Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw From: MANAGER@JHUIGF.BITNET (System Manager) Newsgroups: comp.virus Subject: Possible virus? (VAX/VMS) Message-ID: <0003.8909201747.AA13433@ge.sei.cmu.edu> Date: 20 Sep 89 12:59:00 GMT Sender: Virus Discussion List Lines: 38 Approved: krvw@sei.cmu.edu I recieved this from Info-VAX today. I think it may be of interest. Damian Hammontree System Programmer, Johns Hopkins School of Medicine MANAGER@JHUIGF.BITNET Message follows: Comments: From IVERS@CMR.MFENET on 19-SEP-1989 23:36:02.73 EDT Comments: To: info-vax@kl.sri.com On Monday morning, our users (including the system manager) were surprised to find that they could no longer log in to our VAX 11/750 (VMS V4.5). Coincidentally, one user reported the appearance of several files in his directory with names like WARNING., VIRUS., and ATTACK.. He thought it was a joke and said nothing at the time the files appeared. The system was booted with UAFALTERNATE =1. It appeared that SYSUAF.DAT was intact, but the passwords were no longer valid. A SYSUAF.DAT file was restored from a backup set and new passwords were issued. The problem is that now when more than 2 users attempt to use the system, a message of the type LICENSED NUMBER OF SYSTEM USERS EXCEEDED appears. As for the "virus" files - all that remains are subdirectories of names similar to the files reportedly seen by the user (one of them is called [.DEADLY-VIRUS]). Any ideas as to the cause or cure of the LICENCED NUMBER OF... problem, or insight into the nature of the "virus" would be appreciated. Thanks in advance, Tom Ivers (system manager) Columbia U. Plasma Physics Lab Internet: IVERS@CUPLVX.APNE.COLUMBIA.EDU MFEnet: IVERS@CMR