The Center for Education and Research in Information Assurance and Security, or CERIAS, is the world's foremost University center for multidisciplinary research and education in areas of information security. Our areas of research include computer, network, and communications security as well as information assurance.

This site's design is only visible in a graphical browser that supports web standards, but its content is accessible to any browser or Internet device. (Why?)

Center for Education and Research in Information Assurance and Security

COAST Security Archive Logo Category Index: /pub/doc/morris_worm

No Pointing!

This WWW page was generated automatically. Link makers should not point their links to this page. If you must, please make a link to the search entry point.

Robert Gasch, Internet Worm SUMMARY (UNIX)
Abstract: It is a short FAQ.[slightly edited] news article summarizing references to the Internet Worm.

United States General Accounting Office, United States General Accounting Office Report to the Chairman
Abstract: In November 1988, a computer program caused thousands of computers on the Internet--a multi-network system connecting over 60,000 computers nationwide and overseas--to shut down. This program, commonly referred to as a computer virus or worm, entered computers and continuously recopied itself, consuming resources and hampering network operations. Concerned about Internet security and the virus incident, the Chairman, Subcommittee on Telecommunications and Finance, House Committee on Energy and Commerce, asked GAO to -- provide an overview of the virus incident, -- examine issues relating to Internet security and vulnerabilities, and -- describe the factors affecting the prosecution of computer virus incidents.

David K. Bradley, The Worm Before Christmas
Abstract: It is funny joke about Morris Internet Worm incident.

Mark W. Eichin, Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
Abstract: In early November 1988 the Internet, a collection of networks consisting of 60,000 host computers implementing the TCP/IP protocol suite, attacked by virus, program which broke into computers on the network and which spread from one machine to another This paper is detailed analysis of the virus programitself, as well as the reactions of the besieged Internet community. We discuss the structure of the actual program, as well as the strategies the virus used to reproduce itself. We present the chronology of events as seen by our team at MIT, one of handful of groups around the country working to take apart the virus, in an attempt to discover its secrets and to learn the network' vulnerabilities. We describe the lessons that this incident has taught the Internet community and topics for future consideration and resolution. A detailed routine by routine description of the virus program including the contents of its built in dictionary is provided.

U.S. District Court, UNITED STATES of America, Appellee, v. Robert Tappan MORRIS, Defendant-Appellant.
Abstract: The written decision of the US Court of Appeals on Morris's appeal of his conviction.

J. Reynolds, The Helminthiasis of the Internet
Abstract: This memo takes a look back at the helminthiasis (infestation with, or disease caused by parasitic worms) of the Internet that was unleashed the evening of 2 November 1988. This RFC provides information about an event that occurred in the life of the Internet.

Donn Seeley, A Tour of the Worm
Abstract: On the evening of November 2, 1988, a self-replicating program was released upon the Internet. This program (a worm) invaded VAX and Sun-3 computers running versions of Berkeley UNIX, and used their resources to attack still more computers. Within the space of hours this program had spread across the U.S., infecting hundreds or thousands of computers and making many of them unusable due to the burden of its activity. This paper provides a chronology for the outbreak and presents a detailed description of the internals of the worm, based on a C version produced by decompiling.

Eugene H. Spafford, The Internet Worm Program: An Analysis
Abstract: This report gives a detailed description of the components of the worm program - data and functions.It is based on study of two completely independent reverse-compilations of the worm and a version disassembled to VAX assembly language. Almost no source code is given in the paper because of current concerns about the state of the "immune system" of Internet hosts, but the description should be detailed enough to allow the reader to understand the behavior of the program. The paper contains a review of the security flaws exploited by the worm program, and gives some recommendations on how to eliminate or mitigate their future use. The report also includes an analysis of the coding style and methods used by the author(s) of the worm, and draws some conclusions about his abilities and intent.

Eugene H. Spafford, The Internet Worm Incident
Abstract: This paper explains why this program was a worm (as opposed to a virus), and provides a brief chronology of both the spread and eradication of the program. That is followed by discussion of some specific issues raised by the community's reaction and subsequent discussion of the event. Included are some interesting lessons learned from the incident.

Keith Bostic, Virus posting
Abstract: It is a copy of the news article posted by Keith Bostic with the BSD fixes to sendmail. The recently reported worm appears to also be using the fingerd(8) daemon to enter systems. Here's a fix. The previous patch for sendmail(8) on binary systems only prevented the current attacker. The attached patch fixes the problem.

Bob Page, A Report on the Internet Worm
Abstract: This is the scoop on the "Internet Worm". Actually it's not a virus - a virus is a piece of code that adds itself to other programs, including operating systems. It cannot run independently, but rather requires that its "host" program be run to activate it. As such, it has a clear analog to biologic viruses -- those viruses are not considered live, but they invade host cells and take them over, making them produce new viruses.


O Built by Mark Crosbie and Ivan Krsul.

Security Archive Page Security Archive Homepage.

COAST Homepage COAST Project (CERIAS)Page.

Purdue CS Homepage Purdue CS Dept page. (COAST Security Archive)