JOHNSON_RJ@CUBLDR.COLORADO.EDU (Richard Johnson) (10/17/89)
PLEASE NOTIFY ALL YOUR SITES...THERE IS A WORM ON THE LOOSE WITHIN THE DECNET INTERNET

What we know:

It is called W.COM and moves by generating pseudo-random node numbers. It contains a set of default names like SYSTEM, FIELD, etc.; it gets more user names from rightslist.dat and apparently (we don't know for sure) tries username = password to gain access. It attempts to access your node via both the default DECnet account/TASK 0 and a list of 81 canned userids. If successful on your node, it will change the passwords of accounts it has broken into and attempt to start up a batch job to continue its quest.

It runs AUTHORIZE and generates a listing of your usernames. To this list, it appends 81 other userids it will try. It then tries to penetrate each account in its list using both a null password and the userid as the password. If an account is penetrated then the worm runs under the penetrated account and does the following:

 o submits a batch job to attack other nodes
 o changes the user's password
 o sends a confirmation banner to a central node

What you can do quickly to protect yourself:

 -- disable TASK 0 if you have it running
 -- make sure that the DECnet account's UAF record does not have access to BATCH
 -- make sure that the DECnet account UAF record has /PRCLM=1 set
 -- protect SYS$SYSTEM:AUTHORIZE.EXE so that WORLD has NO access
 -- Create an empty W.COM;32767 in the DECnet Default account and protect
 -- WATCH FOR PROCESSES BEGINNING WITH "NETW_"
 -- Use the "NCP> SHOW KNOWN LINKS" command to show your connections, then verify your "local users" to ensure that they are not running in BATCH mode - if so, it's a possible penetration.

*NOTE: THESE MEASURES DO NOT PROTECT AGAINST USERS WHO HAVE THEIR PASSWORDS THE SAME AS THEIR USERIDS.

More details to follow.

Ron Tencati
SPAN Security Manager
(301)286-7251
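An added detection check, not part of the advisory above, for its last two "watch" items: it parses a constructed sample of VMS SHOW SYSTEM output (where a trailing B/N/S marks a batch, network or subprocess) and flags any process whose name begins with NETW_ and any local user whose process is running in BATCH mode. The node name, PIDs, process names and the LOCAL_USERS set are all invented for the example.

```python
import re
from collections import namedtuple
# Constructed sample of VMS "SHOW SYSTEM" output; node, PIDs and names are
# invented. The trailing letter is the process mode: B = batch, N = network,
# S = subprocess; no letter means an interactive or detached process.
SAMPLE_SHOW_SYSTEM = """\
VAX/VMS V5.1  on node EXAMPL  17-OCT-1989 09:12:33.10  Uptime  3 04:11:27
  Pid    Process Name    State  Pri      I/O       CPU       Page flts  Pages
00000021 SWAPPER         HIB     16        0   0 00:00:00.12         0      0
00000026 ERRFMT          HIB      8     1231   0 00:00:01.33        89    112
0000002F NETACP          HIB     10      556   0 00:00:00.95       214    380
00000140 SMITH           LEF      4     3021   0 00:00:05.12       901    445
00000141 NETW_0231       CUR      4     2112   0 00:00:03.40       512    300   B
00000142 JONES           HIB      4      118   0 00:00:00.21       301    210   B
00000143 DECNET_SRV      LEF      4      120   0 00:00:00.18       250    190   N
"""

# Assumed set of this node's own interactive ("local") user accounts.
LOCAL_USERS = {"SMITH", "JONES"}

Proc = namedtuple("Proc", "pid name state mode")
PID_RE = re.compile(r"[0-9A-F]{8}")
MODE_FLAGS = {"B", "N", "S"}

def parse_show_system(text):
    """Return one Proc per process line; the banner and column header are
    skipped. Assumes process names contain no spaces (true for the sample)."""
    procs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not PID_RE.fullmatch(tokens[0]):
            continue
        mode = tokens[-1] if tokens[-1] in MODE_FLAGS else "I"
        procs.append(Proc(tokens[0], tokens[1].upper(), tokens[2], mode))
    return procs

def find_suspicious(procs, local_users):
    """Apply the advisory's two checks: NETW_* process names, and a local
    user whose process is running in BATCH mode."""
    findings = []
    for p in procs:
        if p.name.startswith("NETW_"):
            findings.append((p.pid, p.name, "process name begins with NETW_"))
        elif p.mode == "B" and p.name in local_users:
            findings.append((p.pid, p.name, "local user running in BATCH mode"))
    return findings

if __name__ == "__main__":
    for pid, name, why in find_suspicious(parse_show_system(SAMPLE_SHOW_SYSTEM), LOCAL_USERS):
        print(f"{pid} {name:<16} {why}")
```

On a real system the same checks apply to the output of SHOW SYSTEM captured on that node; a hit from either check is a candidate for the follow-up the advisory describes, not proof of penetration by itself.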