
   program:

  

   1. The program assures that it is working in a directory to which the
   owner (itself) has full access (Read, Write, Execute, and Delete).

  

   2. The program checks to see if another copy is still running. It
   looks for a process with the first 5 characters of `NETW_'. If such is
   found, it deletes itself (the file) and stops its process.

  

   NOTE

  

   A quick check for infection is to look for a process name starting
   with `NETW_'. This may be done with a SHOW PROCESS command.

  

   3. The program then changes the default DECNET account password to a
   random string of at least 12 characters.

  

   4. Information on the password used to access the system is mailed to
   the user GEMTOP on SPAN node 6.59. Some versions may have a different
   address.11

  

   5. The process changes its name to `NETW_' followed by a random
   number.

  

   6. It then checks to see if it has SYSNAM priv. If so, it defines the
   system announcement message to be the banner in the program:

 

          W O R M S    A G A I N S T    N U C L E A R    K I L L E R S
         _______________________________________________________________
         \__  ____________  _____    ________    ____  ____   __  _____/
          \ \ \    /\    / /    / /\ \       | \ \  | |    | | / /    /
           \ \ \  /  \  / /    / /__\ \      | |\ \ | |    | |/ /    /
            \ \ \/ /\ \/ /    / ______ \     | | \ \| |    | |\ \   /
             \_\  /__\  /____/ /______\ \____| |__\ | |____| |_\ \_/
              \___________________________________________________/
               \                                                 /
                \    Your System Has Been Officically WANKed    /
                 \_____________________________________________/

 

          You talk of times of peace for all, and then prepare for war.

  

   7. If it has SYSPRV, it disables mail to the SYSTEM account.

  

   8. If it has SYSPRV, it modifies the system login command procedure to
   APPEAR to delete all of a user's files. (It really does nothing.)

  

   9. The program then scans the account's logical name table for command
   procedures and tries to modify the FIELD account to a known password
   with login from any source and all privs. This is a primitive virus,
   but very effective IF it should get into a privileged account.

  

   10. It proceeds to attempt to access other systems by picking node
   numbers at random. It then uses PHONE to get a list of active users on
   the remote system. It proceeds to irritate them by using PHONE to ring
   them.

  

   11. The program then tries to access the RIGHTSLIST file and attempts
   to access some remote system using the users found and a list of
   `standard' users included within the worm. It looks for passwords
   which are the same as that of the account or are blank. It records all