Path: utzoo!attcan!uunet!husc6!cmcl2!rutgers!ucsd!ucbvax!hardees.rutgers.edu!ron
From: ron@hardees.rutgers.edu
Newsgroups: comp.protocols.tcp-ip
Subject: DECNET Virus (sorry)
Message-ID: <8812232057.AA02489@ron.rutgers.edu>
Date: 23 Dec 88 20:57:30 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 20

I got an anonymous tip about a DECNet virus. Milo Medin provided me
with the details. The virus exploits a well known feature in DECnet
which involves sites that leave TASK 0 running (this is the way DEC
ships it). The virus sends a HI.COM file to your default decnet
directory and then sends a command to task 0 to invoke it.

To close the hole, you need to tell NCP to "CLEAR OBJECT TASK ALL"
in your start up files as DECNET always starts this process.

If you were infected you will find HI.COM in your default decnet
directory and a process running called something like MAIL_178DZ.
You should delete the com file and kill off the process if you find them.

I don't vouch for the accuracy of the above, I am neither a DECNET nor
a VMS lover.

-Ron

I apologize for all those who are sane enough to run TCP-IP rather than
DECNET for having to see this, but it seemed like the most rapid distribution
system I could find.