[comp.virus] Desktop Fractal Software Infection Confirmation

JAONEIL@ERENJ.BITNET (Jill A. O'Neil) (02/13/90)

In reply to:
>From:    Eric Roskos <jer@ida.org>
>Subject: Re: "Desktop Fractal Design System Not Infected"

>.......... that to
>date there is no evidence *which has been presented on VIRUS-L* that the
>Desktop Fractal Design System, as shipped from the publisher, is
>infected.

Here's evidence.  An employee at my company purchased the Fractal
software directly from Academic Press via phone order.  When he placed
the call he was told that the order would be delayed a few days until
the second printing was complete.  When he received the diskette, it
was indeed infected with the Jerusalem-B virus. The virus was
identified by McAfee Associates VIRUSCAN.  The diskette was scanned on
a standalone (diskless) PC and we used McAfee's CLEAN55 to disinfect
the affected PC.

> There is only the claim that it is, and the statement
>(secondhand) that the publisher is "aware" of the problem.

Once it was determined that the Fractal software diskette was
infected, I (as Security Administrator for my work location) called
Academic Press (800-321-5068).  The person that answered the phone did
not have any details about the infection other than to say that yes
they are aware of the problem and that the diskette will be replaced
if the infected one is returned to them at the following address: 465
So. Lincoln Drive, Troy, Missouri 63379.

   Academic Press also gave me a phone number for Iterated Systems
to call if I wanted further details.  When I called the number, I got
no answer (I tried the number several times a day for a week).  I also
called the customer service number listed on the warranty and again
got no answer (also called several times a day for a week).

   Several days after the above, the person who had the infected diskette
received a letter from Academic Press. The first paragraph is as follows:
   "Dear Customer,
    You recently purchased a software package from Academic Press
    THE DESKTOP FRACTAL DESIGN SYSTEM written by Michael Barnsley
    of Iterated Systems, Inc.  If the outside of your package has
    a round sticker in the upper right hand corner which says "VGA
    AND CGA COMPATIBLE", the enclosed disk is suspected of carrying
    a computer virus.  If there is no sticker on the outside of
    your package, the disk you received is not defective."

 The letter goes on to say that AP will replace the software with a
"clean version" and that they will "have an expert contact you to discuss
remedies in case you have infected your computer system".

>It would be helpful to those of us who have to deal with these issues to
>know more about details of alleged virus infections, things such as:

>	- Did you personally open and install the infected disk?

No I did not; however, the software was run from the diskette, not
installed on the hard drive.  The machine on which it was run had
not had any software updates in over 3 months (implying that the virus
was not previously introduced on the system via other software)
and only those executables that had run after the Fractal software
was executed became infected with the Jerusalem-B virus.
   The owner of the fractal disk also copied but DID NOT RUN the Fractal
diskette on his own PC at home (this was done prior to his bringing it
to the office).  VIRUSCAN found the Jerusalem-B virus in the fractal
executable only - no other files on his PC were infected.

>- Did you write-protect the disk before doing so?

Unknown, but probably not.

>- How many copies do you have that you know to be infected?

One.
A sitewide desktop distribution was done hours after the virus
confirmation but no other employees came forward saying they had
purchased this software.

>- What is the version number of the software?  Is there any other
>  date or serial number information involved?

Serial Number 03276
   The only other piece of identification is the VGA and CGA
compatible sticker on the outside of the package of the 2nd printing
of this software that was mentioned above in the letter from Academic
Press.

Jill A. O'Neil
Bitnet: jaoneil@erenj