| Alias: | CHRISTMA.EXEC (G1/G2) Chain Letter |
| Strain: | CHRISTMA.EXEC Chain Letter |
| detected when: | 1st generation (G1) December 9, 1987 |
| where: | Spreading from University Clausthal-Zellerfeld, |
| Classification: | Chain Letter, written in Control Language "REXX" (interprete |
| Length: | REXX Code: about 102 lines/3 kBytes |
Preconditions | |
| Operating System(s): | IBM mainframe VM/CMS |
| Version/Release: | -- |
| Computer model(s): | IBM mainframes: /370, 3080/3090, ES8900, ES9000 |
| Caroname: | Christmas_Exec |
Attributes | |
| Easy identification: | The following text is placed at the start of the REXX program CHRISTMA.EXEC: Text #1: "/*********************/ /* LET THIS EXEC */ /* */ /* RUN */ /* */ /* AND */ /* */ /* ENJOY */ /* */ /* YOURSELF! */ /*********************/" Text #2: "SAY ' * ' SAY ' * ' SAY ' **** ' SAY ' ******** ' SAY ' ************ ' SAY ' **************** A' SAY ' ******** ' SAY ' ************ VERY' SAY ' **************** ' SAY ' ******************** HAPPY' SAY ' *********** ' SAY ' *************** CHRISTMAS' SAY ' ******************* ' SAY ' *********************** AND MY' SAY ' *************** ' SAY ' ******************* BEST WHISHES' SAY ' *********************** ' SAY ' *************************** FOR THE NEXT' SAY ' ****** ' SAY ' ****** YEAR' SAY ' ****** ' /* browsing this file is no fun at all just type CHRISTMAS from cms */" |
| Type of Infection: | Copying file to another user within network (not RELAY). |
| Infection Technique: | |
| Infection Trigger: | Execution of CHRISTMA.EXEC in January and December of years before 1989. |
| Storage Media affected: | Files which were sent to someone are stored in the reader of the recipient. |
| Interrupts hooked: | -- |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: No intended damage of data or programs. Transient Damage: 1) A "welcome" text and a Christmas tree are displayed on screen (see Easy Identification: text #1/#2). 2) File CHRISTMA.EXEC is sent to all addresses found in the NAMES file and to those found in the NETLOG file with the action "SENT", where it is stored in the recipient's reader. 3) System overload: as CHRISTMA.EXEC propagated rather fast, it made heavy use of memory, CPU and disk storage, thereby significantly degrading the attacked system's performance. |
| Damage Trigger: | Execution of Program CHRISTMA.EXEC in January and December of years before 1989. |
| Particularities: | 1) CHRISTMA.EXEC generation 1 (basis of this analysis) did not delete itself after execution. In international discussions, a 2nd generation of CHRISTMA.EXEC was described which deletes itself after execution. 2) Like several network attacks on other system platforms (though not all), this attack was written in a high-level interpreted system language (REXX). |
| Similarities: | Based on the methods of CHRISTMA.EXEC, a significantly changed Chain Letter, ZEBRATEL.EXEC, was detected in Greece in winter 1992/1993, but was not reported to spread widely. |
Agents | |
| Countermeasures: | Filtering software in IBM network nodes (VNET) detects the name string "CHRISTMA.EXEC" in the data area of the transfer protocol. Moreover, VNET filters generally invert the suffix EXEC to CEXE; therefore, a chain letter attack will only be successful if some user changes the file extension back to EXEC and executes the file without prior analysis. |
| Standard means: | Browse incoming file |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Wolfram Schmidt, Klaus Brunnstein |
| Documentation by: | Wolfram Schmidt, Klaus Brunnstein |
| Date: | 31-July-1993 |
| Information Source: | Reverse-Analysis of REXX code |
(c) 1996 Virus-Test-Center, University of Hamburg