Path: utzoo!utgpu!watserv1!watmath!att!att!emory!wuarchive!zaphod.mps.ohio-state.edu!ub!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: VALDIS@VTVM1.CC.VT.EDU (Valdis Kletnieks)
Newsgroups: comp.virus
Subject: Bitnet Worm spotted... (IBM VM/CMS)
Message-ID: <0009.9010301519.AA05689@ubu.cert.sei.cmu.edu>
Date: 29 Oct 90 17:25:36 GMT
Sender: Virus Discussion List
Lines: 32
Approved: krvw@sei.cmu.edu

For the joy and edification of those who track such things, I'd like to
report that a verified worm has been spotted on Bitnet.

Known Salient Points:

The filename/filetype is "TERM MODULE". In the spool area, it is 42 records
long. On a minidisk, it is 3 records, recfm V, lrecl 2904. The datestamp
on the copy I received for analysis is 10/08/90 05:57

The program started as a Rexx exec to "pretty-print" the CP QUERY NAMES
command with nicknames, etc. Some (as yet unidentified) clown then
added code to do the following:

(a) it sends a copy of itself to everybody in your NAMES file
(b) It sends a copy of 'ALL NOTEBOOK' to yourself (kind of pointless..)

It was then fed into a program to convert it to MODULE format. The
MODULE is apparently just a "front end" to the Rexx interpreter - there
is no readily visible "dangerous" code. I will be completing a disassembly
of the module header shortly, but do not expect any surprises. If I find
any, I will post a followup...

Due to stylistic differences, I am convinced that the programmers for
parts (1) and (2/3) are different people.

The date on the MODULE is 10/08/90, and there haven't been many sightings
that I know of. Apparently, it hasn't reached "critical mass" on the
network yet.

Valdis Kletnieks
Computer Systems Engineer
Virginia Polytechnic Institute