8. If it has SYSPRV, it modifies the system login command procedure to APPEAR to delete all of a user's file. (It really does nothing.)

9. The program then scans the account's logical name table for command procedures and tries to modify the FIELD account to a known password with login from any source and all privs. This is a primitive virus, but very effective IF it should get into a privileged account.

10. It proceeds to attempt to access other systems by picking node numbers at random. It then uses PHONE to get a list of active users on the remote system. It proceeds to irritate them by using PHONE to ring them.

11. The program then tries to access the RIGHTSLIST file and attempts to access some remote system using the users found and a list of `standard' users included within the worm. It looks for passwords which are the same as that of the account or are blank. It records all such accounts.

12. It looks for an account that has access to SYSUAF.DAT.

13. If a priv. account is found, the program is copied to that account and started. If no priv. account was found, it is copied to other accounts found on the random system.

14. As soon as it finishes with a system, it picks another random system and repeats (forever).

Response:

1. The following program will block the worm. Extract the following code and execute it. It will use minimal resources. It creates a process named NETW_BLOCK which will prevent the worm from running.

Editors note: This fix will work only with this version of the worm.