Strain:Father Christmas (HI.COM)
detected when:16-October-1989
where:NASA, USA


Operating System(s):VMS systems
Computer model(s):VAX (DEC)


Easy identification:Of the worm: a quick check for infection is to look for a process name starting with "NETW_". Of the dropped virus: any modified file will contain the line: $ oldsyso=f$trnlnm("SYS$OUTPUT")

Type of Infection:

Once the worm has successfully intruded into one host system, it infects .COM files and creates new security vulnerabilities. It broadcasts these vulnerabilities to the outside world.

Infection Technique:The worm tries to attack NASA via VAX/VMS systems connected to DECnet. It may spread to other systems such as DOE's HEPnet. The worm targets only DEC VMS systems (not DEC UNIX, ULTRIX etc.) and can only be propagated via DECnet protocols, not via TCP/IP protocols. If a VMS system had other network connections, the worm didn't take advantage of those connections.
Infection Trigger:
Storage Media affected:all mounted directories to which the owner of the worm process has full access rights (rwed)
Interrupts hooked:The worm exploits two features of DECnet/VMS in order to propagate itself:
(1) Attacking Identity: the default DECnet account. This is a facility for users who don't have a specific login ID for a machine to provide some degree of anonymous access. The worm uses the default DECnet account to copy itself to a machine, and then uses the "TASK 0" feature of DECnet to invoke the remote copy.
(2) Attacking Authenticity: attacking passwords. It has several other features, including a brute force attack on passwords.
Oligo/Polymorphism:
* creates a new account
* spreads to other systems via DECnet
* serious security holes are left open by this worm.
(Description of the WANK worm by R. Kevin Oberman, of Lawrence Livermore National Laboratory)
1) The worm assures that it is working in a directory to which the owner has full access rights (Read, Write, Execute, Delete).
2) The program then changes the default DECnet account password to a random string of at least 12 characters.
3) Information on the password used to access the system is mailed to the user GEMTOP on SPAN node 6.59. Some versions of the worm may have a different address.
4) The process changes its name to "NETW_" followed by a random number.
5) The worm then scans the account's logical name table for command procedures and tries to modify the FIELD account to a known password with login from any source and all privileges.
6) It proceeds to attempt to access other systems by picking node numbers at random. It then uses PHONE to get a list of active users on the remote system. It proceeds to irritate them by using PHONE to ring them.
7) The worm then tries to access the RIGHTSLIST.DAT file and attempts to access some remote system using the users found and a list of 'standard' users included within the worm. It looks for passwords which are the same as that of the account or are blank. It records all such accounts.
8) It looks for an account that has access to SYSUAF.DAT.
9) If a privileged account is found, the program is copied to that account and started. If no privileged account was found, it is copied to other accounts found on the random system.
10) As soon as it finishes with a system, it picks another random system and repeats (forever).
Encoding Method:The worm looks for a process whose name begins with the five characters "NETW_". If such a process is found, it deletes itself (the file) and stops its process.
Damage:The worm may damage files, either unintentionally or otherwise. It wastes resources and may result in denial of service by locking out privileged users or by causing non-infected nodes to consume disk space storing all the audit records from the failed access attempts. It then checks whether it has SYSNAM privileges. If so, it defines the system announcement message (SYS$ANNOUNCE) to be the banner carried in the program. The banner is an ASCII-art block (the drawing is not reproduced here); its text reads:
    W O R M   A G A I N S T   N U C L E A R   K I L L E R S
    Your System Has Been Officially WANKed
    You talk of times of peace for all, and then prpare for war.
If it has SYSPRV privileges, it disables mail to the SYSTEM account. If it has SYSPRV privileges, it also modifies the system login command procedure to 'appear' to delete all of a user's files. (It really does nothing.)
Damage Trigger:The privileges of the running process will cause a specific activity
Similarities:The WANK worm is very similar to the HI.COM (or Father Christmas) worm. Known Versions: At least two versions of this worm exist, and more may be created.


Countermeasures:
* On 16th October 1989 CIAC (the Computer Incident Advisory Capability) distributed an advisory notice with a DCL program that would block the current version of the worm (NETW_BLOCK). On 17th October 1989 CERT/CC (Computer Emergency Response Team) distributed a CERT advisory with a correction of this DCL program.
* Check all passwords. Make sure that all accounts have a password and that the passwords are not the account name.
* If the operating system is VMS V5.x, get a copy of SYS$UPDATE:NETCONFIG_UPDATE.COM from a V5.2 system and run it.
* If the operating system is V4.x, change the username and password for the network object "FAL".
* Scan the system for the dropped virus.
* Change the FIELD account.
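The two identification checks given under "Easy identification" (a process name starting with "NETW_", and the signature line the dropped virus leaves in modified .COM files), as an added detection script that is not part of this catalogue entry nor of the CIAC/CERT programs; it runs over constructed sample data, and the column layout of the process listing and the .COM file contents are assumptions.

```python
import re

# Indicators taken from the catalogue entry: the worm's process-name prefix
# and the line the dropped virus adds to every .COM file it modifies.
WORM_PROCESS_PREFIX = "NETW_"
VIRUS_SIGNATURE = '$ oldsyso=f$trnlnm("SYS$OUTPUT")'

# Constructed sample of a SHOW SYSTEM-style listing (PID, process name, state,
# priority). The column layout is an assumption; only the first two are used.
SAMPLE_SHOW_SYSTEM = """\
 Pid      Process Name    State  Pri
 00000021 SWAPPER         HIB     16
 00000105 NETW_1734       CUR      4
 00000106 NETW_BLOCK      HIB      4
 00000107 SMITH           LEF      4
"""

# Constructed sample .COM files; LOGIN.COM carries the virus signature line
# with different spacing and case, which DCL treats as equivalent.
SAMPLE_COM_FILES = {
    "LOGIN.COM": '$ set noon\n$ OLDSYSO = F$TRNLNM("SYS$OUTPUT")\n$ define sys$output nl:\n',
    "BACKUP.COM": '$ backup/log [...] mka500:\n',
}

def find_worm_processes(show_system_output):
    """Return (hits, blockers): hits are (pid, name) pairs whose name starts
    with NETW_; the CIAC blocking program is itself called NETW_BLOCK and
    would match the prefix, so it is reported in a separate list."""
    hits, blockers = [], []
    for line in show_system_output.splitlines()[1:]:   # skip header row
        parts = line.split()
        if len(parts) < 2:
            continue
        pid, name = parts[0], parts[1]
        if name.startswith(WORM_PROCESS_PREFIX):
            (blockers if name == "NETW_BLOCK" else hits).append((pid, name))
    return hits, blockers

def _canonical(dcl_line):
    # DCL is case-insensitive and ignores spacing around "="; compare on a
    # whitespace-free upper-case form so reformatted copies are still caught.
    return re.sub(r"\s+", "", dcl_line).upper()

def find_infected_com_files(com_files):
    """com_files maps file name -> text; return names containing the signature."""
    target = _canonical(VIRUS_SIGNATURE)
    return sorted(name for name, text in com_files.items()
                  if any(target in _canonical(l) for l in text.splitlines()))

if __name__ == "__main__":
    print("worm processes / blockers:", find_worm_processes(SAMPLE_SHOW_SYSTEM))
    print("infected .COM files:", find_infected_com_files(SAMPLE_COM_FILES))
```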
Standard means:


Location:Virus Test Center, University of Hamburg, Germany
Classification by:Wolfram Schmidt
Documentation by:Wolfram Schmidt
Information Source:(1) CIAC advisory notice, 16-October-1989 (2) CERT Advisory,

(c) 1996 Virus-Test-Center, University of Hamburg