TUCoPS :: Antique Systems :: ciacc005.txt

VMS Sysman Trojan Preliminary

         _____________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                          Information Bulletin

	Preliminary Information about SYSMAN.EXE Trojan Horse

November 8, 1991, 16:00 PDT 				Number C-5

	     Critical Facts about SYSMAN.EXE Trojan Horse
_________________________________________________________________________
PROBLEM: A trojan horse program installed in several systems 
PLATFORM: VMS systems connected to DECnet.  
DAMAGE: Allows potential unauthorized privileged access; unauthorized
	changes to critical system files.
SOLUTIONS: Scan SYS$LIBRARY for executable called OBJ.EXE or check for
	modification of length of SYSMAN.EXE file; if OBJ.EXE or bogus
	SYSMAN.EXE program is found, replace with copy from original
	distribution tape, then delete OBJ.EXE
_________________________________________________________________________

CIAC has been informed of a trojan horse program found in several VMS
systems connected to the DECnet.  All affected systems identified to
date are systems connected to the European DECnet; no systems in the
DOE community or U.S.A. are known to be infected by this bogus program
at this time .  At this moment we have disassembled approximately 98
percent of the binary code, and are distributing this bulletin to
provide an interim progress report.  Although early information
provided to CIAC initially suggested that this program was a worm, we
have been unable to locate any self-proliferation routines in this
program.  It is likely that the author of this trojan horse planted
this program either by breaching a privileged account or by breaching
an unprivileged account and escalating privilege.  The intruder
renames the SYS$SYSTEM:SYSMAN.EXE image to SYS$LIBRARY:OBJ.EXE.  When
the trojan horse program is installed, the intruder replaces the
SYSMAN.EXE image with the trojan horse program.  The SYSMAN.EXE trojan
horse enables an intruder to grant privilege to an unprivileged
account, thereby allowing that intruder back door access to system
privilege.

To detect the trojan horse program, run the SYSMAN program.  After
exiting, type the command

	SHOW SYMBOL *

If the result contains a definition for the symbol OBFJ defined as
"$SYS$LIBRARY:OBJ.EXE" or if you find the file SYS$LIBRARY: OBJ.EXE
on your system, it is extremely likely that your system contains this
trojan horse.

CIAC recommends that if your system contracts the SYSMAN.EXE trojan
horse, you should save the corrupted SYSMAN image.  We request that
you send a copy of this image to CIAC, and recommend that you replace
it using the original distribution media.

For additional information or assistance, please contact CIAC:

Hal Brand				Karyn Pichnarczyk 
(510)422-0039** or	    or		(510) 422-1779** or
(FTS) 532-0039				(FTS) 532-1779
brand@addvax.llnl.gov			karyn@cheetah.llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at 
(510) 422-8193**/(FTS)532-8193.  

**Note area code has changed from 415, although the 415 area code will
work until Jan. 1992.

CIAC would like to thank the Computer Emergency Response
Team/Coordination Center and DEC for assistance in handling this
incident.  Neither the United States Government nor the University of
California nor any of their employees, makes any warranty, expressed
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe
privately owned rights.  Reference herein to any specific commercial
products, process, or service by trade name, trademark manufacturer,
or otherwise, does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the United States
Government or the University of California.  The views and opinions of
authors expressed herein do not necessarily state or reflect those of
the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH