From harris@i7.msi.umn.edu Fri Aug 2 06:37:07 1996 Received: from s1.msi.umn.edu (root@s1.msi.umn.edu [128.101.24.1]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id GAA05483 for ; Fri, 2 Aug 1996 06:36:44 +1000 Received: from i7.msi.umn.edu (harris@i7.msi.umn.edu [128.101.27.57]) by s1.msi.umn.edu (8.7.5/8.6.9) with ESMTP id PAA22570 for ; Thu, 1 Aug 1996 15:30:40 -0500 (CDT) Received: from localhost (harris@localhost) by i7.msi.umn.edu (8.7.5/8.6.9) with SMTP id PAA17987 for ; Thu, 1 Aug 1996 15:36:29 -0500 (CDT) Date: Thu, 1 Aug 1996 15:36:29 -0500 (CDT) From: Darryl Harris To: best-of-security@suburbia.net Subject: New PC Virus (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII >Date: Thu, 1 Aug 1996 11:02:57 -0500 (CDT) >Message-Id: <199608011602.LAA23485@catena.soils.umn.edu> >From: John Ladwig >To: comp-sec@unet.unet.umn.edu >Subject: New PC Virus [forwarded from Dale Swanson] > >This sounds consistent with the capabilities and methods of MS-Word >trojan/viruses. Beware. > >------- start of forwarded message (RFC 934 encapsulation) ------- >- ---------------------------------------------------------- > >My computer Department in Guidant has identified a new Word Macro >virus, please feel free to forward this message to the faculty group >if you deem it appropriate. > >Best regards, > >Julio C. Spinelli >Adjoint Professor UMN >Head CHF Research GUIDANT > >A new and destructive Word Macro Virus has been identified!!! > >The virus name is "MDMA" and at this point we have not detected its >presence within the Guidant Global network. However, this does not >mean we are protected from infection at any time. The Guidant IS >staff is working to prevent the spread of this virus. We are >recommending that all users check their computer for possible >infection, following these instructions: > >1. Start Microsoft Word. >2. Select the "Tools" menu option. >3. Select the "Macro..." option from "Tools" >4. Check the list of Macros; if you have a macro named "AutoClean" you >are infected with the MDMA virus. 5. If you do not have the >"AutoClean" macro, you are NOT infected with MDMA virus. > >This virus activates the first of every month. It will insert a >command in the AUTOEXEC.BAT file to delete all files and directories >on the C: Drive. To help prevent this, we would like you to make the >AUTOEXEC.BAT file 'Read Only' using the following instructions, until >further notice. This will prevent the virus from modifying the >AUTOEXEC.BAT file and from destroying any data on the C: Drive. > > > >Windows 3.1 Users: >Step Action >1 From Windows, Select the File Manager Icon. >2 Select C:\ . >3 Highlight the AUTOEXEC.BAT file. >4 Select 'File' from the top menu options. >5 Select 'Properties'. >6 In the attributes section, click the Read Only box. >7 Click OK. > > > >Windows 95 Users: >Step Action >1 Select Windows Explorer >2 Select C:. >3 Highlight the AUTOEXEC.BAT file >4 Select 'File' from the top menu options. >5 Select 'Properties'. >6 In the attributes section, click the Read Only box. >7 Click OK. > > >Note: If you are installing software that rights to the AUTOEXEC.BAT >file, you will need to clear the 'Read Only' attribute before >installation and then re-flag it when complete. > >------- end ------- >