Path: utzoo!attcan!uunet!husc6!bloom-beacon!apple!bionet!agate!ucbvax!AMES.ARC.NASA.GOV!yee
From: yee@AMES.ARC.NASA.GOV (Peter E. Yee)
Newsgroups: comp.protocols.tcp-ip
Subject: Internet VIRUS alert
Message-ID: <8811030728.AA18199@ames.arc.nasa.gov>
Date: 3 Nov 88 07:28:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 19

We are currently under attack from an Internet VIRUS. It has hit UC Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames.

The virus comes in via SMTP, and then is able to attack all 4.3BSD and SUN (3.X?) machines. It sends a RCPT TO that requests that its data be piped through a shell. It copies in a program, compiles and executes it. This program copies in VAX and SUN binaries that try to replicate the virus via connections to TELNETD, FTPD, FINGERD, RSHD, and SMTP. The programs also appear to have DES tables in them. They appear in /usr/tmp as files that start with the letter x. Removing them is not enough as they will come back in the next wave of attacks. For now turning off the above services seems to be the only help. The virus is able to take advantage of .rhosts files and hosts.equiv. We are not certain what the final result of the binaries is, hence the warning.

I can be contacted at (415) 642-7447. Phil Lapsley and Kurt Pires at this number are also conversant with the virus.

-Peter Yee
yee@ames.arc.nasa.gov
ames!yee
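
The two indicators described in the alert above (an SMTP RCPT TO whose recipient is a pipe to a program, and files in /usr/tmp whose names start with x), checked over constructed sample data. This is an added example, not part of the original post; the function names, the transcript lines and the file listing are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# SMTP verbs are case-insensitive; some clients put a space after the colon.
RCPT_RE = re.compile(r'^\s*RCPT\s+TO:\s*(.*)$', re.IGNORECASE)

def recipient_of(line):
    """Return the forward-path of an SMTP RCPT TO command, or None."""
    m = RCPT_RE.match(line)
    if not m:
        return None
    path = m.group(1).strip()
    if path.startswith('<') and path.endswith('>'):
        path = path[1:-1]
    return path

def is_piped_recipient(path):
    """True if the recipient names a program (leading '|'), not a mailbox."""
    # Ignore leading whitespace, an opening quote and backslash escapes.
    return path.lstrip(' \t"\\').startswith('|')

def scan_transcript(lines):
    """Return (line_number, recipient) for each RCPT TO that targets a pipe."""
    hits = []
    for n, line in enumerate(lines, start=1):
        rcpt = recipient_of(line)
        if rcpt is not None and is_piped_recipient(rcpt):
            hits.append((n, rcpt))
    return hits

def suspicious_tmp_files(paths):
    """Return paths that sit directly in /usr/tmp and start with 'x'."""
    tmp = PurePosixPath('/usr/tmp')
    return [p for p in paths
            if PurePosixPath(p).parent == tmp
            and PurePosixPath(p).name.startswith('x')]

# Constructed sample data (not captured from a real host).
SAMPLE_SESSION = [
    'HELO host-a.example',
    'MAIL FROM:<alice@host-a.example>',
    'RCPT TO:<bob@host-b.example>',
    'rcpt to: <"| /bin/sh">',
    'DATA',
]
SAMPLE_LISTING = ['/usr/tmp/x0001', '/usr/tmp/Ex01234',
                  '/tmp/xnotes', '/usr/tmp/sub/xfile']

if __name__ == '__main__':
    print(scan_transcript(SAMPLE_SESSION))
    print(suspicious_tmp_files(SAMPLE_LISTING))
```

A file name starting with x is a weak indicator on its own, so treat a listing hit as a reason to inspect the file rather than as proof.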