13. If a priv. account is found, the program is copied to that account and started. If no priv. account was found, it is copied to other accounts found on the random system.
14. As soon as it finishes with a system, it picks another random system and repeats (forever).
Response:
1. The following program will block the worm. Extract the following code and execute it. It will use minimal resources. It creates a process named NETW_BLOCK which will prevent the worm from running.
Editors note: This fix will work only with this version of the worm.
Mutated worms will require modification of this code; however, this program should prevent the worm from running long enough to secure your system from the worms attacks.13
—-
McMahon's version of an anti-WANK program was also ready to go by late Monday, but he would face delays getting it out to NASA. Working inside NASA was a balancing act, a delicate ballet demanding exquisite choreography between getting the job done, following official procedures and avoiding steps which might tread on senior bureaucrats' toes. It was several days before NASA's anti-WANK program was officially released.
DOE was not without its share of problems in launching the anti-WANK program and advisory across HEPNET. At 5.04 p.m. Pacific Coast Time on 17 October, as Oberman put the final touches on the last paragraph of his final report on the worm, the floor beneath his feet began to shake. The building was trembling. Kevin Oberman was in the middle of the 1989 San Francisco earthquake.
Measuring 7.1 on the Richter scale, the Loma Prieta earthquake ripped through the greater San Francisco area with savage speed. Inside the computer lab, Oberman braced himself for the worst. Once the shaking stopped and he ascertained the computer centre was still standing, he sat back down at his terminal. With the PA blaring warnings for all non-essential personnel to leave the building immediately, Oberman rushed off the last sentence of the report. He paused and then added a postscript saying that if the paragraph didn't make sense, it was because he was a little rattled by the large earthquake which had just hit Lawrence Livermore Labs. He pressed the key, sent out his final anti-WANK report and fled the building.
Back on the east coast, the SPAN office continued to help people calling from NASA sites which had been hit. The list of sites which had reported worm-related problems grew steadily during the week. Official estimates on the scope of the WANK worm attack were vague, but trade journals such as Network World and Computerworld quoted the space agency as suffering only a small number of successful worm invasions, perhaps 60 VMS-based computers. SPAN security manager Ron Tencati estimated only 20 successful worm penetrations in the NASA part of SPAN's network, but another internal estimate put the figure much higher: 250 to 300 machines. Each of those computers might have had 100 or more users. Figures were sketchy, but virtually everyone on the network—all 270000 computer accounts—had been affected by the worm, either because their part of the network had been pulled off-line or because their machines had been harassed by the WANK worm as it tried again and again to login from an infected machine. By the end of the worm attack, the SPAN office had accumulated a list of affected sites which ran over two columns on several computer screens. Each of them had lodged some form of complaint about the worm.
Also by the end of the crisis, NASA and DOE computer network managers had their choice of vaccines, antidotes and blood tests for the WANK worm. McMahon had released ANTIWANK.COM, a program which killed the worm and vaccinated a system against further attacks, and WORM-INFO.TEXT, which provided a list of worm-infestation symptoms. Oberman's program, called [.SECURITY]CHECK_SYSTEM.COM, checked for all the security flaws used by the worm to sneak into a computer system. DEC also had a patch to cover the security hole in the DECNET account.
Whatever the real number of infected machines, the worm had certainly
circumnavigated the globe. It had reach into European sites, such as
CERN—formerly known as the European Centre for Nuclear Research—in
Switzerland, through to Goddard's computers in Maryland, on to
Fermilab in Chicago and propelled itself across the Pacific into the
Riken Accelerator Facility in Japan.14
NASA officials told the media they believed the worm had been launched
about 4.30 a.m. on Monday, 16 October.15 They also believed it had
originated in Europe, possibly in France.
Wednesday, 18 October 1989
Kennedy Space Center, Florida
The five-member Atlantis had some bad news on Wednesday morning. The weather forecasters gave the launch site a 40 per cent chance of launch guideline-violating rain and cloud. And then there was the earthquake in California.
The Kennedy Space Center wasn't the only place which had to be in tip-top working order for a launch to go ahead. The launch depended on many sites far away from Florida. These included Edwards Air Force Base in California, where the shuttle was due to land on Monday. They also included other sites, often military bases, which were essential for shuttle tracking and other mission support. One of these sites was a tracking station at Onizuka Air Force Base at Sunnyvale, California. The earthquake which ripped through the Bay area had damaged the tracking station and senior NASA decision-makers planned to meet on Wednesday morning to consider the Sunnyvale situation. Still, the space agency maintained a calm, cool exterior. Regardless of the technical problems, the court challenges and the protesters, the whimsical weather, the natural disasters, and the WANK worm, NASA was still in control of the situation.
`There's been some damage, but we don't know how much. The sense I get is it's fairly positive,' a NASA spokesman told UPI. `But there are some problems.'16 In Washington, Pentagon spokesman Rick Oborn reassured the public again, `They are going to be able to handle shuttle tracking and support for the mission … They will be able to do their job'.17
Atlantis waited, ready to go, at launchpad 39B. The technicians had filled the shuttle up with rocket fuel and it looked as if the weather might hold. It was partly cloudy, but conditions at Kennedy passed muster.
The astronauts boarded the shuttle. Everything was in place.
But while the weather was acceptable in Florida, it was causing some problems in Africa, the site of an emergency landing location. If it wasn't one thing, it was another. NASA ordered a four-minute delay.
Finally at 12.54 p.m., Atlantis boomed from its launchpad. Rising up from the Kennedy Center, streaking a trail of twin flames from its huge solid-fuel boosters, the shuttle reached above the atmosphere and into space.
At 7.15 p.m., exactly 6 hours and 21 minutes after lift-off, Galileo began its solo journey into space. And at 8.15 p.m., Galileo's booster ignited.
Inside shuttle mission control, NASA spokesman Brian Welch announced,
`The spacecraft Galileo … has achieved Earth escape velocity'.18
Monday, 30 October 1989
NASA's Goddard Space Flight Center, Greenbelt, Maryland
The week starting 16 October had been a long one for the SPAN team. They were keeping twelve-hour days and dealing with hysterical people all day long. Still, they managed to get copies of anti-WANK out, despite the limitations of the dated SPAN records and the paucity of good logs allowing them to retrace the worm's path. `What we learned that week was just how much data is not collected,' McMahon observed.
By Friday, 20 October, there were no new reports of worm attacks. It looked as though the crisis had passed. Things could be tidied up by the rest of the SPAN team and McMahon returned to his own work.
A week passed. All the while, though, McMahon was on edge. He doubted that someone who had gone to all that trouble of creating the WANK worm would let his baby be exterminated so quickly. The decoy-duck strategy only worked as long as the worm kept the same process name, and as long as it was programmed not to activate itself on systems which were already infected. Change the process name, or teach the worm to not to suicide, and the SPAN team would face another, larger problem. John McMahon had an instinct about the worm; it might just be back.
His instinct was right.
The following Monday, McMahon received another phone call from the
SPAN project office. When he poked his head in his boss's office,
Jerome Bennett looked up from his desk.
