Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!asuvax!ncar!tank!cps3xx!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: P.E.Smee@gdr.bath.ac.uk
Newsgroups: comp.virus
Subject: DIR EXEC question (VM/CMS)
Message-ID: <0015.8912011616.AA11845@ge.sei.cmu.edu>
Date: 29 Nov 89 11:59:30 GMT
Sender: Virus Discussion List
Lines: 26
Approved: krvw@sei.cmu.edu

My boss has just heard about this and got himself into a flap. (We run, among other things, a VM/CMS 'service' (if that word can be applied to VM/CMS) on a 3090/150S.)

We have not seen a copy of it, and we don't know how BITNET/EARN IBM's are interconnected. However it sounds from the description like it must transfer itself using SENDFILE (or TRANSFER) over something like RSCS. Is this indeed the case?

(If so, it is unlikely to travel freely between UK academic IBM sites as we tend to run UK Bluebook for file transfers, which requires that you know the password as well as the username on a remote site in order to send them a file. If it travels as mail, then password is not necessary of course, but on the other hand the mechanics of MAIL are such that a user is more likely to have looked at it before running it, since it is a bit tricky to 'RECEIVE' mail into a separate executable file.)

Of course if we DID end up with a copy on our machine, it could redistribute itself freely within the machine. I'm simply trying to make a value judgement as to the likelihood of our getting a copy from outside; and to decide exactly how to phrase our warning to users.

It also affects our protective reaction. If it transfers via SENDFILE/TRANSFER we're not going to get it. If it transfers via MAIL or some other protocol, we might get it, but it will not show up in our SPOOL as DIR EXEC...

Paul Smee, Univ. of Bristol Comp. Centre, Bristol BS8 1TW (Tel +44 272 303132)
Smee@bristol.ac.uk :-) (..!uunet!ukc!gdr.bath.ac.uk!exspes if you HAVE to)