Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!ucbvax!AERO4.LARC.NASA.GOV!blbates
From: blbates@AERO4.LARC.NASA.GOV (Bates TAD/HRNAB ms294 x2601)
Newsgroups: comp.sys.sgi
Subject: Re: virus, fix for 3000 part 05 of 05 (last)
Message-ID: <8811212155.AA00205@aero4.larc.nasa.gov>
Date: 21 Nov 88 18:55:20 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 19

I didn't try using adb. We had two people try it, one was one of our
'experts' and he said adb didn't work correctly. I don't know any
specifics as to why it didn't work, but he used emacs to make the change
and I copied it to my machine.

As far as the worm was concerned, I haven't heard anything specific,
mainly rumors. They said that it transferred its source over to the new
machine and compiled itself. There were two ways for it to get around,
one was through sendmail and the other was through ftp. The sendmail
part could get into any BSD sendmail machine that had debug set. The ftp
portion was Sun and VAX specific, and it was the fastest part of the
worm. So we had a two-headed worm; one was slow, but could get almost
anywhere; and a second that was fast, but only worked on two types of
machines.

One last thing, we were told NOT to put a null into the sendmail binary,
but some other value.

P.S. I am sending a copy of this to info-iris, since it has been
returned to me twice.