RFC 1135 (rfc1135) - Page 2 of 33
Helminthiasis of the Internet
Alternative Format: Original Text Document
RFC 1135 The Helminthiasis of the Internet December 1989 A "virus" is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it. In the early stages of the helminthiasis, the news media popularly cited the Internet worm to be a "virus", which was attributed to an early conclusion of some in the computer community before a specimen of the worm could be extracted and dissected. There are some computer scientists that still argue over what to call the affliction. In this RFC, we use the term, "worm". 1.1 Infection - The Worm Attacks The worm specifically and only made successful attacks on SUN workstations and VAXes running Berkeley UNIX code. The Internet worm relied on the several known access loopholes in order to propagate over networks. It relied on implementation errors in two network programs: sendmail and fingerd. Sendmail is a program that implements the Internet's electronic mail services (routing and delivery) interacting with remote sites [1, 2]. The feature in sendmail that was violated was a non- standard "debug" command. The worm propagated itself via the debug command into remote hosts. As the worm installed itself in a new host the new instance began self-replicating. Fingerd is a utility program that is intended to help remote Internet users by supplying public information about other Internet users. This can be in the form of identification of the full name of, or login name of any local user, whether or not they are logged in at the time (see the Finger Protocol [3]). Using fingerd, the worm initiated a memory overflow situation by sending too many characters for fingerd to accommodate (in the gets library routine). Upon overflowing the storage space, the worm was able to execute a small arbitrary program. Only 4.3BSD VAX machines suffered from this attack. Another of the worm's methods was to exploit the "trusted host features" often used in local networks to propagate (using rexec and rsh). It also infected machines in /etc/hosts.equiv, machines in /.rhosts, machines in cracked accounts' .forward files, machines cracked accounts' .rhosts files, machines listed as network gateways in routing tables, machines at the far end of point-to- Reynolds
