Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/5/84; site umn-cs.UUCP
Path: utzoo!watmath!clyde!cbosgd!ihnp4!stolaf!mmm!umn-cs!woolsey
From: woolsey@umn-cs.UUCP (Jeff Woolsey)
Newsgroups: net.micro,net.micro.pc
Subject: Re: MS-DOS tool to help detect Trojan Horse programs
Message-ID: <993@umn-cs.UUCP>
Date: Thu, 17-Apr-86 13:09:22 EST
Article-I.D.: umn-cs.993
Posted: Thu Apr 17 13:09:22 1986
Date-Received: Mon, 21-Apr-86 01:44:14 EST
References: <4664@ut-sally.UUCP> <99@gumby.UUCP>
Reply-To: woolsey@umn-cs.UUCP (Jeff Woolsey)
Organization: Computer Science Dept., U of Minn, Mpls, MN
Lines: 14
Keywords: software terrorism
Xref: watmath net.micro:14387 net.micro.pc:7886

Trojan horse programs with (nominally-)encrypted strings are not new.
Our site got bit by one last April.  Someone had stuck code in /etc/update
to write HAPPY APRIL FOOL'S DAY in /etc/motd every 10 minutes.  We couldn't
find that string in any of the running processes.  If the message did not
also include a line of asterisks I never would have found it.  There was
a line of some other character of the same length in /etc/update.

--
-- "Clorox bottles!  Millions of MY Clorox bottles!  This is where they hid
'em-- Zeigler and Kissinger.  I'll get 'em on the way back!"
Jeff Woolsey
...ihnp4{!stolaf}!umn-cs!woolsey
woolsey@umn-cs.csnet
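
Added example, not part of the original post: a scanner that automates the clue described above by finding a long run of one repeated byte, treating it as an encoded line of asterisks, and decoding the bytes around it with the key that implies. The post does not say how the string was encoded; a single-byte XOR or additive shift is assumed here, and all function names and the sample data are constructed for illustration.

```python
import re

PRINTABLE = set(range(0x20, 0x7F)) | {0x0A}   # ASCII text plus newline

def repeated_runs(blob, min_len=16):
    """Yield (offset, byte value, length) for each run of one repeated byte."""
    for m in re.finditer(rb"(.)\1{%d,}" % (min_len - 1), blob, re.DOTALL):
        yield m.start(), m.group(1)[0], len(m.group(0))

def decode(data, key, mode):
    """Undo a single-byte XOR or additive shift (the assumed encodings)."""
    if mode == "xor":
        return bytes(b ^ key for b in data)
    return bytes((b - key) & 0xFF for b in data)

def hunt(blob, filler=ord("*"), min_len=16, context=8):
    """Treat each run as an encoded line of `filler`; derive the key and decode.

    Returns (offset, mode, key, text) where the text around the run is readable.
    """
    findings = []
    for off, val, length in repeated_runs(blob, min_len):
        if val in (0x00, 0xFF, filler):    # padding, or a line that is not hidden
            continue
        for mode, key in (("xor", val ^ filler), ("add", (val - filler) & 0xFF)):
            plain = decode(blob, key, mode)
            lo, hi = off, off + length
            while lo > 0 and plain[lo - 1] in PRINTABLE:
                lo -= 1
            while hi < len(plain) and plain[hi] in PRINTABLE:
                hi += 1
            if (hi - lo) - length >= context:   # readable bytes beyond the run
                findings.append((off, mode, key, plain[lo:hi].decode("ascii")))
    return findings

# Constructed sample: the message from the post (asterisk count is made up),
# XORed with an arbitrary key (XOR is its own inverse, so decode() encodes),
# between high-valued bytes standing in for the rest of the binary.
MESSAGE = b"HAPPY APRIL FOOL'S DAY\n" + b"*" * 22 + b"\n"
PADDING = bytes(range(0xC8, 0x100))
SAMPLE = PADDING + decode(MESSAGE, 0x5A, "xor") + PADDING

if __name__ == "__main__":
    print(b"HAPPY" in SAMPLE)          # a plain string search misses it
    for finding in hunt(SAMPLE):
        print(finding)
```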