The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #029 [Re: initial portion of virus and how to catch the rest] (1 message, 736 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/029.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: "Louis A. Mamakos" <louie@trantor.umd.edu>
To: phage
Date: Fri 12:23:44 04/11/1988 EST
Subject: Re: initial portion of virus and how to catch the rest
References: [Thread Prev: 027] [Thread Next: 033] [Message Prev: 392] [Message Next: 031]

I have a copy of the various virus files, including the qf* and df* files
from /usr/spool/mqueue during an attack.  I also have a core file of
a running '(sh)' process.  It is a very interesting thing to adb and
see what sort of stuff it is poking around at.

I have also noticed that while it is running, you will see a

	'netstat -r -n'

process running; apparently it is trying to infect all of the gateways
that you have routes to.  I suspect that it also tries sequential addresses
in your network number space; we've seen packets addressed to non-existent
addresses on our gateway backbone Pronet-80 ring.

The files are available for anonymous FTP from trantor.umd.edu as

	pub/virus.files.tar

Also, I noticed that the "Virus posting #3" from Keith Bostic got munched;
the source for fingerd has a large hole in the middle.

louie
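
As an added detection example (not part of the original post or of the archive), the Python below flags a source host that, as described in the message, sends to a run of sequential addresses in a network, some of which are not assigned to any host. The "src dst" packet records and the set of assigned addresses are constructed for the example.

```python
from collections import defaultdict
import ipaddress

# Constructed sample of gateway packet records "src dst" (not real 1988 traffic).
SAMPLE_LOG = """\
128.8.10.5 128.8.1.1
128.8.10.5 128.8.1.2
128.8.10.5 128.8.1.3
128.8.10.5 128.8.1.4
128.8.10.5 128.8.1.5
128.8.10.5 128.8.1.6
128.8.20.9 128.8.1.1
128.8.20.9 128.8.1.40
"""
# Constructed set of addresses actually assigned on the monitored segment.
ASSIGNED = {"128.8.1.1", "128.8.1.2", "128.8.1.40"}

def parse_log(text):
    """Return (src, dst) address pairs, skipping malformed lines."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        try:
            pairs.append((ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])))
        except (IndexError, ValueError):
            continue  # not two valid addresses; ignore the line
    return pairs

def longest_run(addrs):
    """Length of the longest run of numerically consecutive addresses."""
    ints = sorted(int(a) for a in addrs)
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_sweepers(pairs, assigned, min_run=4):
    """Sources with a run of >= min_run sequential targets, at least one unassigned."""
    dsts = defaultdict(set)
    for src, dst in pairs:
        dsts[src].add(dst)
    flagged = {}
    for src, targets in dsts.items():
        unassigned = sorted(str(d) for d in targets if str(d) not in assigned)
        run = longest_run(targets)
        if run >= min_run and unassigned:
            flagged[str(src)] = {"run": run, "unassigned": unassigned}
    return flagged
```

A host that only talks to a couple of known gateways (128.8.20.9 in the sample) is not flagged; the sequential sweep into unused address space is.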

END OF DOCUMENT