bukys@cs.rochester.edu (Liudvikas Bukys) (11/04/88)
ANOTHER ASPECT OF TODAY'S VIRUS:

It attacks the finger daemon, which uses gets() to input a string. The virus sends an overlong string, which overflows the 512-byte buffer, and steps on the stack in just the right way to invoke a shell. I think it only does this (successfully) to Vaxen.

If you have source, recode the gets() to an fgets(). If you don't have source, turn off the finger daemon in /etc/inetd.conf or /etc/servers!

Liudvikas Bukys
<bukys@cs.rochester.edu>

P.S. The virus also seems to poke around with telnet, but I don't know of any holes in the telnet daemon. Maybe it only does that after it has figured out a password for an account.
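The gets()-to-fgets() change the post recommends, sketched as an added example (not part of the original post and not the fingerd source). The names read_request, sample_stream and REQ_BUF are hypothetical, and the input is constructed; the point is that fgets() caps the read at the buffer size, and the caller must still detect and discard the rest of an overlong line so it is not parsed as a second request.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF 512   /* same size as the buffer the post describes */

/* Bounded replacement for gets(buf): never writes more than `size` bytes.
 * Returns the line length, -1 on EOF or error, or -2 when the line did not
 * fit (the excess is drained and the request is rejected as a whole). */
int read_request(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';                 /* complete line, newline stripped */
    } else {
        int c = getc(in);                /* no newline seen: is more pending? */
        if (c != EOF && c != '\n') {
            while ((c = getc(in)) != EOF && c != '\n')
                ;                        /* discard the tail of the long line */
            buf[0] = '\0';
            return -2;
        }
    }
    if (n > 0 && buf[n - 1] == '\r')
        buf[--n] = '\0';                 /* network clients usually send CRLF */
    return (int)n;
}

/* Constructed sample input: `fill` bytes of 'A' followed by `tail`. */
FILE *sample_stream(size_t fill, const char *tail)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    for (size_t i = 0; i < fill; i++)
        putc('A', f);
    fputs(tail, f);
    rewind(f);
    return f;
}

int main(void)
{
    char buf[REQ_BUF];
    FILE *f = sample_stream(2000, "\nroot\r\n");  /* overlong line, then a normal one */
    if (f == NULL) return 1;
    int rc;
    while ((rc = read_request(f, buf, sizeof buf)) != -1)
        printf("rc=%d request=\"%s\"\n", rc, buf);
    fclose(f);
    return 0;
}
```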