
CIAC INFORMATION BULLETIN

E-20: Trojan Attack on Chinon CD-ROM Drives

May 6, 1994 1200 PDT

PROBLEM: A Trojan-horse program, CD-IT.ZIP, masquerading as an improved driver for Chinon CD-ROM drives, corrupts system files and the hard disk.
PLATFORM: All MS-DOS and PC-DOS machines.
DAMAGE: Once in memory, the program destroys system files, requiring a format of the infected drive to correct.
SOLUTION: Do not execute the program in CD-IT.ZIP.
VULNERABILITY ASSESSMENT: The program is not dangerous if not run, but can cause serious damage to a hard drive if it is. As of this date, we don't know of any anti-virus software that recognizes it.

Critical Information about the CD-IT.ZIP Trojan

CIAC has received information from Chinon America regarding a Trojan-horse program masquerading as an improved driver for Chinon CD-ROM drives. The following text is the press release from Chinon America:

   TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan
   Horse" computer virus is on the Internet and is labeled with the
   name of the fourth largest manufacturer of compact disc read-only
   memory (CD-ROM) drives. Chinon America, Incorporated, the company
   whose name has been improperly used on the rogue program, is
   warning IBM and compatible personal computer (PC) users to beware
   of the program known as "CD-IT.ZIP."

   A Chinon CD-ROM drive user brought the program to the company's
   attention after downloading it from a Baltimore, Maryland
   Fidonet server. One of the clues that the virus, masquerading as
   a utility program, wasn't on the up-and-up was that it purports "to
   enable read/write to your CD-ROM drive," a physically impossible
   task.

   CD-IT is listed as authored by Joseph S. Shiner, couriered
   by HDA, and copyrighted by Chinon Products. Chinon America told
   Newsbytes it has no division by that name. Other clues were
   obscenities in the documentation as well as a line indicating
   that HDA stands for Haven't Decided a Name Yet.

   David Cole, director of research and development for Chinon, told
   Newsbytes that the company knows of no one who has actually been
   infected by the program. Cole said the virus isn't particularly
   clever or dynamic, but none of the virus software the company
   tried was able to eradicate the rogue program. Chinon officials
   declined to comment on what antivirus software programs were
   used.

   If CD-IT is actually run, it causes the computer to lock up,
   forcing a reboot, and then stays in memory, corrupting critical
   system files on the hard disk. Nothing but a high-level reformat
   of the hard disk drive will eradicate the virus at this point, a
   move that sacrifices all data on the drive. It will also corrupt
   any network volumes available.

   "We felt that it was our responsibility as a member of the
   computing community to alert Internet users of this dangerous
   virus that is being distributed with our name on it. Even though
   we have nothing to do with the virus, it is particularly
   disturbing for us to think that many of our loyal customers could
   be duped into believing that the software is ours," Cole
   explained.

   Chinon is encouraging anyone who might have information that
   could lead to the arrest and prosecution of the parties
   responsible for CD-IT to call the company at 310-533-0274. In
   addition, the company has notified the major distributors of
   virus protection software, such as Symantec and McAfee Associates,
   so they may update their programs to detect and eradicate CD-IT.

   (Linda Rohrbough/19940429/Press Contact: Rolland Going, The
   Terpin Group for Chinon, tel 310-798-7875, fax 310-798-7825;
   Public Contact: Chinon, CD-IT Information, 310-533-0274)

CIAC recommends that if you find a copy of the file CD-IT.ZIP, you do not install it on your computer. If you have already installed and run the file, shut down your machine immediately. Check with your anti-virus vendor to see if they have a scanner/repair utility available. If not, boot from a clean, locked floppy. If you can still access your hard disk, back up any important files that were not included in your last backup, reformat the drive, and restore it from your last backup.

CIAC is currently obtaining a copy of this Trojan from Chinon, and will make any new information about this Trojan available in a future copy of CIAC Notes.


CIAC would like to thank Chinon America for the information contained in this advisory and Brian Lev of NASIRC for forwarding it to us.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788