[comp.virus] Bitnet Worm spotted...

VALDIS@VTVM1.CC.VT.EDU (Valdis Kletnieks) (10/30/90)

For the joy and edification of those who track such things, I'd like to
report that a verified worm has been spotted on Bitnet.

Known Salient Points:

The filename/filetype is "TERM MODULE".  In the spool area, it is 42 records
long.  On a minidisk, it is 3 records, recfm V, lrecl 2904.  The datestamp
on the copy I received for analysis is 10/08/90 05:57

The program started as a Rexx exec to "pretty-print" the CP QUERY NAMES
command with nicknames, etc.

Some (as yet unidentified) clown then added code to do the following:
(a) it sends a copy of itself to everybody in your NAMES file
(b) It sends a copy of 'ALL NOTEBOOK' to yourself (kind of pointless..)

It was then fed into a program to convert it to MODULE format.
The MODULE is apparently just a "front end" to the Rexx interpreter -
there is no readily visible "dangerous" code. I will be completing a
disassembly of the module header shortly, but do not expect any surprises.
If I find any, I will post a followup...

Due to stylistic differences, I am convinced that the programmers for
parts (1) and (2/3) are different people.

The date on the MODULE is 10/08/90, and there haven't been many sightings
that I know of.  Apparently, it hasn't reached "critical mass" on the
network yet.

                                  Valdis Kletnieks
                                  Computer Systems Engineer
                                  Virginia Polytechnic Institute
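A small triage helper for the indicators Valdis lists (filename/filetype TERM MODULE, 42 records in the spool area). This is an added example, not code from the original post or from either poster; the listing format it parses is a constructed, simplified one (filename, filetype, origin user@node, record count, date, time), not real CMS RDRLIST output, and the sample lines are constructed. Note that the 42-record figure applies to the spool copy only; on a minidisk the same file is 3 records (recfm V, lrecl 2904), so this check is meant for reader/spool listings, not minidisk directories.

```python
"""Triage a reader/spool listing for the 'TERM MODULE' worm indicators.

Added example, not from the original post. The listing format below is a
constructed, simplified one (filename filetype origin records date time),
not actual CMS RDRLIST output.
"""
import re
from dataclasses import dataclass

# Indicators taken from the post: the spool copy is named TERM MODULE and is
# 42 records long (the minidisk copy is 3 records, so this is spool-only).
SUSPECT_NAME = ("TERM", "MODULE")
SUSPECT_SPOOL_RECORDS = 42


@dataclass
class SpoolFile:
    filename: str
    filetype: str
    origin: str      # sender as user@node
    records: int
    date: str
    time: str


# One row of the constructed listing: six whitespace-separated columns.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+@\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_listing(lines):
    """Parse constructed listing rows; skip comments, blanks and malformed rows."""
    files = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        fn, ft, origin, recs, date, time = m.groups()
        files.append(SpoolFile(fn.upper(), ft.upper(), origin, int(recs), date, time))
    return files


def triage(files):
    """Return a list of (SpoolFile, reasons) for every file matching the indicators."""
    findings = []
    for f in files:
        reasons = []
        if (f.filename, f.filetype) == SUSPECT_NAME:
            reasons.append("name matches TERM MODULE")
            if f.records == SUSPECT_SPOOL_RECORDS:
                reasons.append("record count matches reported spool size (42)")
            else:
                # Same name, different size: could be a variant or an unrelated
                # file with the same name; flag it for a look rather than ignore it.
                reasons.append(
                    f"record count {f.records} differs from reported 42; possible variant"
                )
        if reasons:
            findings.append((f, reasons))
    return findings


def senders_to_notify(findings):
    """Distinct origins of flagged files. The worm mails itself from the
    victim's own NAMES file, so each sender is most likely a victim who
    should be told to purge the file, not the author."""
    return sorted({f.origin for f, _ in findings})


# Constructed sample listing (not real spool data).
SAMPLE_LISTING = """\
# filename filetype origin        records date     time
TERM     MODULE   USER1@NODEA   42 10/28/90 14:02
PROFILE  EXEC     USER2@NODEB    7 10/27/90 09:10
TERM     MODULE   USER3@NODEC   45 10/29/90 08:33
NOTES    ALL      USER1@NODEA  120 10/28/90 14:03
""".splitlines()


if __name__ == "__main__":
    found = triage(parse_listing(SAMPLE_LISTING))
    for f, reasons in found:
        print(f"{f.filename} {f.filetype} from {f.origin} ({f.records} recs): "
              + "; ".join(reasons))
    print("notify:", ", ".join(senders_to_notify(found)))
```

The script deliberately flags name matches with a non-42 record count as well, so that a recompiled or edited copy is not silently passed over; the reason string tells the operator which case applies.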

PDS2@PSUVM.PSU.EDU (Paul D. Shan) (11/02/90)

I was unfortunate enough to execute this worm.  I still have a copy in
a very benign state so I can look at it.  I got it from someone in
Canada who in turn got it from someone in Turkey.  Fortunately I had
someone originally from Cyprus look at the program and try to decipher
some of the language in it.  It indeed is Turkish, and it says "This
EXEC shows the terminals in the terminal room and the library."  The
program seems to be copyrighted, since there is a message "(c) nihat
dinc id=oyo8904" in it.  oyo8904 is an ID which is consistent with the
UserID "structure" of TREARN.  My guess is that someone took a valid
program, hacked it to pieces, assembled/compiled it and sent it out.
Since the original language is Turkish, I also assume that the
original worm came from there.

Well, this is what my little piece of digging came up with.  Anyone
else have some evidence?

Paul D. Shan
Microcomputer and Personal Workstation Support
Center for Academic Computing
12 Willard Building
University Park, PA  16802
(814) 863-4356
PDS2@PSUVM.psu.edu