 CIAC Advisory number A-4
 ________________________________________________________________
 THE COMPUTER INCIDENT ADVISORY CAPABILITY
 
 CIAC
 
 ADVISORY    NOTICE
 ________________________________________________________________
 Information about a new version of the "WANK" worm
 
 October 30, 1989, 1615 PST
 Number A-4
 
 
 This is a follow-up bulletin to CIAC advisory notices A-2 dated
 October 16, 1989 and notice A-3 dated October 20, 1989.  These
 notices informed you about the "WANK" worm attacking HEPnet and
 the NASA SPAN network.  The previous notices contained
 information on obtaining tools to combat this worm.  The purpose
 of this notice is to inform you about a new version of this worm
 which has already attacked over 60 sites.
 
 The "WANK" worm is still attacking VAX/VMS systems connected
 via DECnet.  The worm, however, has been modified somewhat.  The
 method of attack is the same, except that this version calls its
 process OILZ_nnnn (where nnnn equals a random number string),
 instead of NETW_nnnn.  Preliminary information indicates that
 this modified version of the worm changes passwords of any
 account into which it successfully enters, regardless of whether
 those accounts are privileged accounts.
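
 A way to check a saved process listing for both process-name patterns named above, as an added example (it is not part of the CIAC notice or of the tools from notice A-3). The listing is constructed sample data; its layout, node name and PIDs are assumptions.

```python
import re

# Process-name prefixes from the advisory: NETW_nnnn (original "WANK"
# worm) and OILZ_nnnn (modified version); nnnn is a random number string.
VARIANTS = {"NETW": "WANK (original)", "OILZ": "OILZ (modified)"}
WORM_NAME = re.compile(r"^(NETW|OILZ)_(\d+)$")
# One listing row: 8-hex-digit PID, process name (may contain spaces),
# scheduling state, then the numeric priority column.
ROW = re.compile(r"^([0-9A-F]{8}) (.+?)\s+([A-Z]{3,5})\s+\d+\s")

# Constructed sample laid out like a VMS SHOW SYSTEM listing (assumed
# layout; node name, PIDs and counters are invented for this example).
SAMPLE = """\
VAX/VMS V5.2  on node EXMPL1  30-OCT-1989 16:15:02.11   Uptime  3 04:10:55
  Pid    Process Name    State  Pri      I/O       CPU       Page flts Ph.Mem
00000201 SWAPPER         HIB     16        0   0 00:00:01.12         0      0
00000206 JOB_CONTROL     HIB      8      412   0 00:00:04.90       180    310
0000022A Batch queue 1   LEF      4       77   0 00:00:00.51       112    140
00000231 OILZ_4821       COM      4     9120   0 00:03:12.40      2210    512
00000238 NETW_0917       LEF      4     3304   0 00:01:02.07      1190    402
0000023C NETWORK_17      LEF      4       10   0 00:00:00.20        90    101
"""

def find_worm_processes(listing):
    """Return one finding per process whose name matches a worm pattern."""
    findings = []
    for line in listing.splitlines():
        row = ROW.match(line)
        if not row:
            continue  # banner, column header or blank line
        pid, name, state = row.groups()
        hit = WORM_NAME.match(name)
        if hit:
            prefix = hit.group(1)
            findings.append({
                "pid": pid, "name": name, "state": state,
                "variant": VARIANTS[prefix],
                # Per the advisory, the modified version changes the password
                # of every account it enters, privileged or not.
                "passwords_changed": prefix == "OILZ",
            })
    return findings

if __name__ == "__main__":
    for finding in find_worm_processes(SAMPLE):
        print(finding)
```

 The look-alike name NETWORK_17 in the sample is not reported, because the pattern requires the prefix, an underscore and then digits only.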
 
 The tools described in CIAC advisory notice A-3 are effective
 against both the original "WANK" version and the new "OILZ"
 version of the worm.   These tools may still be obtained by
 anonymous FTP access from node ROGUE.LLNL.GOV (128.115.2.99), or
 from SPAN and ESnet.  In addition, CIAC again recommends sound
 password management to counter this new threat.
 
 If your site has been infected, if you observe unusual activity,
 or if you have any questions, please contact either of the
 following CIAC team members:
 
 David Brown, (415) 423-9878 or FTS 543-9878
 or
 Gene Schultz, (415) 422-8193 or FTS 532-8193
 
 or send electronic mail to: [email protected]
 
 CIAC FAX: (415) 422-4294 FTS 532-4294
 
 This notice has been sent to the following persons
 
 Alexander, D. (LANL)
 Allender, C. (Stone & Webster)
 Baker, A. (LANL CCS)
 Baker, D. (Richland Operations)
 Banda, M. (UC Medical Center)
 Barcysk, J. (Pinellas Area Office)
 Barnes, D. (Princeton Plasma Physics)
 Beck, C. (Argonne West)
 Berg, T. (SAN)
 Best, M.D. (Holmes & Narver)
 Breault, L. (DP-34)
 Brooks, S. (Boeing Petroleum)
 Brown, R. (EG&G Idaho)
 Bryan, F. (Naval Petroleum Reserve)
 Burkmar, W. (Computer Data Systems)
 Byrd, C. (Kansas City Area Office)
 Clouse, B. (Chicago Operations)
 Cole, C. (LLNL)
 Combs, T. (Allied-Signal)
 Cox, T. (Stanford Synchrotron)
 Craig, J. (Morgantown Energy)
 Cyganowski, W. (SAN)
 D'Andrea, R. (Grand Junction)
 Delmastro, A. (Pittsburgh Energy)
 Diel, J. (Inhalation Toxicology Research)
 Dolven, L. (Rockwell INEL)
 Downing, D. (SLAC)
 Duncan, R. (Computer Data Systems)
 Eckerson, F. (Nevada Operations)
 Edmundson, C. (KMS Fusion)
 Elder, R. (Bettis)
 Endler, R. (Savannah River Operations)
 Faux-Burhans, D. (DP-34)
 Favaron, P. (Neutron Devices)
 Ference, J. (West Valley Nuclear Services)
 Ferguson, C. (Alaska Power Admin.)
 Fish, J. (Hanford Env't Health)
 Fluckinger, J.D. (PNL)
 Folkendt, S. (Sandia-Livermore)
 Fraser, G. (Rocky Flats)
 Fulton, J. (Westinghouse Ohio)
 Furner, K. (Kaiser Hanford)
 Gault, J. E. (Reynolds Electric)
 Glock, T. (Pittsburgh Naval Reactors)
 Gurth, R. (Westinghouse Hanford)
 Haldy, J. (Pittsburgh Naval Reactors)
 Hann, H. (Idaho Operations)
 Hardwick, R. (SAIC)
 Hercamp, A. (Bonneville Power)
 Herhold, J. (EG&G Nevada)
 Hileman, M. (EG&G Nevada)
 Hodder, N. (GA Technologies)
 Johnston, B. (PNL)
 Jones, D. C. (Sandia-Albuquerque)
 Jones, L. (Bonneville Power)
 Kauffman, S. (Naval Reactors)
 Kessler, H. R. (Albuquerque Operations)
 Kilcrease, L. (MSE)
 Klafke, J. (Albuquerque Operations)
 Kramer, J. (Chicago Operations)
 Kramer, K. (Chicago Operations)
 Madden, T. (Savannah River Operations)
 Marsden, L. (Westinghouse Idaho)
 McGrath, J. (KMS Fusion)
 Meadows, B. (SRP)
 Munyon, W. (Energy Technology Eng.)
 Neal, B. (Southeastern Power)
 Nicolayeff, N. (Idaho Operations)
 Niziol, E. (Oak Ridge Operations)
 O'Doherty, R. (Solar Energy Research)
 Oldis, P. (CSC)
 Orton, J. (Westinghouse Hanford)
 Parish, S. (Wackenhut)
 Penny, S. K. (ORNL)
 Pfister, J. (Fermi)
 Phillips, R. E. (Albuquerque Operations)
 Pielich, G. (Nuclear Fuel Services)
 Pohlig, P. (BNL)
 Provencher, D. (Schenectady)
 Przysucha, J. (MA-24)
 Purnell, R. (Southwestern Power)
 Richards, J. (Computer Data Systems)
 Rosenbloom, H. (LANL CCS)
 Runge, L. (BNL)
 Sanchez, A. (Strategic Petroleum Reserves)
 Scharping, R. (Argonne)
 Schumann, M. (Rocky Flats Area Office)
 Shepherd, J. (DP-34)
 Shoop, D. (MSE)
 Sibert, P. (MA-24)
 Simms, G. S. (Pantex)
 Smith, B. (Boeing Petroleum)
 Sohnholz, R. (WAPA)
 Sorter, B. (EG&G Idaho)
 Stahl, T. (Computer Data Systems)
 Stevens, D. (LBL)
 Stollings, C. (Martin Marietta)
 Strazisar, A. (Pittsburgh Energy)
 Surface, R. (Albuquerque Operations)
 Terrell, R. (OSTI)
 Teska, R. G. (Kansas City Area Office)
 Tilton, L. (Dayton Area Office)
 Troyer, J. (Argonne)
 Warmoth, E. (EG&G Mound)
 Watson, B. (Oak Ridge Operations)
 Whyte, J. (Wackenhut)
 Wilson, W. (Sandia-Livermore)
 Zeilman, T. (Holmes & Narver)
 Zuyus, P. (Naval Petroleum Reserves)
 