Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!bionet!apple!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: HALLEN@oregon.bitne (Hervey Allen, U of O Comp. Ctr., (503) 686-4394)
Newsgroups: comp.virus
Subject: RE: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)
Message-ID: <0005.8907251208.AA04381@ge.sei.cmu.edu>
Date: 24 Jul 89 23:14:00 GMT
Sender: Virus Discussion List
Lines: 45
Approved: krvw@sei.cmu.edu

I have been reading the discussions on VM/CMS as pertaining to viruses and security with some interest. I was the Senior Consultant/Programmer at a small college for a system running VM/CMS when the CHRISTMA EXEC program was making its rounds.

There were two of us who had complete control over the machine we were working on (a 4341-2 w/1500 accounts) which made it extremely easy to spot and eradicate the CHRISTMA EXEC. We routinely checked the number of Reader (mail) files on our machine. We noticed an increase in files over the span of a few hours that was unusual so we checked our RSCS spool to see if anything unusual was happening and spotted the CHRISTMA EXEC file showing up repeatedly. We then took a look at the CHRISTMA EXEC (which we had both received) and realized what it was doing.

At this point we wrote a few lines of code to search for all occurrences of the CHRISTMA EXEC on the system (in Reader or on disk) and to delete any that were found. We warned our users not to run the CHRISTMA EXEC (in case we missed any) and then we periodically checked for the EXEC over the next few days. We did not think of putting the check directly into RSCS, which is a better idea.

The reason I bothered to write this was to make note of the possibility that those places where people dealt directly with their machines and the operating systems seemed to catch the CHRISTMA EXEC almost immediately, whereas on the IBM VNET many of the machines ran systems such as PROFS that separate the users from the operating system and most of the machines were maintained by a larger number of people who had less direct control over their environments. I'm not advocating either system over the other, but, to us, it was interesting how trivial a problem the CHRISTMA EXEC was to deal with. On IBM's VNET, however, the offending program was not noticed until network traffic had become so high, and system spool resources were becoming full enough (I assume) that they were forced to shut the network down.

This begs the question as to whether or not systems that are designed to be user friendly and administrations that are set up to keep access to data restricted are more susceptible to viruses/worms/trojan horses. I don't expect to answer this question, but it does seem to be a re-occurring theme when dealing with viruses.

Hervey Allen
Student Programmer/Virus Consultant
University of Oregon Academic Computer Services

| Disclaimer: The opinions expressed here are my own and in no way reflect |
| the opinions of the University of Oregon.                                |