TUCoPS :: Antique Systems :: ciacb07.txt

CIAC # B07 BITNET Worm (VM/CMS)



        _____________________________________________________

             The Computer Incident Advisory Capability

                         ___  __ __    _     ___

                        /       |     / \   /

                        \___  __|__  /___\  \___

        _____________________________________________________

                         Information Bulletin                      



                             BITNET Worm



November 5, 1990, 0800 PST                                  Number B-7



PROBLEM:  Self-replicating code (worm) on external BITNET RSCS systems

PLATFORM: IBM VM/CMS 

DAMAGE: May flood the mail queue of the infected computers

IMMUNIZATION:  RSCS filter program available from IBM at no cost

                      Critical BITNET Worm Facts



CIAC has been informed of a slow spreading worm on the external BITNET*

network that has affected IBM mainframe systems running the VM/CMS

operating system and the RSCS communications utility.   Preliminary

reports indicate that this worm was first detected in late October, and

that it spread for approximately one day.  The worm does not appear to

be spreading at this time, and we are aware of fewer than a dozen

systems penetrated by this worm so far.  This worm is readily

identified by its characteristics and poor coding style.  This bulletin

is to advise you that this worm may be released again sometime in the

future, possibly once the many coding errors that prevented a wider

spread are corrected.   This bulletin is also to inform you about a

filter program available from IBM to prevent against this and similar

security threats.



CHARACTERISTICS



The worm was initially named "TERM MODULE" and consisted of a REXX

program that displayed user nicknames on the user's screen.  It was

apparently modified to additionally perform the following functions:



a.  It attempts to copy itself to all users listed in the NAMES file of

the user executing the code.  Due to programming errors, this will be

effective for only about 50% of the user names.



b.  It sends a copy of the "ALL NOTEBOOK" back to the user.  This is

not necessarily harmful, but may fill up spool space on the affected

machine.



DETECTION



The worm is easily identified when it is run by displaying a

"pretty-printed" copy of the names file to the user's display

terminal.  (There is an IBM function designed to print a copy of a

user's names file in a more easily readable format, a "pretty-printed"

format.)  Since the IBM TERM command does not include this

functionality, this will be an easily identified anomaly.  In addition,

it must be EXECUTED by the user in order to replicate, specifically,

the user must must receive the worm file from the reader application

and then either type the command "EXEC TERM" or accidently execute the

code from the CP TERMINAL command.



COUNTERMEASURES



Sites running VM/CMS should install and use the RSCS filter program

(available free from IBM).  This filter program is called the selective

file filter, and was announced in the IBM VM Software Newsletter (WSC

Flash 9013).  Contact your local IBM representative for details.  This

program can scan for file names or file types, then place them into the

punch queue for later identification and analysis.  As a minimum level

of protection, all files with the name and type of "TERM MODULE"

should be examined prior to receipt by the user.  Sites which do not

routinely transmit compiled REXX code may wish to wildcard the filename

and scan for all files with a filetype of MODULE.  This may help to

protect against future versions of the worm that might have a different

file name.



It is EXTREMELY DOUBTFUL that the worm could execute on an MVS system.

Therefore, sites running the MVS operating system should not be

affected, even if they support the REXX language.  These sites,

however, may begin seeing copies of the worm (which should not execute)

if MVS users routinely receive files from affected machines.



We recommend that you also notify users that they should not receive

and execute any program without first browsing it or discussing its

operation with the sender.  The VM/CMS reader is designed to prevent

problems associated with executing unfamiliar programs, and should be

used for this purpose.  If you receive an unknown file with a filetype

of EXEC or MODULE,  immediately contact your computer security officer

for information and assistance.  Please also notify CIAC, as we wish to

track any spread of this worm.



For additional information or assistance, please contact CIAC



        Thomas A. Longstaff

        (415) 423-4416 or (FTS) 543-4416



        or call (415) 422-8193 or (FTS) 532-8193



        send FAX messages to:  (415) 423-0913 or (FTS) 543-0913

___

 * BITNET is a communications network among universities and industries 

around the world.



Jim Molini of Computer Sciences Corporation supplied much of the

information contained in this bulletin.  Neither the United States

Government nor the University of California nor any of their employees,

makes any warranty,  expressed or implied, or assumes any legal

liability or responsibility for the accuracy, completeness, or

usefulness of any information, product, or process disclosed, or

represents that its use would not infringe privately owned rights.

Reference herein to any specific commercial products, process, or

service by trade name, trademark manufacturer, or otherwise, does not

necessarily constitute or imply its endorsement, recommendation, or

favoring by the United States Government or the University of

California.  The views and opinions of authors expressed herein do not

necessarily state or reflect those of the United States Government nor

the University of California, and shall not be used for advertising or

product endorsement purposes.




TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH