Father Christmas (computer worm)


The Father Christmas worm, also known as the HI.COM VMS worm, was a computer worm that used the DECnet to attack VAX/VMS systems. It was released in December 1988. The aim of this worm was to send a Christmas greeting from "Father Christmas" from the affected system.

History

At around 17:00 EST on December 22, 1988, a worm was detected on the Space Physics Analysis Network. This was a NASA network on the DECnet Internet with many connections to other networks such as HEPnet. The majority of the computers on SPAN were VAX computers operating VAX/VMS software. The worm originated from a computer on the DECnet in Switzerland by a person using the multi-user login name PHSOLIDE. The infection was thought to have spread to more than 6,000 computer nodes.
On December 23, an email went out to warn SPAN centre managers that a worm had been released onto SPAN. The purpose of the worm was to create a file entitled "Hi.com" prior to December 24. At half past midnight on that day, it was designed to send out a message from Father Christmas to all users on the local rights database for each network. It exclusively targeted VAX/VMS systems, but it did not perform any other actions than sending that message. One recommended strategy to prevent infection at the time was to create an empty "Hi.com" file which would stop the worm from being able to create a new version of the same file. It was subsequently estimated that only 2% of infected devices launched the worm.
The Father Christmas worm had the effect of strengthening security measures on SPAN and the DECnet Internet. This was proved on January 13, 1989, when a nearly identical worm was released into the Easynet intranet. The network manager was able to quickly prevent the spread of the worm because of the exposure of the Father Christmas worm from the previous month.