JOHNSON_RJ@CUBLDR.COLORADO.EDU (Richard Johnson) (10/17/89)
PLEASE NOTIFY ALL YOUR SITES...THERE IS A WORM ON THE LOOSE WITHIN THE
DECNET INTERNET
What we know:
It is called W.COM and moves by generating pseudo random node numbers.
It contains a set of default names like SYSTEM, FIELD, etc, it gets more
user names from rightslist.dat and apparently (we don't know for sure)
tries username = password to gain access.
It attempts to access your node via both the default DECnet account/TASK 0 and
a list of 81 canned userids.
If successful on your node, it will change the passwords of accounts it
has broken into and attempt to start up a batch job to continue its quest.
It runs AUTHORIZE and generates a listing of your usernames. To this
list, it appends 81 other userids it will try. It then tries to
penetrate each account in its list using both a null password and the
userid as the password. If an account is penetrated then the worm runs
under the penetrated account and does the following:
o submits a batch job to attack other nodes
o changes the user's password
o sends a confirmation banner to a central node
What you can do quickly to protect yourself:
-- disable TASK 0 if you have it running
-- make sure that the DECnet account's UAF record does not have access to
BATCH
-- make sure that the DECnet account UAF record has /PRCLM=1 set
-- protect SYS$SYSTEM:AUTHORIZE.EXE so that WORLD has NO access
-- Create an empty W.COM;32767 in the DECnet Default account and protect
-- WATCH FOR PROCESSES BEGINNING WITH "NETW_"
-- Use "NCP> SHOW KNOWN LINKS" command to show your connections, then
verify your "local users" to ensure that they are not running in BATCH
mode - if so, it's a possible penetration.
*NOTE THESE MEASURES DO NOT PROTECT AGAINST USERS WHO HAVE THEIR PASSWORDS THE
SAME AS THEIR USERIDS.
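The measures above, collected into one DCL command procedure for a VMS system manager (an added example, not part of the original notice or of any DEC/SPAN material). It assumes the DECnet default account is named DECNET with its login directory at SYS$SYSTEM:[DECNET] (check with AUTHORIZE SHOW DECNET on your own node), that the TASK object is cleared with NCP CLEAR/PURGE OBJECT TASK, and that the procedure runs from an account holding SYSPRV and WORLD privilege.

```dcl
$! Hardening and check procedure built from the measures in this notice.
$! ASSUMPTIONS: DECnet default account = DECNET, directory SYS$SYSTEM:[DECNET];
$! run with SYSPRV and WORLD privilege. Adjust to your site before use.
$ SET NOON
$!
$! 1. Protect AUTHORIZE so WORLD has no access (stops the worm's user list).
$ SET PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD) SYS$SYSTEM:AUTHORIZE.EXE
$!
$! 2. DECnet account UAF record: no BATCH access, process limit of 1.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY DECNET /NOBATCH /PRCLM=1
EXIT
$!
$! 3. Pre-create an empty W.COM;32767 (highest version number) in the DECnet
$!    default account directory and protect it, so the worm's copy cannot win.
$ CREATE SYS$SYSTEM:[DECNET]W.COM;32767
$ SET PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) SYS$SYSTEM:[DECNET]W.COM;32767
$!
$! 4. Disable the TASK object (assumption: CLEAR + PURGE removes it from the
$!    volatile and permanent NCP databases).
$ RUN SYS$SYSTEM:NCP
CLEAR OBJECT TASK ALL
PURGE OBJECT TASK ALL
EXIT
$!
$! 5. Look for the worm's signatures: processes named NETW_* and batch jobs
$!    running under the DECnet account, which should never submit batch work.
$ CONTEXT = ""
$ FOUND = 0
$LOOP:
$   PID = F$PID(CONTEXT)
$   IF PID .EQS. "" THEN GOTO DONE
$   NAME = F$EDIT(F$GETJPI(PID,"PRCNAM"),"TRIM")
$   MODE = F$EDIT(F$GETJPI(PID,"MODE"),"TRIM")
$   USER = F$EDIT(F$GETJPI(PID,"USERNAME"),"TRIM")
$   IF F$EXTRACT(0,5,NAME) .EQS. "NETW_" .OR. -
       (MODE .EQS. "BATCH" .AND. USER .EQS. "DECNET")
$   THEN
$       WRITE SYS$OUTPUT "Suspect: ''PID' ''NAME' ''USER' ''MODE'"
$       FOUND = FOUND + 1
$   ENDIF
$   GOTO LOOP
$DONE:
$ WRITE SYS$OUTPUT "Suspect processes found: ''FOUND'"
$ EXIT
```

Step 5 only covers the two indicators named above; accounts whose password equals the userid still need to be fixed by hand with AUTHORIZE.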
More details to follow.
Ron Tencati
SPAN Security Manager
(301)286-7251