Path: titcca!icot32!nttlab!Nickel!okuno
From: okuno@Nickel.NTT.JP
Newsgroups: fj.junet,fj.general,ntt.general
Subject: Warning!!!! Internet is down due to Virus (In Japanese)
Message-ID: <28036677521@Nickel.NTT.JP>
Date: 4 Nov 88 02:35:52 GMT
Sender: news@nttlab.ntt.JP
Reply-To: okuno@nuesun.ntt.jp
Distribution: fj
Organization: NTT Software Laboratories
Lines: 55
Xref: titcca fj.junet:1084 fj.general:655
Posting-Front-End: TAO/ELIS Znews, Version -0.54, 30-Oct-88; Nickel.NTT.JP

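To everyone in JUNET land,

Due to a bug in sendmail SMTP, a virus has broken out and the Internet
is down. The bug fix is circulating in comp.bugs.4bsd.ucb-fixes as
V1.67 (Virus posting), so I recommend that you fix sendmail as soon as
you obtain it. Note that this article has not yet arrived at NTT. If
you need it urgently, please contact me and I will send you a FAX
copy.

Also, in JUNET, with very few exceptions, there are no links over SMTP,
so I think there is no danger of being infected by this virus.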

- Gitchang -

==================== Forwarded message ====================
From: NAOHISA TAKAHASHI <NAOHISA@NTT-20.ntt>
Subject: Disabled CSNET Connection
Message-Id: <12443735301.24.NAOHISA@NTT-20.NTT.JP>

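To all net managers,
 We received a phone call from the CSNET office about a network virus,
so I am letting you know.
 A network virus has entered MIT and BBN through the Internet, so
CSNET is also disconnecting all connections. The Internet across the
United States is unusable.
 Details will follow separately.

         Software Laboratories
         Naohisa Takahashi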

Return-Path: <tcp-ip-RELAY%sri-nic.arpa@ntt-cs-relay.ntt>
Date: Wed, 2 Nov 88 23:28:00 PST
From: "Peter E. Yee" <yee%ames.arc.nasa.gov@ntt-cs-relay.ntt>
To: mkl%sri-nic.arpa@ntt-cs-relay
Subject: Internet VIRUS alert

We are currently under attack from an Internet VIRUS.  It has hit UC Berkeley,
UC San Diego, Lawrence Livermore, Stanford, and NASA Ames.  The virus comes in
via SMTP, and then is able to attack all 4.3BSD and SUN (3.X?) machines.  It
sends a RCPT TO that requests that its data be piped through a shell.  It copies
in a program, compiles and executes it.  This program copies in VAX and SUN 
binaries that try to replicate the virus via connections to TELNETD, FTPD, 
FINGERD, RSHD, and SMTP.  The programs also appear to have DES tables in them.
They appear in /usr/tmp as files that start with the letter x.  Removing them
is not enough as they will come back in the next wave of attacks.  For now
turning off the above services seems to be the only help.  The virus is able
to take advantage of .rhosts files and hosts.equiv.  We are not certain what the
final result of the binaries is, hence the warning.

I can be contacted at (415) 642-7447.  Phil Lapsley and Kurt Pires at this
number are also conversant with the virus.  

                                                        -Peter Yee
                                                        yee@ames.arc.nasa.gov
                                                        ames!yee
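
The host-side indicators named in the alert above (files in /usr/tmp whose names start with "x", plus the .rhosts and hosts.equiv trust files it says are abused) can be collected with a short triage script. This is an added example, not part of the original posts; the default `home_root` location, the treatment of `#` as a comment, and the function names are assumptions.

```python
import os

def parse_trust_file(path):
    """Return (host, user) entries from a .rhosts or hosts.equiv style file.

    Text after '#' is treated as a comment (an assumption of this example).
    """
    entries = []
    try:
        with open(path, "r", errors="replace") as fh:
            for raw in fh:
                fields = raw.split("#", 1)[0].split()
                if fields:
                    user = fields[1] if len(fields) > 1 else None
                    entries.append((fields[0], user))
    except OSError:
        pass  # a missing or unreadable file contributes no entries
    return entries

def triage(tmp_dir="/usr/tmp", hosts_equiv="/etc/hosts.equiv", home_root="/home"):
    """Collect the indicators from the alert into one report.

    home_root is an assumption; point it at wherever accounts live on the host.
    """
    report = {"x_files": [], "trust": {}}
    # Indicator 1: regular files in tmp_dir whose names start with "x".
    if os.path.isdir(tmp_dir):
        for name in sorted(os.listdir(tmp_dir)):
            full = os.path.join(tmp_dir, name)
            if name.startswith("x") and os.path.isfile(full):
                report["x_files"].append((name, os.path.getsize(full)))
    # Indicator 2: trust entries other hosts could use to log in without a password.
    candidates = [hosts_equiv]
    if os.path.isdir(home_root):
        for user in sorted(os.listdir(home_root)):
            candidates.append(os.path.join(home_root, user, ".rhosts"))
    for path in candidates:
        entries = parse_trust_file(path)
        if entries:
            report["trust"][path] = entries
    return report

if __name__ == "__main__":
    result = triage()
    for name, size in result["x_files"]:
        print(f"suspect file: {name} ({size} bytes)")
    for path, entries in result["trust"].items():
        print(f"{path}: {len(entries)} trusted entries to review")
```

A name starting with "x" is only a lead for review, and, as the alert notes, deleting such files does not stop them from reappearing while the listed services stay reachable.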