Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!ucsd!brian
From: brian@ucsd.EDU (Brian Kantor)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: DECNET Virus (sorry)
Summary: Ho-hum, another mail worm
Message-ID: <1339@ucsd.EDU>
Date: 26 Dec 88 06:39:55 GMT
References: <8812232057.AA02489@ron.rutgers.edu>
Reply-To: brian@ucsd.edu (Brian Kantor)
Organization: The Avant-Garde of the Now, Ltd.
Lines: 57

I received the following message last Friday; I mailed it off to the
"phage" security list and it bounced because Purdue's mailer is broken,
so I'll post it here. I hesitated to do this at first, since it's not
directly relevant and I sure didn't want to panic people into wildly
shutting down bridges and gateways again.

SPAN (Space Physics Analysis Network??) is a DECNet network, so it lacks
direct relevance to the TCP/IP list, but probably this is of at least
passing interest.

---

Date: Fri, 23 Dec 88 02:53:13 GMT
From: gkn@Sds.Sdsc.Edu (Gerard K. Newman)
Subject: SPAN WORM ALERT

Ladies and gentlemen,

Someone has loosed a worm on SPAN at this very moment. Check your
accounting files and NETSERVER.LOGs in your default DECnet accounts.
You'll find evidence of someone creating a file (HI.COM, which I am in
the process of fetching from the deleted blocks of one of them) which
propagates itself around the network.

It has hit all of the VMS machines here at SDSC today, and simply appears
to crawl around and send mail to 25097::PHISOLIDE (node 25.79, for which
I do not have a name in my DECnet database).

It will take me a few more minutes to cobble together a program to dredge
up the blocks of the command file (one of the first things it does is to
delete itself ... it also sets its process name to MAIL_178DC, so look
around for those, too). When I have it I will forward the text.

An adequate defense against the problem is:

(from the SYSTEM or other suitably privileged account):

	$ Set Default your-default-decnet-area
	$ Create HI.COM
	$ Stop/ID=0
	^Z
	$ Set File/Owner=[1,4]/Protection=(S:RWED,O:RWED,G:RE,W:RE)/Version=1 HI.COM

This information should receive the widest possible distribution.

I will forward a copy of the command file in a few minutes. Please give
me a call (# below) if you need more information.

gkn
----------------------------------------
Internet: GKN@SDS.SDSC.EDU
Bitnet:   GKN@SDSC
Span:     SDSC::GKN (27.1)
MFEnet:   GKN@SDS
USPS:     Gerard K. Newman
          San Diego Supercomputer Center
          P.O. Box 85608
          San Diego, CA 92138-5608
Phone:    619.534.5076