VALDIS@VTVM1.CC.VT.EDU (Valdis Kletnieks) (11/06/90)
>From: Paul D. Shan <PDS2@PSUVM.PSU.EDU>
>a very benign state so I can look at it. I got it from someone in
>Canada who in turn got it from someone in Turkey. Fortunately I had
>someone originally from Cyprus look at the program and try to decipher
>some of the language in it. It indeed is Turkish, and it says "This
>EXEC shows the terminals in the terminal room and the library." The
>program seems to be copyrighted, since there is a message "(c) nihat
>dinc id=oyo8904" in it. oyo8904 is an ID which is consistent with the
>UserID "structure" of TREARN. My guess is that someone took a valid
>program, hacked it to pieces, assembled/compiled it and sent it out.
>Since the original language is Turkish, I also assume that the
>original worm came from there.

Paul: If you dig a bit more, you'll notice that the original Turkish exec and the 'worm' features are a LOT different stylistically. There is *no* evidence contained in the worm itself that it originated in Turkey.

Given the vast difference in coding styles, I would agree that somebody took a valid program and hacked it to pieces. However, saying it originated in Canada (or Japan, or Kuwait, or...) is equally as valid as saying it came from Turkey.

So far, the infection chain as I have been able to trace it is:

UREGINA1 -> PSUVM -> UICVM -> UTCVM and several other sites \--> ETSUACAD

If somebody has HARD evidence of how UREGINA1 got it, I'd be more than happy to forward it to the appropriate people.

Valdis Kletnieks
Computer Systems Engineer
Virginia Polytechnic Institute