davidf@cs.heriot-watt.ac.uk (David.J.Ferbrache) (09/13/90)
A quick warning that an almost identical copy of the original Christmas Exec has been posted to the USENET news group Alt.hackers. The originating site path is as follows:

    rutgers->edu.utexas->edu.uwm->edu.uiuc->edu.ksu->edu.uiowa->ns-mx -> uunet

For your information I enclose a copy of a warning note submitted at the time of the original chain letter incident:

Christmas chain letter
======================

Its name was CHRISTMA EXEC. I forgot its file size, and have kept no log of it. It consisted of a single program in the REXX language, which has been available in the VM/SP operating system (for IBM mainframes) since Release 3. (The REXX language is also available under MS-DOS for IBM-PC, -XT, and -AT, and it is announced for the mainframe operating system MVS/TSO-E; but for reasons given below, I reckon the virus could reproduce itself only under VM/SP.)

The source of CHRISTMA EXEC (with REXX, there isn't any such thing as an object code file) started with a lot of say-instructions, that apparently would display a sketch of a Christmas-tree together with some good wishes on the screen. This bunch of (in fact rather boring) statements filled one and a half screens; it was followed by a half-screen-sized comment, stating roughly "Reading source-code like this is boring, rather RECEIVE this program, and just enter CHRISTMA" (the latter CMS command would have started the program).

When you actually started the thing (I didn't do it, but people told me), the program indeed displayed a Christmas-Tree and best wishes for the year to come. Then it read two files that CMS (part of VM/SP) maintains on behalf of every user. The first one is called <userid> NETLOG, and contains a log of network traffic the user has been involved in.
Here is a sample entry of my personal RZOTTO NETLOG file ("disc" meaning "discarded", and "from" pointing to the sender's address):

    File CHRISTMA EXEC A1 disc from RZBERAT1 at DKNKURZ1 on 12/16/87 14:34:44 sent as CHRISTMA EXEC A1

The NETLOG file contains similar entries for notes and files having been sent by the respective user (me, in the example).

The second one is called <userid> NAMES and contains a sort of private directory of people you are in correspondence with. Here are four sample entries of my private RZOTTO NAMES file:

    :nick.VIRUS-L :userid.VIRUS-L :node.LEHIIBM1 :notebook.VIRUS-L
                  :name.Virus Discussion List
    :nick.VIRUS :name. Owners of VIRUS-L :notebook. VIRUS-L
                  :list. KenVWyk Eshleman
    :nick.KenVWyk :userid.LUKEN :node.LEHIIBM1 :name.Ken Van Wyk
    :nick.Eshleman :userid.LUJCE :node.LEHIIBM1 :name.Jim Eshleman

CHRISTMA EXEC extracted all network addresses from these two files, and sent a copy of itself to every one of these addresses except the address from which it came to the current user (thus avoiding the ping-pong effect). The poor victim's very next experience: he received replies from thousands of BITNET nodes, telling him where the hundreds of CHRISTMA copies went. At last, CHRISTMA EXEC destroyed its own source on the user's disk.

As CHRISTMA EXEC relied on one of the two special CMS files, it probably could reproduce itself only in VM/SP systems (I don't know how networking is implemented under TSO or under MS-DOS). Furthermore, it depended on active help of the user being "infected" to reproduce itself: he had to enter two commands, RECEIVE and CHRISTMA. This active help was provoked by an appeal to people's curiosity and playfulness.

In spite of these two handicaps, CHRISTMA EXEC spread within two days, worldwide. The effect was enhanced, as some copies went to BITNET discussion lists, where they automatically were duplicated and distributed as any sensible contribution will be.
If I remember correctly (and if I can trust rumours), it originated (as a student's joke) somewhere in Germany, went through USA, and came back to our blessed country from the far east. Its severest effect was obstructing the whole network with thousands of copies of itself.

The cure was very simple: every node had to run a quickly developed program that purged every file of name CHRISTMA EXEC from the node's spooling area, the only difficulty being the distribution of this "macrophage" program through the helplessly overloaded network.

Even without this cure, CHRISTMA would probably be extinct by now, as any user seeing it for the second time would have discarded the file, remembering the traumatic experience of the first time, when he started that thing. Thus by now, BITNET is probably "immune" to this virus.

The moral of the story:

1. Read and understand programs you receive without having asked for, before you run them.
2. Think about the possible results before starting a practical joke.

------------------------------------------------------------------------------
Dave Ferbrache                      Internet   <davidf@cs.hw.ac.uk>
Dept of computer science            Janet      <davidf@uk.ac.hw.cs>
Heriot-Watt University              UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                      Telephone  +44 31-225-6465 ext 538
Edinburgh, United Kingdom           Facsimile  +44 31-220-4277
EH1 2HJ
------------------------------------------------------------------------------
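
The NETLOG entry quoted in the note is enough to scope an incident like this one from a user's own log. The following is an added example, not part of the original post or of any CMS tooling: a Python triage of NETLOG text that finds every entry for a named file, separates copies that were not discarded, and counts copies per sending node. The entry layout is inferred from the single quoted entry; the "recv" disposition and all sample lines after the first are assumptions.

```python
import re
from collections import Counter

# Layout inferred from the one NETLOG entry quoted in the post (assumption).
ENTRY = re.compile(
    r"File\s+(?P<fn>\S+)\s+(?P<ft>\S+)\s+(?P<fm>\S+)\s+(?P<disp>\w+)\s+from\s+"
    r"(?P<user>\S+)\s+at\s+(?P<node>\S+)\s+on\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"(?P<time>\d\d:\d\d:\d\d)"
)

# Constructed sample: line 1 is the post's entry with its wrapped timestamp
# rejoined; the other lines and the "recv" disposition are invented here.
SAMPLE_NETLOG = """\
File CHRISTMA EXEC A1 disc from RZBERAT1 at DKNKURZ1 on 12/16/87 14:34:44 sent as CHRISTMA EXEC A1
File REPORT SCRIPT A1 recv from USERA at NODEA on 12/15/87 09:02:10 sent as REPORT SCRIPT A1
File christma exec A1 recv from USERB at NODEB on 12/16/87 15:01:07 sent as CHRISTMA EXEC A1
File CHRISTMA EXEC A1 disc from USERC at NODEB on 12/17/87 08:20:31 sent as CHRISTMA EXEC A1
this line is damaged and does not parse
"""

def triage(netlog_text, fn="CHRISTMA", ft="EXEC"):
    """Return (hits, unparsed): entries for the named file, and lines to check by hand."""
    hits, unparsed = [], []
    for raw in netlog_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            unparsed.append(line)  # keep unreadable lines visible, never drop them
            continue
        if (m["fn"].upper(), m["ft"].upper()) == (fn, ft):
            hits.append({k: m[k].upper() if k in ("user", "node") else m[k]
                         for k in ("disp", "user", "node", "date", "time")})
    return hits, unparsed

def not_discarded(hits):
    """Copies kept rather than discarded: the recipient may have run them."""
    return [h for h in hits if h["disp"].lower() != "disc"]

def copies_by_node(hits):
    """Count copies per sending node, to see where the traffic came from."""
    return Counter(h["node"] for h in hits)

if __name__ == "__main__":
    hits, unparsed = triage(SAMPLE_NETLOG)
    print(len(hits), "copies;", len(not_discarded(hits)), "not discarded")
    print(copies_by_node(hits).most_common(), "unparsed:", len(unparsed))
```
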