Father Christmas


Father Christmas was an early worm that had a run through the early DECNet Internet only a few days before Christmas in 1988. It appeared less than two months after the Morris worm.





Behavior

The worm, a file named HI.COM, copies itself from one DECNET node to another. The worm on the infecting node attempts to run the copy of itself on the target node, either by Task Object 0, a program that allows task-to-task jobs to be run between two computer systems, or by using DECNET as both a username and password. If it is unable to run the copy on the target system, it will delete the HI.COM file on the target system.

If the infection is successful, HI.COM will load into memory. It will use the process name MAIL_178DC and delete the HI.COM file. The worm then sends a SYS$ANNOUNCE banner to 20597::PHSOLIDE. The worm then checks the system clock. If the date is past 1988.12.24 at 00:00 and before 00:30, it creates a list of all users on the system and sends an email to them. If it is past 00:30, the worm will simply stop executing.

The message will look something like this:

  From:   NODE::Father Christmas     24-DEC-1988  00:00
  To:  You...
  Subj:   Christmas Card.
  
  Hi,
  
  How are ya ? I had a hard time preparing all the  presents.  It
  isn't quite an easy job. I'm getting more and more letters from
  the children every year and it's not so easy to get the terrible
  Rambo-Guns, Tanks and Space Ships up here at the 
  Northpole. But now the good part is coming.  Distributing all 
  the presents with my sleigh and the deers is real fun. When I
  slide down the chimneys I often find a little present offered by
  the children, or even a little Brandy from the father.  (Yeah!) 
  Anyhow the chimneys are getting tighter and tighter every 
  year. I think I'll have to put my diet on again.  And after
  
  Christmas I've got my big holidays :-).
  
  Now stop computing and have a good time at home !!!!
  
  Merry Christmas
  and a happy New Year
  
  Your  Father Christmas

In searching for a new system to infect, Father Christmas generates a random number. If the number is 0 or anything greater than 63*1024, the worm generates a new number. When a number fitting its specifications is found, it will send a copy of HI.COM to the new target.

The worm will not replicate after 1988.12.24 00:00.
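
The indicators and timing above can be turned into a small triage helper. This is an added example, not part of the original article and not derived from the worm's code. The event record layout and sample events are constructed, and the split of a numeric DECnet Phase IV address into a 6-bit area and 10-bit node is background knowledge that the article does not state.

```python
from datetime import datetime

DROPPED_FILE = "HI.COM"                   # file name from the article
PROCESS_NAME = "MAIL_178DC"               # process name from the article
REPORT_NODE = 20597                       # node part of 20597::PHSOLIDE
MAX_CANDIDATE = 63 * 1024                 # largest random target number kept
CUTOFF = datetime(1988, 12, 24, 0, 0)     # replication ends, mailing window opens
MAIL_END = datetime(1988, 12, 24, 0, 30)  # after this the worm stops
NODE_BITS = 10  # Assumption (not in the article): 6-bit area + 10-bit node

def decode_node(number):
    """Split a numeric DECnet address into (area, node)."""
    if not 0 < number < 1 << 16:
        raise ValueError(f"not a 16-bit DECnet address: {number}")
    return number >> NODE_BITS, number & ((1 << NODE_BITS) - 1)

def is_candidate_target(number):
    """True if the worm, as described, would keep this random number."""
    return 0 < number <= MAX_CANDIDATE

def phase(ts):
    """Behaviour the article describes for a given system-clock time."""
    if ts < CUTOFF:
        return "replicating"
    return "mailing" if ts < MAIL_END else "stopped"

def triage(events):
    """Return (area.node, phase, matched indicators) for each suspicious event."""
    findings = []
    for ev in events:
        hits = []
        if ev.get("process") == PROCESS_NAME:
            hits.append("process-name")
        # VMS file specs carry a ";version" suffix; compare the bare name.
        if ev.get("file", "").upper().split(";")[0] == DROPPED_FILE:
            hits.append("dropped-file")
        if ev.get("remote") == REPORT_NODE:
            hits.append("report-node")
        if hits:
            area, node = decode_node(ev["remote"])
            findings.append((f"{area}.{node}", phase(ev["ts"]), hits))
    return findings

# Constructed sample events (hypothetical record layout, not real logs).
SAMPLE_EVENTS = [
    {"ts": datetime(1988, 12, 22, 17, 5), "remote": 6789, "file": "hi.com;1"},
    {"ts": datetime(1988, 12, 22, 17, 6), "remote": 20597, "process": "MAIL_178DC"},
    {"ts": datetime(1988, 12, 24, 0, 10), "remote": 1025, "process": "MAIL_178DC"},
    {"ts": datetime(1988, 12, 22, 17, 7), "remote": 2049, "file": "LOGIN.COM;3"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags the first three events and skips the unrelated LOGIN.COM record; the node 20597 decodes to area 20, node 117.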

Effects

The worm was only able to execute on a few systems. About 6,000 systems were reported to have received the HI.COM file, but fewer than 2% actually executed the worm.

Other Facts

Father Christmas was released at the University of Neuchatel in Switzerland on 1988.12.22 at 21:52, Swiss time (20:52 GMT, or 16:52 Eastern United States time). It reached the Goddard Space Flight Center, located in a suburb of Washington DC, around 17:00, 8 minutes after being released.

The creator was never found. Several different people had access to the account PHSOLIDE, which sent the worm. An investigation determined that all logins to the account were valid, while some coming through the terminal server were suspect. The creator likely released the worm on campus.

The .com in the HI.COM file is not the same as that of a DOS executable. A DOS .com is a binary, while .com in this case is a DCL script file.
