[comp.virus] DIR EXEC on VM

DOUG@YSUB.BITNET (Doug Sewell) (11/26/89)

This was just posted on LSTSRV-L and several other groups - Doug
---
>Date:         Sat, 25 Nov 89 19:15:31 EDT
>Sender:       Revised LISTSERV forum <LSTSRV-L@RUTVM1>
>From:         "Juan M. Courcoul" <POSTMAST@TECMTYVM.BITNET>
>Subject:      IMPORTANT WARNING: CHRISTMA workalike on the loose on the links
>
>This is an emergency warning. As such it has been sent to several important
>lists; please excuse the multiple cross-posting.
>
>A dangerous REXX exec named DIR EXEC has been detected on our node, thanks
>to a watchful recipient. This exec purports to be able to produce a directory
>listing of the user's disks in a MS/DOS (PC) format.
>
>However, when the exec is run, it will produce the promised listing BUT it
>will also send a copy of itself to all net addresses found in the user's
>NAMES and NETLOG files.
>
>This will, of course, swamp the BITNET network in a very short time if it
>is allowed to run unchecked. Its behavior is, damagewise, identical to the
>CHRISTMA EXEC which attacked both BITNET and VNET (IBM's corporate net)
>approximately three years ago.
>
>All system operators, postmasters and people in charge: if you find the DIR
>EXEC in your system's RDR queue, flush immediately. The copy we detected has
>the following characteristics:
>
>FILENAME FILETYPE FM FORMAT LRECL       RECS     BLOCKS
>DIR      EXEC     B1 V        116        167          1
>
>The datestamp is not a reliable indicator; in two different copies found in
>our RDR queue, the date was different.
>
>Also, please post warnings on your systems, alerting your users about this
>problem.
>
>Thanks for your immediate attention to this urgent problem.
>
>Juan
>
>/-----------------------------------------------------------------------\
>  Juan M. Courcoul                  | Phone: (835) 820-0000  Ext. 4151
>  Postmaster / Listserv Coordinator |
>  Dept. of Academic Services        | Net: POSTMAST@TECMTYVM.BITNET
>  Monterrey Campus                  |      POSTMAST@TECMTYVM.mty.itesm.mx
>  Monterrey Institute of Technology |      POSTMAST@TECMTYSB.BITNET
>  Monterrey, N. L., Mexico  64849   |      POSTMAST@TECMTYSB.mty.itesm.mx
>\-----------------------------------------------------------------------/

OR776@DBNUOR1.BITNET (Carsten Zimmer) (11/27/89)

Last night I received an EXEC named 'DIR EXEC' which proposed only to
list CMS-files in a MSDOS convenient format. It does it, ok, but in
addition it also sends itself to all entries in your NAMES and NETLOG file.

It's the same story as with CHRISTMAS EXEC which last year cluttered up the
networks.

    regards, Carsten