Christmas Tree EXEC
{{short description|First widely disruptive computer worm}}
{{Needs more citations|date=March 2021}}
{{Infobox software
| name = Christmas Tree EXEC
| screenshot =
| screenshot size =
| caption =
| other_names = CHRISTMA EXEC, CHRISTMAS EXEC
| released = December 1987
| genre = Computer worm, malware, trojan horse
| programming language = REXX
| author = Unknown Clausthal University of Technology student
| platform = IBM System/370
}}
Christmas Tree EXEC was the first widely disruptive computer worm, which paralyzed several international computer networks in December 1987.{{cite web |url=https://www.youtube.com/watch?v=kNm-b1UXGTY |archive-url=https://ghostarchive.org/varchive/youtube/20211221/kNm-b1UXGTY |archive-date=2021-12-21 |url-status=live|type=video |author=Tom Scott |author-link=Tom Scott (entertainer)|title=A Christmas Computer Bug, and the Future of Files |date=2015-12-21 |publisher=YouTube |access-date=2017-11-05}}{{cbignore}} The virus ran on the IBM VM/CMS operating system.
Written by a student at the Clausthal University of Technology in the REXX scripting language, it drew a crude Christmas tree as text graphics, then sent itself to each entry in the target's email contacts file. In this way it spread onto the European Academic Research Network (EARN), BITNET, and IBM's worldwide VNET. On all of these systems it caused massive disruption.
The core mechanism of the ILOVEYOU worm of 2000 was essentially the same as Christmas Tree, although it ran on PCs rather than mainframes, was spread over a different network, and was scripted using VBScript rather than REXX.
Operation
The program displays this message, and then forwards itself to mailbox addresses contained in the user's address file.{{cite web|url=http://vxheaven.org/exotic.php |archive-url=https://web.archive.org/web/20130806063008/http://vxheaven.org/exotic.php |url-status=dead |archive-date=2013-08-06 |title=Viruses for the 'Exotic' Platforms (VX heaven) |date=c. 2004}}
*
*
***
*****
*******
*********
************* A
*******
*********** VERY
***************
******************* HAPPY
***********
*************** CHRISTMAS
*******************
*********************** AND MY
***************
******************* BEST WISHES
***********************
*************************** FOR THE NEXT
******
****** YEAR
******
Details
The name was actually "CHRISTMA EXEC" because on IBM VM systems of the time, a file was identified by an eight character file name and an eight character file type. The customary file type for a REXX program is "EXEC" and command shells assume that file type by default. In text, the file name and file type were often written together as two words. The name of this worm is sometimes written as the more natural "CHRISTMAS EXEC" by mistake.
The worm would read the user's contact list (the CMS NAMES file), and transmit the worm to every address in it using the SENDFILE program (On these networks, one could send files per se, in addition to email; there was in fact no way to attach a file to an email). Users who received the program could see from the EXEC file type that it was an executable program, and with no history of malicious worms then existing, users would often receive the program and run it just out of curiosity. Some users would read the REXX code first and see comments at the top telling them it is a fun Christmas card for them to run. The text there went so far as to discourage the reader from trying to read the code, saying it would be more fun just to run it and see what it does.
Some versions of the worm had concealed code. The actual executable part of the worm was contained in several overly long lines (more than 80 characters) that were not visible unless the user scrolled the screen to the right. The IBM 3279 color terminal would display the Christmas tree with some blinking colored characters (asterisks) to represent tree lights.
See also
References
{{Reflist}}
Further reading
- {{cite book |first=Ralf |last=Burger |title=Computer viruses – a high tech disease |publisher=Abacus/Data Becker GmbH |year=1988 |isbn=1-55755-043-3 |page=[https://archive.org/details/computervirusesh0000burg/page/276 276] |url=https://archive.org/details/computervirusesh0000burg/page/276 |url-access=registration }}
- {{cite journal |last1=Capek| first1=P.G. |last2=Chess | first2= D.M. | last3 = White | first3 = S.R. |last4 = Fedeli | first4 = A. |title=Merry Christma: An Early Network Worm |journal=IEEE Security & Privacy |year=2003 | issue = 5 | volume = 1 | doi = 10.1109/MSECP.2003.1236232 | pages = 26–34}}
- {{cite mailing list |url=http://securitydigest.org/rutgers/mirror/pyrite.rutgers.edu/christmas.exec |title=Re: BITNET Security |date=March 4, 1988 |first=Will |last=Martin |mailing-list=Security Digest |access-date=October 30, 2008 |archive-url=https://web.archive.org/web/20060925015504/http://securitydigest.org/rutgers/mirror/pyrite.rutgers.edu/christmas.exec |archive-date=September 25, 2006 |url-status=live}}
- {{cite mailing list |url=http://catless.ncl.ac.uk/Risks/5.80.html#subj1.1 |title=Re: IBM Christmas Virus | first=Ross |last=Patterson |mailing-list=RISKS Digest |date=December 21, 1987 |access-date=October 30, 2008}}
- {{cite web|url=http://vx.netlux.org/exotic.php |title=Viruses for the "Exotic" Platforms |work=VX Heaven |date=c. 2004|archive-url=https://web.archive.org/web/20080917175424/http://vx.netlux.org/exotic.php |archive-date=September 17, 2008 |url-status=dead }}
External links
- [https://archive.today/20130903155523/http://vxheaven.org/dl/exp/CHRISTMAS Source code] (archived)
{{Hacking in the 1980s}}