
4695.32 | safe viewing | NETCAD::ROLKE | Interrupt driven Herefords | Thu Jul 11 1996 14:15 | 7 |
| In the August edition of Windows Magazine the cover story is about
Safety on the Net. David Methvin suggests (page 176 sidebar) a
method for Safe Viewing of Word documents: install the Word and Excel
viewers and use them as your default viewers.
The viewers open the documents in half the time and they don't execute
the macros so you don't get any Word viruses.
|