Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!wuarchive!uwm.edu!ux1.cso.uiuc.edu!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: DOUG@YSUB.BITNET (Doug Sewell)
Newsgroups: comp.virus
Subject: DIR EXEC on VM (VM/CMS)
Message-ID: <0015.8911271233.AA05551@ge.sei.cmu.edu>
Date: 26 Nov 89 15:56:21 GMT
Sender: Virus Discussion List <VIRUS-L@IBM1.CC.Lehigh.EDU>
Lines: 48
Approved: krvw@sei.cmu.edu

This was just posted on LSTSRV-L and several other groups - Doug
- ---
>Date:         Sat, 25 Nov 89 19:15:31 EDT
>Sender:       Revised LISTSERV forum <LSTSRV-L@RUTVM1>
>From:         "Juan M. Courcoul" <POSTMAST@TECMTYVM.BITNET>
>Subject:      IMPORTANT WARNING: CHRISTMA workalike on the loose on the links
>
>This is an emergency warning. As such it has been sent to several important
>lists; please excuse the multiple cross-posting.
>
>A dangerous REXX exec named DIR EXEC has been detected on our node, thanks
>to a watchful recipient. This exec purports to be able produce a directory
>listing of the user's disks in a MS/DOS (PC) format.
>
>However, when the exec is run, it will produce the promised listing BUT it
>will also send a copy of itself to all net addresses found in the user's
>NAMES and NETLOG files.
>
>This will, of course, swamp the BITNET network in a very short time if it
>is allowed to run unchecked. Its behavior is, damagewise, identical to the
>CHRISTMA EXEC which attacked both BITNET and VNET (IBM's corporate net)
>approximately three years ago.
>
>All system operators, postmasters and people in charge: if you find the DIR
>EXEC in your system's RDR queue, flush immediately. The copy we detected has
>the following characteristics:
>
>FILENAME FILETYPE FM FORMAT LRECL       RECS     BLOCKS
>DIR      EXEC     B1 V        116        167          1
>
>The datestamp is not a reliable indicator; in two different copies found in
>our RDR queue, the date was different.
>
>Also, please post warnings on your systems, alerting your users about this
>problem.
>
>Thanks for your immediate attention to this urgent problem.
>
>Juan
>
>/-----------------------------------------------------------------------\
>  Juan M. Courcoul                  | Phone: (835) 820-0000  Ext. 4151
>  Postmaster / Listserv Coordinator |
>  Dept. of Academic Services        | Net: POSTMAST@TECMTYVM.BITNET
>  Monterrey Campus                  |      POSTMAST@TECMTYVM.mty.itesm.mx
>  Monterrey Institute of Technology |      POSTMAST@TECMTYSB.BITNET
>  Monterrey, N. L., Mexico  64849   |      POSTMAST@TECMTYSB.mty.itesm.mx
>\-----------------------------------------------------------------------/


Brought to you by Super Global Mega Corp .com