Internet VIRUS alert


Peter E. Yee (yee@ames.arc.nasa.gov)
Wed, 2 Nov 88 23:28:00 PST


We are currently under attack from an Internet VIRUS. It has hit UC Berkeley,
UC San Diego, Lawrence Livermore, Stanford, and NASA Ames. The virus comes in
via SMTP, and then is able to attack all 4.3BSD and SUN (3.X?) machines. It
sends a RCPT TO that requests that its data be piped through a shell. It copies
in a program, compiles and executes it. This program copies in VAX and SUN
binaries that try to replicate the virus via connections to TELNETD, FTPD,
FINGERD, RSHD, and SMTP. The programs also appear to have DES tables in them.
They appear in /usr/tmp as files that start with the letter x. Removing them
is not enough as they will come back in the next wave of attacks. For now
turning off the above services seems to be the only help. The virus is able
to take advantage of .rhosts files and hosts.equiv. We are not certain what the
final result of the binaries is, hence the warning.

I can be contacted at (415) 642-7447. Phil Lapsley and Kurt Pires at this
number are also conversant with the virus.

                                                        -Peter Yee
                                                        yee@ames.arc.nasa.gov
                                                        ames!yee



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:43:58 GMT