Path: utzoo!utgpu!attcan!uunet!husc6!purdue!spaf
From: spaf@cs.purdue.edu (Gene Spafford)
Newsgroups: news.sysadmin
Subject: A worm preventer!
Message-ID: <5314@medusa.cs.purdue.edu>
Date: 4 Nov 88 06:26:20 GMT
Sender: news@cs.purdue.EDU
Reply-To: spaf@cs.purdue.edu (Gene Spafford)
Organization: Department of Computer Science, Purdue University
Lines: 48
Supersedes: <5313@medusa.cs.purdue.edu>

FLASH!!

Kevin ("Adb's your friend.") Braunsdorf  of Purdue CC just burst into
my office with a cure discovered in the disassembled worm binary.

If there is an external variable in the library named "pleasequit" that
is non-zero, the worm will die immediately after starting.  Thus, to
kill any new worms, include a patch in your library that defines the
symbol.  The following shell file and source code will modify your C
library to define this symbol.

It WON'T kill any currently linked and running versions, but it should
prevent reinfection.  If you install this and a reinfection occurs,
please notify us all immediately!


# Shar archive.  Give the following as input to /bin/sh
#  Packed Thu Nov  3 21:56:35 EST 1988 by spaf@uther.cs.purdue.edu
#
#  This archive contains:
#	foo.sh
#	foo.c
#
#
echo x - foo.sh
sed 's/^X//' >foo.sh <<'*-*-END-of-foo.sh-*-*'
Xcc -c foo.c -o foo.o
Xcp /lib/libc.a /lib/libc.a.old
Xar q /lib/libc.a foo.o
Xranlib /lib/libc.a
*-*-END-of-foo.sh-*-*
echo x - foo.c
sed 's/^X//' >foo.c <<'*-*-END-of-foo.c-*-*'
Xint pleasequit = -1;
*-*-END-of-foo.c-*-*
exit
-- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf


-- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf