Path: utzoo!attcan!uunet!husc6!bloom-beacon!apple!bionet!agate!ucbvax!WHEATIES.AI.MIT.EDU!glr
From: glr@WHEATIES.AI.MIT.EDU (Jerry Roylance)
Newsgroups: comp.protocols.tcp-ip
Subject: Virus
Message-ID: <19881104194515.0.GLR@MOSCOW-CENTRE.AI.MIT.EDU>
Date: 4 Nov 88 19:45:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 20

A method of finding the culprit:

NYT implies the user is a CS student. The files that compose his system were stored on disk in his directory; the program is complicated, so the development probably took a long time; the files were probably stored on a public machine.

So the first step might be to (quietly) grep unix filesystems for some appropriate (cleartext) substrings that would appear in his files (ie, pieces of the infecting shell script). Anyone who owned such files before the infection would be suspect.

The internet reaction has probably scared the author, so he has presumably deleted the relevant online files, but probably does not have access to his system's backup tapes. Scanning those tapes (levels 0-9) for say Monday or Tuesday would probably turn something up.

Coordinating the search effort would be difficult and possibly not worth it.
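
The search described in the post, as an added example that is not part of the original message: list files that contain any of a set of known cleartext fragments and were last modified at or before a cutoff time, with their owners. The function names, the pattern strings, the sample tree and the cutoff date are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Pattern strings, paths and dates are constructed placeholders.

# scan_prior ROOT CUTOFF PATTERNS
#   ROOT      tree to search (a live filesystem or a restored backup level)
#   CUTOFF    time in `touch -t` form, CCYYMMDDhhmm
#   PATTERNS  file of fixed strings, one per line (no blank lines: a blank
#             line makes grep -F match every file)
# Prints an `ls -ld` line (owner, mtime, path) for each regular file that
# contains any pattern and was last modified at or before CUTOFF.
scan_prior() {
    root=$1; cutoff=$2; patterns=$3
    ref=$(mktemp) || return 1
    touch -t "$cutoff" "$ref"
    # "! -newer ref" keeps files modified no later than the reference file.
    # grep exits 1 when a batch has no hit; that is not an error here.
    { find "$root" -type f ! -newer "$ref" \
          -exec grep -lF -f "$patterns" {} + 2>/dev/null || :; } |
    while IFS= read -r f; do
        ls -ld "$f"
    done
    rm -f "$ref"
}

# make_sample_tree DIR: build a constructed tree with three files.
make_sample_tree() {
    mkdir -p "$1/home/alice" "$1/home/bob"
    printf 'echo PLACEHOLDER_FRAGMENT_A\n' > "$1/home/alice/draft.sh"
    printf 'echo PLACEHOLDER_FRAGMENT_A\n' > "$1/home/bob/received.sh"
    printf 'unrelated notes\n'             > "$1/home/bob/notes.txt"
    touch -t 198810200900 "$1/home/alice/draft.sh"    # before the cutoff
    touch -t 198811031200 "$1/home/bob/received.sh"   # after the cutoff
    touch -t 198810150900 "$1/home/bob/notes.txt"     # old, but no match
}

# demo: run the scan over the constructed tree with a constructed cutoff.
demo() {
    work=$(mktemp -d) || return 1
    make_sample_tree "$work/tree"
    printf 'PLACEHOLDER_FRAGMENT_A\nPLACEHOLDER_FRAGMENT_B\n' > "$work/patterns"
    scan_prior "$work/tree" 198811010000 "$work/patterns"
    rm -rf "$work"
}

demo
```

Modification times on a live filesystem can be reset by the file's owner and move forward on every edit, so the same scan run over a tree restored from a backup taken before the cutoff gives a stronger result than the live disk.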