spaf@CS.PURDUE.EDU (Gene Spafford) (10/17/89)
If you have not yet heard, another network worm incident is in progress. The following bits of information have been collected from multiple sources. I am mailing this so that people don't tie up the phone lines only to get the same information. The folks at SPAN & CERT will issue a report when more details are known.

Please refer members of the press and other callers to the SPAN NIC @ (301) 286-7251. DO NOT have them call the CERT -- the folks there are busy enough as is right now, and they won't respond to questions without a need-to-know. The folks at DEC probably won't respond either -- if you can find anyone who knows what is happening in this incident. The folks at NASA will issue formal reports when appropriate.

The story so far:

Around 4:30 this morning, a worm program was found on machines in the SPAN network. The worm is apparently similar to the worm that hit SPAN in December (on Christmas eve) in that it is spreading on Decnet and affecting VMS systems. According to a few of the people I talked with, it is not clear what the program is doing other than printing a message labelling the program as "Worms Against Nuclear Killers" and spreading to other machines. There are NO CONFIRMED reports at this time that the worm is doing damage to machines or data. If the worm is still spreading, it is spreading VERY slowly -- only about a half dozen machines have been detected as infected (so far).

All of the appropriate authorities have been notified. CERT, DEC, NASA, & various Federal agencies are involved. The problem is being examined by experts in the area, and as soon as the situation is clarified, a public report will be issued.

In the meantime, we can all help with the situation:

* DON'T PANIC -- it is limited in scope and machine type. Unless you have a Decnet link to SPAN, your machine is in no danger.
* Copies of the code are under analysis by experts, so fixes are undoubtedly on the way. If you run Decnet and installed the fixes last December, you are *probably* immune already.
* Don't call the CERT, DEC or SPAN about this -- they'll be sure to release details when they are certain enough about them to be sure that they won't cause problems.
* Refer any members of the press to the SPAN number. PLEASE be careful what you say to members of the press -- remember that the press doesn't understand the difference between DECnet, the Internet, VMS, Unix, etc, and we don't need another media scare about network invasions.

--spaf