Copy Link
Add to Bookmark
Report
CIAC B-12
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
Information Bulletin
GAME2 MODULE "Worm" on BITNET
January 18, 1991, 1200 PST Number B-12
Critical GAME2 MODULE Facts
PROBLEM: Self-replicating mail message (worm) on external BITNET RSCS systems
PLATFORM: IBM VM/CMS
DAMAGE: May flood the mail queue of the infected computers
IMMUNIZATION: RSCS filter program available from IBM (at no cost)
________________________________________________________________________
CIAC has been informed of a new self-replicating mail message
currently circulating around the external BITNET. Preliminary reports
indicate that this message, also known as a BITNET worm or trojan
horse, has been received on a number of IBM VM/CMS systems connecting
to the external BITNET. The worm consists of a message containing a
REXX module and instructions for saving and executing the module (with
the name GAME2) in a user's local a: drive. When executed, this
module will display a message on the screen as it sends copies of
itself to each entry in the user's CMS NAMES file.
Since this worm requires user initiation to spread, the rate of
expansion of this worm has been limited. However, there is the
potential to flood the mail queues of IBM VM/CMS systems if the worm
becomes widespread. The worm is similar in nature to the BITNET worm
described in CIAC bulletin B-7, and may be blocked using same RSCS
filter program described in that notice and available from IBM.
The worm was initially named "GAME2 MODULE" and consisted of a REXX
program that will display several messages (such as "Please
Waiting") and a simple Hello/Bye message. While these messages are
displayed, the REXX code will send a copy of the GAME2 MODULE to each
entry in the user's NAMES file.
COUNTERMEASURES
As mentioned in CIAC bulletin B-7, sites running VM/CMS should install
and use the RSCS filter program (available free from IBM). This
filter program is called the selective file filter, and was announced
in the IBM VM Software Newsletter (WSC Flash 9013). Contact your
local IBM representative for details. This program can scan for file
names or file types, then place them into the punch queue for later
identification and analysis. As a minimum level of protection, all
files with the name and type of "TERM MODULE" should be examined prior
to receipt by the user. Sites which do not routinely transmit
compiled REXX code may wish to wildcard the filename and scan for all
files with a filetype of MODULE. This may help to protect against
future versions of the worm that might have a different file name.
We recommend that you also notify users that they should neither
receive nor execute any program without first browsing it or
discussing its operation with the sender. The VM/CMS reader is
designed to prevent problems associated with executing unfamiliar
programs, and should be used for this purpose. If you receive an
unknown file with a filetype of EXEC or MODULE, immediately contact
your computer security officer for information and assistance. Please
also notify CIAC, as we wish to track any spread of this worm.
For additional information or assistance, please contact CIAC
Thomas A. Longstaff
(415) 423-4416 or (FTS) 543-4416
During working hours, call CIAC at (415) 422-8193 or (FTS) 532-8193.
For non-working hour emergencies , call (415) 422-7222 or (FTS)
532-7222 and ask for CIAC (this is a new emergency number) send FAX
messages to: (415) 423-0913 or (FTS) 543-0913
___
* BITNET is a communications network among industries and universities around the world.
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
CIAC BULLETINS ISSUED
SUN 386i authentication bypass vulnerability
nVIR virus alert
/dev/mem vulnerability
tftp/rwalld vulnerability
"Little Black Box" (Jerusalem) virus alert
restore/dump vulnerability
rcp/rdist vulnerability
Internet trojan horse alert
NCSA Telnet vulnerability
Columbus Day (DataCrime) virus alert
Columbus Day (DataCrime) virus alert (follow-up notice)
Internet hacker alert (notice A-1)
HEPnet/SPAN network worm alert (notice A-2)
HEPnet/SPAN network worm alert (follow-up, notice A-3)
HEPnet/SPAN network worm alert (follow-up, notice A-4)
rcp vulnerability (second vulnerability, notice A-5)
Trojan horse in Norton Utilities (notice A-6)
UNICOS vulnerability (limited distribution, notice A-7)
UNICOS problem (limited distribution, notice A-8)
WDEF virus alert (notice A-9)
PC CYBORG (AIDS) trojan horse alert (notice A-10)
Problem in the Texas Instruments D3 Process Control System (notice A-11)
DECnet hacker attack alert (notice A-12)
Vulnerability in DECODE alias (notice A-13)
Additional information on the vulnerability in the UNIX DECODE alias (notice A-14)
Virus information update (notice A-15)
Vulnerability in SUN sendmail program (notice A-16)
Eradicating WDEF using Disinfectant 1.5 or 1.6 (notice A-17)
Notice of availability of patch for SmarTerm 240 (notice A-18)
UNIX Internet Attack Advisory (notice A-19)
The Twelve Tricks Trojan Horse (notice A-20)
Additional information on Current UNIX Internet Attacks (notice A-21)
Logon Messages and Hacker/Cracker Attacks (notice A-22)
New Internet Attacks (notice A-23)
Password Problems with Unisys U5000 /etc/passwd (notice A-24)
The MDEF or Garfield Virus on Macintosh Computers (notice A-25)
A New Macintosh Trojan Horse Threat--STEROID (notice A-26)
The Disk Killer (Ogre) Virus on MS DOS Computers (notice A-27)
The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers (notice A-28)
The 4096 (4k, Stealth, IDF, etc.) Virus on MS DOS Computers (notice A-29)
Apollo Domain/OS suid_exec Problem (notice A-30)
DECnet (Wollongong) Hacker Activity (notice A-31)
SunView/SunTools selection_svc Vulnerability (notice A-32)
Virus Propagation in Novell and Other Networks (notice A-33)
End of FY90 Update (notice A-34)
Security Problems on the NeXT Operating System (notice B-1)
Unix Security Problem with Silicon Graphics Mail (notice B-2)
Threat to Computers on ESnet (notice B-3)
VMS Security Problem with ANALYZE/PROCESS_DUMP (notice B-4)
HP-UX Trusted Systems 6.5 or 7.0, Authorization Problem (notice B-5)
Additional VMS/DECnet Attacks (notice B-6)
BITNET Worm (notice B-7)
Detection/Eradication Procedures for VMSCRTL Trojan Horse (notice B-8)
Update on Internet Activity (notice B-9)
Patch for TOCCON in SunOS 4.1 and 4.1.1 Available (notice B-10)
OpenWindows 2.0 selection_svc Vulnerability (notice B-11)
GAME2 MODULE "Worm" on BITNET (notice B-12)
