Wikia

Virus Information

Christmas tree

Talk0
228pages on
this wiki
Christmas Tree
Type Mass-mailer worm
Creator
Date Discovered 1987.12.09
Place of Origin Clausthal-Zellerfeld, Germany
Source Language REXX
Platform REXX on VM
File Type(s) EXEC
Infection Length 2,479 bytes
Reported Costs

Christmas Tree was an early mass-mailing worm coded in late 1987, whose most prominent feature was an ASCII art Christmas tree. Christmas Tree was the first program to paralyse a network and hilight the need to educate computer users about the dangers of opening strange email attachments.

BehaviorEdit

The program arrives in an email with the subject line "Let this exec run and enjoy yourself!". The user must execute the program by typing christma or christmas. When executed, Christmas Tree displays an ASCII Christmas tree. It then reads the files NAMES and NETLOG, files containing the addresses of communication partners, and mails itself to every email address in them.

Bitnet nodes send a message back to the sender for every file that passes through them. Depending on how many nodes a single copy of the worm passed through until it reached its destination computer, it could generate from one to twenty messages on the sender's screen. With many copies of the worm being sent at once, hundreds of lines could be generated on a user's screen, interrupting work.

The Christmas tree looks similar to this:

               *
               *
              ***
             *****
            *******
           *********
         *************                A
            *******
          ***********                VERY
        ***************
      *******************            HAPPY
          ***********
        ***************            CHRISTMAS
      *******************
    ***********************         AND MY
        ***************
      *******************         BEST WISHES
    ***********************
  ***************************     FOR THE NEXT
            ******
            ******                    YEAR
            ******

A comment inside the Christmas Tree source code contains the comment:

  browsing this file is no fun at all
  just type CHRISTMAS from cms

The worm will not run on any systems other than VM/CMS. A computer with a REXX interpreter may be able to display the greeting, but NAMES and NETLOG are unique to the VM/CMS system, and therefore the worm will be unable to collect the contact information necessary to replicate itself.

EffectsEdit

The first known infection of Christmas Tree was reported in 1987 on December 9th. Christmas Tree made it onto the EARNet (European Academic Research Network), and from there to BITNET and finally spread to IBM's VNet electronic mail network by December 15th. On Bitnet, it was contained and mostly destroyed by December 14. IBM's VNet was paralysed on 1987.12.17 and brought to a standstill two days later, only getting rid of the worm by shutting down the network. All of the networks it spread on experienced some disruption.

In 1990, Christmas Tree resurfaced after being posted to Usenet. IBM was forced to shut down its 350,000-terminal network in order to disinfect the network.

Other FactsEdit

The worm was created by an unnamed student at the University of Clausthal in former West Germany. The creator was found at least by December 21 and barred from using his/her system. The author said that the damage was unintentional and that the program was written to send Christmas greetings to his friends.

Its status as a trojan or a worm is a subject of debate, and many people have made good cases for both sides. Those who believe it is a trojan cite the fact that it requires the user to download and run the attachment to make it replicate. One particularly interesting case says that the worm needs to send a small piece of itself like an exploit to determine if the system is hospitable or not.

Currently the Virus Encyclopedia refers to the Christmas Tree program as a worm. The fact that the worm moves from one computer to another (regardless of whether or not it needs a little prodding from the unsuspecting user) is enough to fit our definition of a worm. As for the claim that it must send a small part of itself, like some exploit code, to check if the new system is hospitable or not, just take a look at biological worms on pavement or asphalt after a rainstorm. They certainly do not check if the pavement is a hospitable place to live, or else they would not end up crisp and stuck to it. This definition is open to debate within the encyclopedia.

SourcesEdit

Ross Patterson. The Risks Digest, "Re: IBM Christmas Virus", Volume 5: Issue 80. 1987.12.21

VX Heavens, "Viruses for the "Exotic" Platforms".

Otto Stolz. VIRUS-L Digest, Volume 5, Issue 178, "Re: CHRISTMA: The "Card"! (CVP)". 1992.11.12

Bridget Rutty, -, -, Issue 195. 1992.12.02

Wes Morgan. Computer Underground Digest, Volume 2, Issue #2.07. 1990.10.15

Advertisement | Your ad here

Around Wikia's network

Random Wiki