76476.337@CompuServe.COM (Robert McClenon) (11/04/90)
A program named TERM MODULE was just identified in this magazine
as being a "worm" being distributed to VM sites on the Bitnet. I have
two comments. First, it appears that the malicious aspect to TERM is
identical to the malicious aspect to the infamous CHRISTMA EXEC. In
each case the program uses a NAMES list to disseminate copies of
itself to multiple users on the same or other nodes after it is
invoked by an unsuspecting user. Based on the description of TERM, I
would assume that it is a copy-cat based on CHRISTMA.
Second, TERM MODULE and CHRISTMA EXEC belong to a previously
unidentified subspecies of malicious programs, which are hybrids
between Trojan horses as usually defined and worms as usually defined.
Like Trojan horses, they must be invoked by an unsuspecting user to be
activated. Like worms, they propogate copies of themselves via a
network, and cause damage by clogging the network (in these cases, the
VM spool) with multiple copies of themselves. One could consider
either of them to be a Trojan horse which contains a worm as its
payload and whose malicious agenda is the release of the worm.
Stand-alone worms, such as the Morris Internet worm, rely on
vulnerabilities in the network to propogate themselves, such as by
subverting a network server or network daemon. Trojan worms rely on
invocation by an unsuspecting user. They are more dangerous than
conventional Trojan horses because they disseminate themselves without
secondary human action. They are less dangerous than stand-alone
worms because they require primary human action for activation.
Robert McClenon
Neither my employer nor anyone else paid me to say this.