Path: utzoo!utgpu!attcan!uunet!husc6!bbn!rochester!bukys
From: bukys@cs.rochester.edu (Liudvikas Bukys)
Newsgroups: comp.bugs.4bsd
Subject: THE VIRUS and the finger daemon (READ THIS!!!!)
Keywords: virus, unix, finger
Message-ID: <1988Nov3.192124.3943@cs.rochester.edu>
Date: 4 Nov 88 00:21:24 GMT
Reply-To: bukys@cs.rochester.edu (Liudvikas Bukys)
Organization: U of Rochester, CS Dept, Rochester, NY
Lines: 16

ANOTHER ASPECT OF TODAY'S VIRUS:

It attacks the finger daemon, which uses gets() to input a string.
The virus sends an overlong string, which overflows the 512-byte buffer,
and steps on the stack in just the right way to invoke a shell.
I think it only does this (successfully) to Vaxen.

If you have source, recode the gets() to an fgets().

If you don't have source, turn off the finger daemon in /etc/inetd.conf
or /etc/servers!

Liudvikas Bukys

P.S. The virus also seems to poke around with telnet, but I don't know
of any holes in the telnet daemon. Maybe it only does that after it
has figured out a password for an account.
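
The gets()-to-fgets() change recommended in the post, as an added example (not part of the original post and not the actual fingerd source): a bounded line reader for a 512-byte request buffer that rejects an overlong line and discards its tail so the leftover bytes are not parsed as a second request. The names read_request, make_stream, REQ_MAX, REQ_EOF and REQ_TOO_LONG are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>
#define REQ_MAX      512    /* buffer size named in the post */
#define REQ_EOF      (-1)
#define REQ_TOO_LONG (-2)

/* Bounded replacement for gets(buf): fgets() writes at most `size` bytes. */
int read_request(FILE *in, char *buf, size_t size)
{
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return REQ_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {      /* the whole line fit */
        buf[--len] = '\0';
        if (len > 0 && buf[len - 1] == '\r')    /* strip CR of a CRLF line */
            buf[--len] = '\0';
        return (int)len;
    }
    if (len < size - 1)                         /* last line, ended by EOF */
        return (int)len;
    int c = getc(in);                           /* buffer full: look one byte ahead */
    if (c == EOF || c == '\n')
        return (int)len;                        /* exactly size-1 bytes */
    while ((c = getc(in)) != EOF && c != '\n')
        ;                                       /* discard the tail of the overlong line */
    buf[0] = '\0';
    return REQ_TOO_LONG;
}

/* Demo helper: place n constructed bytes in a temp file and rewind it. */
FILE *make_stream(const char *data, size_t n)
{
    FILE *f = tmpfile();
    if (f != NULL && fwrite(data, 1, n, f) == n)
        rewind(f);
    return f;
}

int main(void)
{
    char buf[REQ_MAX], big[606];
    memset(big, 'A', 600);                      /* constructed overlong request */
    memcpy(big + 600, "\nroot\n", 6);
    FILE *f = make_stream(big, sizeof big);
    if (f == NULL) return 1;
    int first = read_request(f, buf, sizeof buf);
    int second = read_request(f, buf, sizeof buf);
    printf("first=%d second=%d (%s)\n", first, second, buf);
    fclose(f);
    return 0;
}
```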