The Father Christmas worm, also known as the HI.COM VMS worm, was a
computer worm
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It wi ...
that used the
DECnet
DECnet is a suite of network protocols created by Digital Equipment Corporation. Originally released in 1975 in order to connect two PDP-11 minicomputers, it evolved into one of the first peer-to-peer network architectures, thus transforming DEC ...
to attack
VAX/VMS
OpenVMS, often referred to as just VMS, is a multi-user, multiprocessing and virtual memory-based operating system. It is designed to support time-sharing, batch processing, transaction processing and workstation applications. Customers using Ope ...
systems. It was released in December 1988. The aim of this worm was to send a Christmas greeting from "
Father Christmas
Father Christmas is the traditional English name for the personification of Christmas. Although now known as a Christmas gift-bringer, and typically considered to be synonymous with Santa Claus, he was originally part of a much older and unrela ...
" from the affected system.
History
At around 17:00
EST on December 22, 1988, a worm was detected on the Space Physics Analysis Network (SPAN). This was a
NASA
The National Aeronautics and Space Administration (NASA ) is an independent agency of the US federal government responsible for the civil space program, aeronautics research, and space research.
NASA was established in 1958, succeedi ...
network on the
DECnet Internet with many connections to other networks such as
HEPnet
HEPnet or the High-Energy Physics Network is a telecommunications network for researchers in high-energy physics. It originated in the United States, but that has spread to most places involved in such research. Well-known sites include Argonne ...
. The majority of the computers on SPAN were
VAX
VAX (an acronym for Virtual Address eXtension) is a series of computers featuring a 32-bit instruction set architecture (ISA) and virtual memory that was developed and sold by Digital Equipment Corporation (DEC) in the late 20th century. The V ...
computers running the VAX/VMS
operating system
An operating system (OS) is system software that manages computer hardware, software resources, and provides common daemon (computing), services for computer programs.
Time-sharing operating systems scheduler (computing), schedule tasks for ef ...
. The worm originated from a computer on the DECnet in Switzerland by a person using the multi-user login name PHSOLIDE. The infection was thought to have spread to more than 6,000 computer nodes.
On December 23, an email went out to warn SPAN centre managers that a worm had been released onto SPAN.
[ The purpose of the worm was to create a file entitled "Hi.com" prior to December 24. At half past midnight on that day, it was designed to send out a message from Father Christmas to all users on the local rights database for each network. It exclusively targeted VAX/VMS systems,][ Nazario (2004): p. 41] but it did not perform any other actions than sending that message. One recommended strategy to prevent infection at the time was to create an empty "Hi.com" file which would stop the worm from being able to create a new version of the same file.[ Nazario (2004): p. 42] It was subsequently estimated that only 2% of infected devices launched the worm.
The Father Christmas worm had the effect of strengthening security measures on SPAN and the DECnet Internet. This was proved on January 13, 1989, when a nearly identical worm was released into the Easynet intranet. The network manager was able to quickly prevent the spread of the worm because of the exposure of the Father Christmas worm from the previous month.[ Green & Sissons (1989): p. 8]
See also
* WANK worm
Notes
References
*
*
External links
"official 'Father Christmas' Worm Report"
{{Hacking in the 1980s
Computer worms
Hacking in the 1980s