        _____________________________________________________
             The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                          Information Bulletin

                    GAME2 MODULE "Worm" on BITNET

January 18, 1991, 1200 PST                                   Number B-12

                     Critical GAME2 MODULE Facts

PROBLEM:       Self-replicating mail message (worm) on external BITNET
               RSCS systems
PLATFORM:      IBM VM/CMS
DAMAGE:        May flood the mail queue of the infected computers
IMMUNIZATION:  RSCS filter program available from IBM (at no cost)
________________________________________________________________________

CIAC has been informed of a new self-replicating mail message currently circulating around the external BITNET. Preliminary reports indicate that this message, also known as a BITNET worm or trojan horse, has been received on a number of IBM VM/CMS systems connecting to the external BITNET.

The worm consists of a message containing a REXX module and instructions for saving and executing the module (with the name GAME2) in a user's local a: drive. When executed, this module will display a message on the screen as it sends copies of itself to each entry in the user's CMS NAMES file. Since this worm requires user initiation to spread, its rate of expansion has been limited. However, there is the potential to flood the mail queues of IBM VM/CMS systems if the worm becomes widespread. The worm is similar in nature to the BITNET worm described in CIAC bulletin B-7, and may be blocked using the same RSCS filter program described in that notice and available from IBM.

The worm was initially named "GAME2 MODULE" and consisted of a REXX program that will display several messages (such as "Please Waiting") and a simple Hello/Bye message. While these messages are displayed, the REXX code will send a copy of the GAME2 MODULE to each entry in the user's NAMES file.

COUNTERMEASURES

As mentioned in CIAC bulletin B-7, sites running VM/CMS should install and use the RSCS filter program (available free from IBM). This filter program is called the selective file filter, and was announced in the IBM VM Software Newsletter (WSC Flash 9013). Contact your local IBM representative for details. This program can scan for file names or file types, then place them into the punch queue for later identification and analysis. As a minimum level of protection, all files with the name and type of "TERM MODULE" should be examined prior to receipt by the user. Sites which do not routinely transmit compiled REXX code may wish to wildcard the filename and scan for all files with a filetype of MODULE. This may help to protect against future versions of the worm that might have a different file name.

We recommend that you also notify users that they should neither receive nor execute any program without first browsing it or discussing its operation with the sender. The VM/CMS reader is designed to prevent problems associated with executing unfamiliar programs, and should be used for this purpose. If you receive an unknown file with a filetype of EXEC or MODULE, immediately contact your computer security officer for information and assistance. Please also notify CIAC, as we wish to track any spread of this worm.

For additional information or assistance, please contact CIAC

        Thomas A. Longstaff
        (415) 423-4416 or (FTS) 543-4416

During working hours, call CIAC at (415) 422-8193 or (FTS) 532-8193. For non-working hour emergencies, call (415) 422-7222 or (FTS) 532-7222 and ask for CIAC (this is a new emergency number).

Send FAX messages to: (415) 423-0913 or (FTS) 543-0913

___
* BITNET is a communications network among industries and universities around the world.

Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.
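
The file-name and file-type screening described under COUNTERMEASURES, sketched in Python as an added example. It is not code from CIAC or IBM and does not reproduce the IBM selective file filter; the rule format, function names and sample identifiers (other than the GAME2 MODULE and TERM MODULE names) are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Hold rules as (filename pattern, filetype pattern); "*" wildcards a field.
# Assumed rule format for this sketch, not the IBM filter's own syntax.
MINIMUM_RULES = [("TERM", "MODULE")]   # the bulletin's minimum level
WILDCARD_RULES = [("*", "MODULE")]     # filename wildcarded, filetype MODULE

# Constructed sample of incoming file identifiers ("filename filetype").
# GAME3 MODULE is a hypothetical renamed copy; NOTE is malformed (no filetype).
SAMPLE_SPOOL = ["GAME2 MODULE", "term module", "REPORT SCRIPT",
                "GAME3 MODULE", "NOTE"]


def parse_file_id(file_id):
    """Split 'filename filetype', folding to upper case for comparison."""
    parts = file_id.upper().split()
    if len(parts) < 2:
        raise ValueError(f"expected 'filename filetype', got {file_id!r}")
    return parts[0], parts[1]


def matching_rule(file_id, rules):
    """Return the first rule matching the file identifier, or None."""
    fn, ft = parse_file_id(file_id)
    for fn_pat, ft_pat in rules:
        if fnmatchcase(fn, fn_pat) and fnmatchcase(ft, ft_pat):
            return (fn_pat, ft_pat)
    return None


def screen(spool, rules):
    """Partition identifiers into (held for examination, delivered)."""
    held, delivered = [], []
    for file_id in spool:
        try:
            hold = matching_rule(file_id, rules) is not None
        except ValueError:
            hold = True  # unparseable identifier: hold rather than deliver
        (held if hold else delivered).append(file_id)
    return held, delivered


if __name__ == "__main__":
    for label, rules in (("minimum", MINIMUM_RULES), ("wildcard", WILDCARD_RULES)):
        held, delivered = screen(SAMPLE_SPOOL, rules)
        print(f"{label}: held={held} delivered={delivered}")
```

With only the minimum rule, this sketch holds TERM MODULE but delivers GAME2 MODULE; the wildcarded filetype rule holds both, along with the renamed GAME3 MODULE entry.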