Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!julius.cs.uiuc.edu!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: PDS2@PSUVM.PSU.EDU (Paul D. Shan)
Newsgroups: comp.virus
Subject: Re: Bitnet Worm spotted... (IBM VM/CMS)
Message-ID: <0003.9011051415.AA12439@ubu.cert.sei.cmu.edu>
Date: 1 Nov 90 16:58:51 GMT
Sender: Virus Discussion List
Lines: 23
Approved: krvw@sei.cmu.edu

I was unfortunate enough to execute this worm. I still have a copy in a very benign state so I can look at it. I got it from someone in Canada who in turn got it from someone in Turkey. Fortunately I had someone originally from Cyprus look at the program and try to decipher some of the language in it. It indeed is Turkish, and it says "This EXEC shows the terminals in the terminal room and the library."

The program seems to be copyrighted, since there is a message "(c) nihat dinc id=oyo8904" in it. oyo8904 is an ID which is consistent with the UserID "structure" of TREARN. My guess is that someone took a valid program, hacked it to pieces, assembled/compiled it and sent it out. Since the original language is Turkish, I also assume that the original worm came from there.

Well, this is what my little piece of digging came up with. Anyone else have some evidence?

Paul D. Shan
Microcomputer and Personal Workstation Support
Center for Academic Computing
12 Willard Building
University Park, PA 16802
(814) 863-4356
PDS2@PSUVM.psu.edu