________________________________________________________________

THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

ADVISORY NOTICE
________________________________________________________________

Information about a new version of the "WANK" worm

October 30, 1989, 1615 PST
Number A-4

This is a follow-up bulletin to CIAC advisory notices A-2 dated October 16, 1989 and notice A-3 dated October 20, 1989. These notices informed you about the "WANK" worm attacking HEPnet and the NASA SPAN network. The previous notices contained information on obtaining tools to combat this worm. The purpose of this notice is to inform you about a new version of this worm which has already attacked over 60 sites.

The "WANK" worm is still attacking VAX/VMS systems connected via DECnet. The worm, however, has been modified somewhat. The method of attack is the same, except that this version calls its process OILZ_nnnn (where nnnn equals a random number string), instead of NETW_nnnn. Preliminary information indicates that this modified version of the worm changes passwords of any account into which it successfully enters, regardless of whether those accounts are privileged accounts.

The tools described in CIAC advisory notice A-3 are effective against both the original "WANK" version and the new "OILZ" version of the worm. These tools may still be obtained by anonymous FTP access from node ROGUE.LLNL.GOV (128.115.2.99), or from SPAN and ESnet. In addition, CIAC again recommends sound password management to counter this new threat.

If your site has been infected, if you observe unusual activity, or if you have any questions, please contact either of the following CIAC team members:

David Brown, (415) 423-9878 or FTS 543-9878
or
Gene Schultz, (415) 422-8193 or FTS 532-8193

or send electronic mail to: ciac@tiger.llnl.gov

CIAC FAX: (415) 422-4294 FTS 532-4294

This notice has been sent to the following persons:

Alexander, D. (LANL)
Allender, C. (Stone & Webster)
Baker, A. (LANL CCS)
Baker, D. (Richland Operations)
Banda, M. (UC Medical Center)
Barcysk, J. (Pinellas Area Office)
Barnes, D. (Princeton Plasma Physics)
Beck, C. (Argonne West)
Berg, T. (SAN)
Best, M.D. (Holmes & Narver)
Breault, L. (DP-34)
Brooks, S. (Boeing Petroleum)
Brown, R. (EG&G Idaho)
Bryan, F. (Naval Petroleum Reserve)
Burkmar, W. (Computer Data Systems)
Byrd, C. (Kansas City Area Office)
Clouse, B. (Chicago Operations)
Cole, C. (LLNL)
Combs, T. (Allied-Signal)
Cox, T. (Stanford Synchrotron)
Craig, J. (Morgantown Energy)
Cyganowski, W. (SAN)
D'Andrea, R. (Grand Junction)
Delmastro, A. (Pittsburgh Energy)
Diel, J. (Inhalation Toxicology Research)
Dolven, L. (Rockwell INEL)
Downing, D. (SLAC)
Duncan, R. (Computer Data Systems)
Eckerson, F. (Nevada Operations)
Edmundson, C. (KMS Fusion)
Elder, R. (Bettis)
Endler, R. (Savannah River Operations)
Faux-Burhans, D. (DP-34)
Favaron, P. (Neutron Devices)
Ference, J. (West Valley Nuclear Services)
Ferguson, C. (Alaska Power Admin.)
Fish, J. (Hanford Env't Health)
Fluckinger, J.D. (PNL)
Folkendt, S. (Sandia-Livermore)
Fraser, G. (Rocky Flats)
Fulton, J. (Westinghouse Ohio)
Furner, K. (Kaiser Hanford)
Gault, J. E. (Reynolds Electric)
Glock, T. (Pittsburgh Naval Reactors)
Gurth, R. (Westinghouse Hanford)
Haldy, J. (Pittsburgh Naval Reactors)
Hann, H. (Idaho Operations)
Hardwick, R. (SAIC)
Hercamp, A. (Bonneville Power)
Herhold, J. (EG&G Nevada)
Hileman, M. (EG&G Nevada)
Hodder, N. (GA Technologies)
Johnston, B. (PNL)
Jones, D. C. (Sandia-Albuquerque)
Jones, L. (Bonneville Power)
Kauffman, S. (Naval Reactors)
Kessler, H. R. (Albuquerque Operations)
Kilcrease, L. (MSE)
Klafke, J. (Albuquerque Operations)
Kramer, J. (Chicago Operations)
Kramer, K. (Chicago Operations)
Madden, T. (Savannah River Operations)
Marsden, L. (Westinghouse Idaho)
McGrath, J. (KMS Fusion)
Meadows, B. (SRP)
Munyon, W. (Energy Technology Eng.)
Neal, B. (Southeastern Power)
Nicolayeff, N. (Idaho Operations)
Niziol, E. (Oak Ridge Operations)
O'Doherty, R. (Solar Energy Research)
Oldis, P. (CSC)
Orton, J. (Westinghouse Hanford)
Parish, S. (Wackenhut)
Penny, S. K. (ORNL)
Pfister, J. (Fermi)
Phillips, R. E. (Albuquerque Operations)
Pielich, G. (Nuclear Fuel Services)
Pohlig, P. (BNL)
Provencher, D. (Schenectady)
Przysucha, J. (MA-24)
Purnell, R. (Southwestern Power)
Richards, J. (Computer Data Systems)
Rosenbloom, H. (LANL CCS)
Runge, L. (BNL)
Sanchez, A. (Strategic Petroleum Reserves)
Scharping, R. (Argonne)
Schumann, M. (Rocky Flats Area Office)
Shepherd, J. (DP-34)
Shoop, D. (MSE)
Sibert, P. (MA-24)
Simms, G. S. (Pantex)
Smith, B. (Boeing Petroleum)
Sohnholz, R. (WAPA)
Sorter, B. (EG&G Idaho)
Stahl, T. (Computer Data Systems)
Stevens, D. (LBL)
Stollings, C. (Martin Marietta)
Strazisar, A. (Pittsburgh Energy)
Surface, R. (Albuquerque Operations)
Terrell, R. (OSTI)
Teska, R. G. (Kansas City Area Office)
Tilton, L. (Dayton Area Office)
Troyer, J. (Argonne)
Warmoth, E. (EG&G Mound)
Watson, B. (Oak Ridge Operations)
Whyte, J. (Wackenhut)
Wilson, W. (Sandia-Livermore)
Zeilman, T. (Holmes & Narver)
Zuyus, P. (Naval Petroleum Reserves)
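
Added example, not part of the CIAC notice or its A-3 tools: a check for the two process names this notice describes (NETW_nnnn for the original worm, OILZ_nnnn for the new version) in a process listing. The listing layout, the sample rows and the reading of "nnnn" as one or more decimal digits are assumptions made for the example.

```python
import re

# Process-name patterns taken from the notice: NETW_nnnn (original worm) and
# OILZ_nnnn (new version). Assumption: "nnnn" is one or more decimal digits.
WORM_NAME = re.compile(r"^(NETW|OILZ)_(\d+)$", re.IGNORECASE)
VARIANT = {"NETW": "original WANK version", "OILZ": "new OILZ version"}

# Constructed sample input, loosely modelled on a VMS SHOW SYSTEM listing.
# Columns assumed here: PID, process name, state, priority.
SAMPLE_LISTING = """\
  Pid    Process Name    State  Pri
20200041 SWAPPER         HIB     16
20200046 NETACP          HIB     10
2020011A NETW_4312       LEF      4
2020011C OILZ_0977       COM      4
2020011F NETWORK_MON     LEF      4
20200121 OILZ_TEST       LEF      4
20200125 SMITH           LEF      4
"""


def find_worm_processes(listing):
    """Return (pid, process_name, variant) for each worm-named process."""
    hits = []
    for line in listing.splitlines():
        fields = line.split()
        # Skip the header and any line that does not start with an 8-digit hex PID.
        if len(fields) < 2 or not re.fullmatch(r"[0-9A-Fa-f]{8}", fields[0]):
            continue
        pid, name = fields[0], fields[1]
        # Anchored match: NETWORK_MON and OILZ_TEST are not reported.
        match = WORM_NAME.match(name)
        if match:
            hits.append((pid, name, VARIANT[match.group(1).upper()]))
    return hits


if __name__ == "__main__":
    for pid, name, variant in find_worm_processes(SAMPLE_LISTING):
        print(f"{pid}  {name:<12}  matches {variant} process name")
```

A match on the name alone is only an indicator; the notice also reports that the new version changes the password of any account it enters, so unexpected password changes are worth checking alongside it.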