_____________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ Information Bulletin BITNET Worm November 5, 1990, 0800 PST Number B-7 PROBLEM: Self-replicating code (worm) on external BITNET RSCS systems PLATFORM: IBM VM/CMS DAMAGE: May flood the mail queue of the infected computers IMMUNIZATION: RSCS filter program available from IBM at no cost Critical BITNET Worm Facts CIAC has been informed of a slow spreading worm on the external BITNET* network that has affected IBM mainframe systems running the VM/CMS operating system and the RSCS communications utility. Preliminary reports indicate that this worm was first detected in late October, and that it spread for approximately one day. The worm does not appear to be spreading at this time, and we are aware of fewer than a dozen systems penetrated by this worm so far. This worm is readily identified by its characteristics and poor coding style. This bulletin is to advise you that this worm may be released again sometime in the future, possibly once the many coding errors that prevented a wider spread are corrected. This bulletin is also to inform you about a filter program available from IBM to prevent against this and similar security threats. CHARACTERISTICS The worm was initially named "TERM MODULE" and consisted of a REXX program that displayed user nicknames on the user's screen. It was apparently modified to additionally perform the following functions: a. It attempts to copy itself to all users listed in the NAMES file of the user executing the code. Due to programming errors, this will be effective for only about 50% of the user names. b. It sends a copy of the "ALL NOTEBOOK" back to the user. This is not necessarily harmful, but may fill up spool space on the affected machine. DETECTION The worm is easily identified when it is run by displaying a "pretty-printed" copy of the names file to the user's display terminal. (There is an IBM function designed to print a copy of a user's names file in a more easily readable format, a "pretty-printed" format.) Since the IBM TERM command does not include this functionality, this will be an easily identified anomaly. In addition, it must be EXECUTED by the user in order to replicate, specifically, the user must must receive the worm file from the reader application and then either type the command "EXEC TERM" or accidently execute the code from the CP TERMINAL command. COUNTERMEASURES Sites running VM/CMS should install and use the RSCS filter program (available free from IBM). This filter program is called the selective file filter, and was announced in the IBM VM Software Newsletter (WSC Flash 9013). Contact your local IBM representative for details. This program can scan for file names or file types, then place them into the punch queue for later identification and analysis. As a minimum level of protection, all files with the name and type of "TERM MODULE" should be examined prior to receipt by the user. Sites which do not routinely transmit compiled REXX code may wish to wildcard the filename and scan for all files with a filetype of MODULE. This may help to protect against future versions of the worm that might have a different file name. It is EXTREMELY DOUBTFUL that the worm could execute on an MVS system. Therefore, sites running the MVS operating system should not be affected, even if they support the REXX language. These sites, however, may begin seeing copies of the worm (which should not execute) if MVS users routinely receive files from affected machines. We recommend that you also notify users that they should not receive and execute any program without first browsing it or discussing its operation with the sender. The VM/CMS reader is designed to prevent problems associated with executing unfamiliar programs, and should be used for this purpose. If you receive an unknown file with a filetype of EXEC or MODULE, immediately contact your computer security officer for information and assistance. Please also notify CIAC, as we wish to track any spread of this worm. For additional information or assistance, please contact CIAC Thomas A. Longstaff (415) 423-4416 or (FTS) 543-4416 or call (415) 422-8193 or (FTS) 532-8193 send FAX messages to: (415) 423-0913 or (FTS) 543-0913 ___ * BITNET is a communications network among universities and industries around the world. Jim Molini of Computer Sciences Corporation supplied much of the information contained in this bulletin. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.