If your site could be affected, please call CIAC for more details…

Report on the W.COM worm.

R. Kevin Oberman

Engineering Department

Lawrence Livermore National Laboratory

October 16, 1989

The following describes the action of the W.COM worm (currently based on the examination of the first two incarnations). The replication technique causes the code to be modified slightly, which indicates the source of the attack and learned information.

All analysis was done with more haste than I care for, but I believe I have all of the basic facts correct. First, a description of the program:

1. The program ensures that it is working in a directory to which the owner (itself) has full access (Read, Write, Execute, and Delete).

2. The program checks to see if another copy is still running. It looks for a process whose name begins with the 5 characters `NETW_'. If one is found, it deletes itself (the file) and stops its process.