[comp.virus] Worms again....

spaf@CS.PURDUE.EDU (Gene Spafford) (10/17/89)

If you have not yet heard, another network worm incident is in
progress.

The following bits of information have been collected from multiple
sources.  I am mailing this so that people don't tie up the phone
lines only to get the same information.  The folks at SPAN & CERT
will issue a report when more details are known.

Please refer members of the press and other callers to the SPAN NIC @
(301) 286-7251.  DO NOT have them call the CERT -- the folks there are
busy enough as is right now, and they won't respond to questions
without a need-to-know.  The folks at DEC probably won't respond
either -- if you can find anyone who knows what is happening in this
incident.  The folks at NASA will issue formal reports when appropriate.

The story so far:

Around 4:30 this morning, a worm program was found on machines in the
SPAN network.  The worm is apparently similar to the worm that hit
SPAN in December (on Christmas eve) in that it is spreading on Decnet
and affecting VMS systems.  According to a few of the people I talked
with, it is not clear what the program is doing other than printing a
message labelling the program as "Worms Against Nuclear Killers" and
spreading to other machines.  There are NO CONFIRMED reports at this
time that the worm is doing damage to machines or data.  If the worm
is still spreading, it is spreading VERY slowly -- only about a half
dozen machines have been detected as infected (so far).

All of the appropriate authorities have been notified.  CERT, DEC,
NASA, & various Federal agencies are involved.  The problem is being
examined by experts in the area, and as soon as the situation is
clarified, a public report will be issued.

In the meantime, we can all help with the situation:
  * DON'T PANIC -- it is limited in scope and machine type.
    Unless you have a Decnet link to SPAN, your machine is in no
    danger.
  * Copies of the code are under analysis by experts, so fixes
    are undoubtedly on the way.  If you run Decnet and installed
    the fixes last December, you are *probably* immune already.
  * Don't call the CERT, DEC or SPAN about this -- they'll be sure
    to release details when they are certain enough about them to be
    sure that they won't cause problems.
  * Refer any members of the press to the SPAN number.  PLEASE be
    careful what you say to members of the press -- remember that
    the press doesn't understand the difference between DECnet, the
    Internet, VMS, Unix, etc, and we don't need another media scare
    about network invasions.

--spaf