| Alias: | --- |
| Strain: | --- |
| detected when: | February 1994 |
| where: | CMSUG-L mailing-list |
| Classification: | Chain Letter (aka Rabbit) |
| Length: | 1. As NETDATA file (in the virtual reader): 74 Records 2. On disk: RECFM is V, LRECL is 79, size is 124 records. |
Preconditions | |
| Operating System(s): | CMS (under VM/SP, VM/XA, or VM/ESA) + RXFS package (by Tom W |
| Version/Release: | presumably Rel. 3, and up; tested with VM/SP Release 5, Serv |
| Computer model(s): | IBM Mainframes, and Compatibles |
| Caroname: | Ramadan |
Attributes | |
| Easy identification: | 1. Program comes in a file named RAMA EXEC. 2. Source lines 1 through 6 contain, in a box, the following comment: NAME: MSS. DATE: 6 FEB 1994 AUTHOR: Ehssan Abuzaid FUNCTION: Display GOOD Morning message to my .... 3. Source lines 13 through 36 assign a crude image of a mosque to REXX variables l.1, l.2, etc.; line 21, in particular, reads: l.9= ' ||| H A P P Y rrrrrrrrrrrr R A M A D A N |
Type of Infection: | |
| Infection Technique: | |
| Infection Trigger: | |
| Storage Media affected: | Bitnet/EARN/Netnorth) |
| Interrupts hooked: | |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: Any file named RAMA EXEC A will be erased. Transient Damage: A crude image of a mosque will be displayed (each line in a different colour); after the Enter key is hit, the following message (the typos are authentic) enters the screen, line by line, from the left: Dear Users ; I would like to take this apportinuty to wish all of you the best of R A M A D A N and GOD be with you, and I wish you good luck in your study, or in your work. BY the way, we are here to help you in your computer work So do not hasitate and feel free to call us. etc. Side effects: Network jams are possible due to processing multiple copies of RAMA EXEC. |
| Damage Trigger: | Permanent Damage: Running the EXEC (as above). Transient Damage: Running the EXEC (as above). |
| Particularities: | RAMA EXEC is coded rather awkwardly, and sloppily, in particular: 1. When the RXFS package is not accessible via any of the standard function packages (RXUSERFN, RXLOCFN, or RXSYSFN), message DMSREX478E will be issued, and RAMA EXEC will be aborted with RC=20043. 2. When the program is renamed, it will still try to propagate a file named RAMA EXEC, and subsequently erase it. 3. The CMS Sendfile command that RAMA exploits accepts only RSCS addresses (such as RZOTTO@DKNKURZ1); hence, a user located in Bitnet will propagate the file to Bitnet addresses, but not to Internet addresses -- not even to an Internet style Bitnet address (such as RZOTTO@DKNKURZ1.Bitnet). 4. RAMA EXEC contains code to supply the local node name to abbreviated RSCS addresses (such as RZOTTO); however, due to a bug, it will append the words VIA RSCS, and the current date, to the node name it inserts. Due to the resulting syntax error, no file will be sent to the abbreviated address. 5. During the propagation phase, CMSTYPE HT is in effect; hence the error messages caused by items 3 through 5, above, are invisible. 6. RAMA will consume any lines present in the Program Stack. |
| Similarities: | Initial comments strongly resemble Ronald Page's BOOGIE EXEC (part of RXFS PACKAGE, as distributed by LISTSERV@DEARN.Bitnet). Propagation method resembles ZT EXEC; however, ZT uses the CMS Punch, rather than the Sendfile, command. |
Agents | |
| Countermeasures: | Sysadmins should include RAMA EXEC in their RSCS filters. |
| Standard means: | Users should purge, or erase, RAMA EXEC rather than running it. |
Acknowledgements | |
| Location: | Rechenzentrum der Universit |
| Classification by: | Otto Stolz |
| Documentation by: | Otto Stolz |
| Date: | 1994-02-15 |
| Information Source: | Analysis, and test runs, of RAMA EXEC. VIRUS-L logs pertaini |
(c) 1996 Virus-Test-Center, University of Hamburg