b-12.ciac-bitnet-worm
8ab6ab93e5701e084d0bbc1e48990e47601bb3bb669455d5ecbbdd9ec45da3f8
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
Information Bulletin
GAME2 MODULE "Worm" on BITNET
January 18, 1991, 1200 PST Number B-12
Critical GAME2 MODULE Facts
PROBLEM: Self-replicating mail message (worm) on external BITNET RSCS systems
PLATFORM: IBM VM/CMS
DAMAGE: May flood the mail queue of the infected computers
IMMUNIZATION: RSCS filter program available from IBM (at no cost)
________________________________________________________________________
CIAC has been informed of a new self-replicating mail message
currently circulating around the external BITNET. Preliminary reports
indicate that this message, also known as a BITNET worm or trojan
horse, has been received on a number of IBM VM/CMS systems connecting
to the external BITNET. The worm consists of a message containing a
REXX module and instructions for saving and executing the module (with
the name GAME2) in a user's local a: drive. When executed, this
module will display a message on the screen as it sends copies of
itself to each entry in the user's CMS NAMES file.
Since this worm requires user initiation to spread, the rate of
expansion of this worm has been limited. However, there is the
potential to flood the mail queues of IBM VM/CMS systems if the worm
becomes widespread. The worm is similar in nature to the BITNET worm
described in CIAC bulletin B-7, and may be blocked using same RSCS
filter program described in that notice and available from IBM.
The worm was initially named "GAME2 MODULE" and consisted of a REXX
program that will display several messages (such as "Please
Waiting") and a simple Hello/Bye message. While these messages are
displayed, the REXX code will send a copy of the GAME2 MODULE to each
entry in the user's NAMES file.
COUNTERMEASURES
As mentioned in CIAC bulletin B-7, sites running VM/CMS should install
and use the RSCS filter program (available free from IBM). This
filter program is called the selective file filter, and was announced
in the IBM VM Software Newsletter (WSC Flash 9013). Contact your
local IBM representative for details. This program can scan for file
names or file types, then place them into the punch queue for later
identification and analysis. As a minimum level of protection, all
files with the name and type of "TERM MODULE" should be examined prior
to receipt by the user. Sites which do not routinely transmit
compiled REXX code may wish to wildcard the filename and scan for all
files with a filetype of MODULE. This may help to protect against
future versions of the worm that might have a different file name.
We recommend that you also notify users that they should neither
receive nor execute any program without first browsing it or
discussing its operation with the sender. The VM/CMS reader is
designed to prevent problems associated with executing unfamiliar
programs, and should be used for this purpose. If you receive an
unknown file with a filetype of EXEC or MODULE, immediately contact
your computer security officer for information and assistance. Please
also notify CIAC, as we wish to track any spread of this worm.
For additional information or assistance, please contact CIAC
Thomas A. Longstaff
(415) 423-4416 or (FTS) 543-4416
During working hours, call CIAC at (415) 422-8193 or (FTS) 532-8193.
For non-working hour emergencies , call (415) 422-7222 or (FTS)
532-7222 and ask for CIAC (this is a new emergency number) send FAX
messages to: (415) 423-0913 or (FTS) 543-0913
___
* BITNET is a communications network among industries and universities around the world.
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.