------------------------------

From: Wes Morgan
Subject: Re: IBM mainframe trojan repost
Date: Mon, 8 Oct 90 10:44:54 EDT

********************************************************************
***  CuD #2.07: File 2 of 8: From the Mailbag                    ***
********************************************************************

Re: "And a Merry Christmas to All?"
>
>An almost identical version of the IBM Christmas virus that infected
>thousands of computers on IBM's internal mail in December 1987 has
>reportedly been posted on the Bitnet network.

In reality, the CHRISTMA EXEC was reposted to *Usenet*, not Bitnet.
While some Bitnet sites are part of the Usenet, they are by no means
one network. In addition, the original CHRISTMA EXEC incident involved
the entire Bitnet, not just IBM's internal mail system. By the way, it
would have been far more accurate to refer to CHRISTMA EXEC as a trojan,
rather than a virus........

>The virus puts a tree and
>seasonal greeting message on the screen of infected computers and is known
>to replicate wildly, shutting down computers.

Its method of replication is to send copies of itself to every entry
in the user's NAMES files; Unix users can think of NAMES as an alias
file. It does NOT infect entire systems; it only acts on the virtual
machine of the user who executes it.

>No word of any infections,
>however. Bitnet connects computers at more than 200 universities as well
>as to the Earn network in Europe, the entry point of the original virus.

I don't think we'll see much more of this one. It was posted to a
low-volume newsgroup on Usenet. A reader of that newsgroup would also
require access to a BITNET site in order to implement the trojan. Note
that the file MUST be sent via SENDFILE; the headers placed on electronic
mail render it useless unless someone strips off the headers and
executes it.

>IBM was forced to shut down its 350,000-terminal network for nearly three
>days to get rid of the virus.

True enough; I strongly suspect that most RSCS handlers now look for and
eliminate any files named CHRISTMA EXEC........8)

A word of warning: IBM users should be extremely cautious of *ANY* EXEC
that simply appears in their reader. I have heard reports of several
variations on this theme; anyone with a good knowledge of CP and CMS
can imagine some nasty possibilities.

+++++++
The opinions expressed above are not those of UKECC unless so noted.
Wes Morgan                   \   {rutgers,rayssd,uunet}!ukma!ukecc!morgan
University of Kentucky       \   or morgan@engr.uky.edu
Engineering Computing Center \   or morgan%engr.uky.edu@UKCC.BITNET

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************