_____________________________________________________

             The Computer Incident Advisory Capability

                         ___  __ __    _     ___

                        /       |     / \   /

                        \___  __|__  /___\  \___

        _____________________________________________________

                         Information Bulletin       

                                   

                    GAME2 MODULE "Worm" on BITNET

                                   

January 18, 1991, 1200 PST                                      Number B-12



                     Critical GAME2 MODULE Facts



PROBLEM:  Self-replicating mail message (worm) on external BITNET RSCS systems

PLATFORM: IBM VM/CMS 

DAMAGE: May flood the mail queue of the infected computers

IMMUNIZATION:  RSCS filter program available from IBM (at no cost)

________________________________________________________________________



CIAC has been informed of a new self-replicating mail message

currently circulating around the external BITNET.  Preliminary reports

indicate that this message, also known as a BITNET worm or trojan

horse, has been received on a number of IBM VM/CMS systems connecting

to the external BITNET.  The worm consists of a message containing a

REXX module and instructions for saving and executing the module (with

the name GAME2) in a user's local a: drive.  When executed, this

module will display a message on the screen as it sends copies of

itself to each entry in the user's CMS NAMES file.



Since this worm requires user initiation to spread, the rate of

expansion of this worm has been limited.  However, there is the

potential to flood the mail queues of IBM VM/CMS systems if the worm

becomes widespread.  The worm is similar in nature to the BITNET worm

described in CIAC bulletin B-7, and may be blocked using same RSCS

filter program described in that notice and available from IBM.

 

The worm was initially named "GAME2 MODULE" and consisted of a REXX

program that will display several messages (such as "Please

Waiting") and a simple Hello/Bye message.  While these messages are

displayed, the REXX code will send a copy of the GAME2 MODULE to each

entry in the user's NAMES file.

  

COUNTERMEASURES



As mentioned in CIAC bulletin B-7, sites running VM/CMS should install

and use the RSCS filter program (available free from IBM).  This

filter program is called the selective file filter, and was announced

in the IBM VM Software Newsletter (WSC Flash 9013).  Contact your

local IBM representative for details.  This program can scan for file

names or file types, then place them into the punch queue for later

identification and analysis.  As a minimum level of protection, all

files with the name and type of "TERM MODULE" should be examined prior

to receipt by the user.  Sites which do not routinely transmit

compiled REXX code may wish to wildcard the filename and scan for all

files with a filetype of MODULE.  This may help to protect against

future versions of the worm that might have a different file name.



We recommend that you also notify users that they should neither

receive nor execute any program without first browsing it or

discussing its operation with the sender.  The VM/CMS reader is

designed to prevent problems associated with executing unfamiliar

programs, and should be used for this purpose.  If you receive an

unknown file with a filetype of EXEC or MODULE, immediately contact

your computer security officer for information and assistance.  Please

also notify CIAC, as we wish to track any spread of this worm.

 

For additional information or assistance, please contact CIAC



        Thomas A. Longstaff

        (415) 423-4416 or (FTS) 543-4416



During working hours, call CIAC at (415) 422-8193 or (FTS) 532-8193.

For non-working hour emergencies , call (415) 422-7222 or (FTS)

532-7222 and ask for CIAC (this is a new emergency number) send FAX

messages to: (415) 423-0913 or (FTS) 543-0913

___

* BITNET is a communications network among industries and universities around the world.   

 

Neither the United States Government nor the University of California

nor any of their employees, makes any warranty, expressed or implied,

or assumes any legal liability or responsibility for the accuracy,

completeness, or usefulness of any information, product, or process

disclosed, or represents that its use would not infringe privately

owned rights.  Reference herein to any specific commercial products,

process, or service by trade name, trademark manufacturer, or

otherwise, does not necessarily constitute or imply its endorsement,

recommendation, or favoring by the United States Government or the

University of California.  The views and opinions of authors expressed

herein do not necessarily state or reflect those of the United States

Government nor the University of California, and shall not be used for

advertising or product endorsement purposes.



CIAC BULLETINS ISSUED



SUN 386i authentication bypass vulnerability

nVIR virus alert

/dev/mem vulnerability

tftp/rwalld vulnerability

"Little Black Box" (Jerusalem) virus alert

restore/dump vulnerability

rcp/rdist vulnerability

Internet trojan horse alert

NCSA Telnet vulnerability

Columbus Day (DataCrime) virus alert

Columbus Day (DataCrime) virus alert (follow-up notice)

Internet hacker alert (notice A-1)

HEPnet/SPAN network worm alert (notice A-2)

HEPnet/SPAN network worm alert (follow-up, notice A-3)

HEPnet/SPAN network worm alert (follow-up, notice A-4)

rcp vulnerability (second vulnerability, notice A-5)

Trojan horse in Norton Utilities (notice A-6)

UNICOS vulnerability (limited distribution, notice A-7)

UNICOS problem (limited distribution, notice A-8)

WDEF virus alert (notice A-9)

PC CYBORG (AIDS) trojan horse alert (notice A-10)

Problem in the Texas Instruments D3 Process Control System  (notice A-11)

DECnet hacker attack alert (notice A-12)

Vulnerability in DECODE alias (notice A-13)

Additional information on the vulnerability in the UNIX DECODE alias  (notice A-14)

Virus information update (notice A-15)

Vulnerability in SUN sendmail program (notice A-16)

Eradicating WDEF using Disinfectant 1.5 or 1.6 (notice A-17)

Notice of availability of patch for SmarTerm 240 (notice A-18)

UNIX Internet Attack Advisory (notice A-19)

The Twelve Tricks Trojan Horse (notice A-20)

Additional information on Current UNIX Internet Attacks (notice A-21)

Logon Messages and Hacker/Cracker Attacks (notice A-22)

New Internet Attacks (notice A-23)

Password Problems with  Unisys U5000 /etc/passwd  (notice A-24)

The MDEF or Garfield Virus on Macintosh Computers (notice A-25)

A New Macintosh Trojan Horse Threat--STEROID (notice A-26)

The Disk Killer (Ogre) Virus on MS DOS Computers (notice A-27)

The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers (notice A-28)

The 4096 (4k, Stealth, IDF, etc.) Virus on MS DOS Computers (notice A-29)

Apollo Domain/OS suid_exec Problem (notice A-30)

DECnet (Wollongong) Hacker Activity (notice A-31)

SunView/SunTools selection_svc Vulnerability (notice A-32)

Virus Propagation in Novell and Other Networks (notice A-33)

End of FY90 Update (notice A-34)

Security Problems on the NeXT Operating System (notice B-1)

Unix Security Problem with Silicon Graphics Mail (notice B-2)

Threat to Computers on ESnet (notice B-3)

VMS Security Problem with ANALYZE/PROCESS_DUMP (notice B-4)

HP-UX Trusted Systems 6.5 or 7.0, Authorization Problem (notice B-5)

Additional VMS/DECnet Attacks (notice B-6)

BITNET Worm (notice B-7)

Detection/Eradication Procedures for VMSCRTL Trojan Horse (notice B-8)

Update on Internet Activity (notice B-9)

Patch for TOCCON in SunOS 4.1 and 4.1.1 Available (notice B-10)

OpenWindows 2.0 selection_svc Vulnerability  (notice B-11)

GAME2 MODULE "Worm" on BITNET (notice B-12)