
   The W.COM Worm affecting VAX VMS Systems


   October 16, 1989 18:37 PST                              Number A-2


   This is a mean bug to kill and could have done a lot of damage.


   Since it notifies (by mail) someone of each successful penetration and
   leaves a trapdoor (the FIELD account), just killing the bug is not
   adequate. You must go in and make sure all accounts have passwords and
   that the passwords are not the same as the account name.


   R. Kevin Oberman
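   The clean-up step the comment above insists on, checking that every account has a password and that the password is not the account name, is illustrated below. This is an added example, not part of the advisory or of Oberman's analysis: the account records are constructed, and the salted SHA-256 stand-in for the stored hash is an assumption that does not reproduce the VMS SYSUAF hashing. The check works the way a defender has to work against hashed credentials: hash the candidate (the account name) with the account's salt and compare it to the stored value, rather than comparing plaintext that the audit never sees.

```python
"""Audit account records for the two weaknesses named in the advisory:
accounts with no password, and accounts whose password equals the account
name. Records and the hashing scheme are constructed for illustration."""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str            # stored upper-cased, like VMS usernames
    salt: bytes              # per-account salt (constructed)
    pw_hash: Optional[bytes]  # None models "no password set"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 stand-in (assumption: not the real SYSUAF algorithm).

    Passwords are folded to upper case before hashing, mirroring VMS
    behaviour, so 'field' and 'FIELD' are treated as the same password.
    """
    return hashlib.sha256(salt + password.upper().encode()).digest()


def make_account(username: str, password: Optional[str],
                 salt: Optional[bytes] = None) -> Account:
    """Build a constructed record; password=None means no password set."""
    salt = salt if salt is not None else os.urandom(8)
    pw_hash = None if password is None else hash_password(password, salt)
    return Account(username.upper(), salt, pw_hash)


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Return {username: [problem, ...]} for every weak account.

    The password-equals-username test never needs the plaintext: it hashes
    the account name with the record's own salt and compares hashes.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        problems = []
        if acct.pw_hash is None:
            problems.append("no password")
        elif hash_password(acct.username, acct.salt) == acct.pw_hash:
            problems.append("password equals username")
        if problems:
            findings[acct.username] = problems
    return findings


# Constructed sample records (names and passwords are illustrative only).
SAMPLE_ACCOUNTS = [
    make_account("SYSTEM", "Correct-Horse-1989"),   # fine
    make_account("FIELD", "field"),                 # password == account name
    make_account("PAYROLL", None),                  # no password at all
    make_account("Oberman", "oBeRmAn"),             # same after case folding
    make_account("GUEST", "Visitor!7"),             # fine
]

if __name__ == "__main__":
    for user, problems in sorted(audit(SAMPLE_ACCOUNTS).items()):
        print(f"{user}: {', '.join(problems)}")
```

   Run as a script it lists FIELD, OBERMAN and PAYROLL; SYSTEM and GUEST are silent. Because the comparison is hash-against-hash with each record's own salt, the same routine can be pointed at any stored-credential format once `hash_password` is replaced by that system's real algorithm.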


   Advisory Notice


   A worm is attacking NASA's SPAN network via VAX/VMS systems connected
   to DECnet. It is unclear if the spread of the worm has been checked.
   It may spread to other systems such as DOE's HEPNET within a few days.
   VMS system managers should prepare now.


   The worm targets VMS machines, and can only be propagated via DECnet.
   The worm exploits two features of DECnet/VMS in order to propagate
   itself. The first is the default DECnet account, which is a facility
   for users who don't have a specific login ID for a machine to have
   some degree of anonymous access. It uses the default DECnet account to
   copy itself to a machine, and then uses the `TASK 0' feature of DECnet
   to invoke the remote copy. It has several other features including a
   brute force attack.


   Once the worm has successfully penetrated your system it will infect
   .COM files and create new security vulnerabilities. It then seems to
   broadcast these vulnerabilities to the outside world. It may also
   damage files, either unintentionally or otherwise.


   An analysis of the worm appears below and is provided by R. Kevin
   Oberman of Lawrence Livermore National Laboratory. Included with the
   analysis is a DCL program that will block the current version of the
   worm. At least two versions of this worm exist and more may be
   created. This program should give you enough time to close up obvious
   security holes. A more thorough DCL program is being written.


   If your site could be affected please call CIAC for more details...


   Report on the W.COM worm.

   R. Kevin Oberman
   Engineering Department
   Lawrence Livermore National Laboratory
   October 16, 1989


   The following describes the action of the W.COM worm (currently based
   on the examination of the first two incarnations). The replication
   technique causes the code to be modified slightly, which indicates the
   source of the attack and learned information.


   All analysis was done with more haste than I care for, but I believe I
   have all of the basic facts correct. First a description of the