Hello BITNET, GULFNET, EARN ... and whatever network will read this !
First, I am very very sorry for cross-posting this e-mail BUT this has
been discussed on all of the lists mentioned above. So, I wanted all to
read my words about this topic.
 
There was alot of talking about MADONA MODULE lately, its source, what
does it do, WHY WE DO NOT PUNISH ..... ? , HOW TO PUNISH THEM ?, cut
lines, remove some guys from routing tables,...etc.
 
LADIES and GENTLEMEN, I kept quite till now. I was questioning my users,
searching their files and their back-up for the source of this module.
I found it TODAY ! This is a portion of a backed up netlog file of one of
my users.
 
File MADONA   MODULE   A1 recv from ROQUE    at BRLNCC   on 01/29/94 07:29:39
 
Since some guys in Bitnet received this module from this node, they
immediately came to a CONCLUSION that we invented this harmful module !
They themselves forgot who first invented XMAS EXEC. It was spread last
Xmas 1993 BUT I did not hear or read all this noise about it then. All I
read then is a couple of warnings "Please do not run it". Of course, this
XMAS EXEC is an old one and been spreaded several years and under several
names like CHRISTMA EXEC in 1989. But this time, from Gulfnet came MOHD,
VIPER, RAMA, and lately EID. Now, I see everybody talking about this worm !
Yes, lets cut some links. Lets pull some from routing tables.
 
 
I am sorry to talk too much this time, but I was really SHOCKED when reading
some postings on some lists, like :
 
>Date:         Wed, 16 Feb 1994 15:20:12 LCL
>Sender:       VM Utilities Discussion List <[log in to unmask]>
>From:         Hernan Lobos M <[log in to unmask]>
>Organization: Universidad de Chile, Sistemas CEC
>Subject:      other vm virus....
>Comments: cc: [log in to unmask], [log in to unmask]
>
>  PLEASE, warning with 'MADONNA MODULE' this is other troyan horse...
>equal to XTMAS...  Warning with this module.
>
>  mmhhhÙ the origin is of Saudi Arabi. (SAUPM00)
>
>  and this is a single EXEC 'compiled' to module with the old
>REXXCOMP.
>
>Hernan.
 ======================================================================= 22
>Date:         Wed, 16 Feb 1994 07:44:06 PST
>Sender:       LISTSERV give-and-take forum <[log in to unmask]>
>From:         Dave Gomberg <[log in to unmask]>
>Subject:      Re: MADONA MODULE
>
>You know, if the Saudis can't clean up their act, we could just pull them
>from our routing tables.  They would get pretty tired after a few weeks
>of only being able to send and no replies.
>
>Dave Gomberg, role model for those who don't ask much in their fantasy lives.
>GOMBERG@UCSFVM           Internet node UCSFVM.UCSF.EDU     fax-> (415)731-7797
>For info on West Coast Live send email to [log in to unmask]
 ======================================================================= 34
 
My questions now are:
CAN SOMEONE OUT THERE EXPLAIN WHAT IS THE MEANING OF THE ABOVE POSTINGS ?
What do you mean by "clean up their act" ?
What do you mean by "pull them from our routing tables" ?
Is it that simple ? is that only because some students ran some file they
do not know what does it do ? is it only Saudis do that ? What about XMAS
EXEC ? We received alot of it from BITNET, from some nodes there, why you
did not "pull them from your routing tables" ?
 
Besides, the message was written in some Portuguese Language ! If it was
an Arabic invention, why it is not in Arabic ?
Here is a guy translated the message:
 
>Date:         Thu, 17 Feb 1994 10:50:36 -0500
>Reply-To:     RSCS Discussion List <[log in to unmask]>
>From:         "R. Tordil" <[log in to unmask]>
>Subject:      Translation of MADONA MODULE message
>
>For those of you who might be wondering as I was, here is the
>translation of the screen printed by the MADONA MODULE:
>
>SI FUDEU - literally, 'yes f---ed', but interpreted 'yes, you got screwed!'
>
>URPRESA MOCADONA - Surprise ????? (Mocadona not know to the Portuguese speaker
>    I found)
>
>OS FANTASMAS ESTAO DE VOLTA -- CUIDADO!  The ghosts have returned - beware!
 
 ======================================================================= 50
>Date:         Wed, 16 Feb 1994 10:52:53 EST
>Sender:       BITNET Technical News List <[log in to unmask]>
>From:         Larry Snodgrass <[log in to unmask]>
>Subject:      Re: MADONA MODULE
>Comments: To: [log in to unmask], [log in to unmask]
>
>Here we go again.  This one seems a little more destructive.
>I'll try to get them on the phone.
>
>Larry
 
>----------------------------Original message----------------------------
>On Wed, 16 Feb 1994 08:29:14 EST Nick Laflamme said:
>>Sigh, I just found a MADONA MODULE in my RDR from a Saudi node.  I'm not
>>trying to imply that the Saudis only write trojan horses and worms, but I
>>don't feel like running this until I see source code for it. :-)
>>
>>It came from some list, but I haven't tracked down which one yet.
>>
>>Nick
>***
>* "40+ million users might all be politically incorrect,
>* but they're the users I support."
 
Larry ? Nick ?  I am not going to say more for now.
 
I am sorry again that I talked too much this time but I felt I have to
make some points clear and to remind some poeple of what they have said.
I was really shocked of what have been said out there.
 
PS..I will fly in 4 hours and be away for a couple of days (our weekend).
    I will be back on Saturday.
 
 ----------------------------------------------------------------------
 Best regards from   Iyad Abdulmajeed Al-Bukhari  [log in to unmask]
     KFUPM NAD, GULFNET NCC and Chairman of GULFNET Technical Committee
 KFUPM Box 773, Dhahran 31261, Saudi Arabia.
 Phone: (966-3) 860-3917 Off.  -------------      Fax: (966-3) 860-3955