Mainframe Virus ????

Kopischke, David G.

unread,

May 18, 2004, 4:48:26 PM5/18/04

to

This is the first time I've read of a virus targeting a mainframe.
I'm still suspicious of this story as it does not mention the
operating system that was assaulted, but it's still interesting.

From a Search390.com E-Mail pointing to:
http://iafrica.com/news/sa/323399.htm

Man found guilty of causing Edgars computer crash
Posted Tue, 18 May 2004

A 32-year-old Johannesburg man was found guilty on Monday
of loading a virus onto the computers of Edgars, an act
which the company claims cost them R20-million and affected
up to 700 stores.

Because the Electronic Communications and Transactions Act
governing what employees may legally do with company computers
was not yet in force, Berend Howard of Morningside Manor was
charged with malicious damaged to Edcon property.

Companies falling under the Edcon umbrella include Edgars,
Sales House and Jet Stores.

The court heard that Howard had been in temporary employment
at the company but had a grudge against the group for outsourcing
its IT maintenance and support work.

A malicious software programme - a virus - was created and loaded
onto the mainframe at Edgars' head office in Edgardale,
Johannesburg between April and May in 1999, bringing the computer
system, including workstations and speed points at stores linked
to the mainframe, to a virtual standstill.

Eighty percent of the details for stores in South Africa were
deleted; customer sales had to be entered manually, and hard
drives were damaged.

It took a team of 30 people to rectify the problem and the loss,
disputed by Howard's defence, was put at R20-million.

Investigators found a "trail" leading to Howard's personal
computer and he was arrested.

Evidence in mitigation of sentence will be presented on July 29.

Sapa

------------------------------------------------------------------------------
This electronic mail transmission may contain confidential information and is intended only for the person(s) named. Any use, copying or disclosure by any other person is strictly prohibited. If you have received this transmission in error, please notify the sender via e-mail.
==============================================================================

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to list...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

William Ek

unread,

May 18, 2004, 11:38:11 PM5/18/04

to

Viruses targeting mainframes is not new but somewhat out of
vogue. At one time it was enough of a problem that in-house
counsel for many companies were requiring a "malicious code"
certification from vendors. This circa 1990.

Bill Ek

Perryman, Brian

unread,

May 19, 2004, 6:04:15 AM5/19/04

to

Surely that's just a malicious code program - at worst a trojan horse, and not strictly a 'virus'? Depending on what hardware and operating system constituted 'the mainframe' (it might not have been what we on this list regard as a mainframe) I imagine that the perpetrator needed, and already had, access to it anyway. All systems have that exposure to some extent.

But "..and hard drives were damaged.." Hmm...

Just sounds like the reporter doesn't really understand computers much..

-
This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Transaction Network Services.Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

Ceruti, Gerard G

unread,

May 19, 2004, 6:17:45 AM5/19/04

to

As we are on this side of ocean , not much is know (for company reasons) but
what we can get it that it was malicious code, a case of a very unhappy
employee who had the correct access to start with and it was a mainframe in
the true sense of the word. What more can you expect from a reporter.

Regards
Gerard

__________________________________________________________________________________________________________________________________

For information about the Standard Bank group visit our web site <www.standardbank.co.za>
__________________________________________________________________________________________________________________________________

Disclaimer and confidentiality note
Everything in this e-mail and any attachments relating to the official business of Standard Bank Group Limited is proprietary to the group.
It is confidential, legally privileged and protected by law.
Standard Bank does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of the group.
The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read,
disclose or use the content in any way.
Standard Bank can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.
___________________________________________________________________________________________________________________________________

Phil Payne

unread,

May 19, 2004, 6:46:26 AM5/19/04

to

> But "..and hard drives were damaged.." Hmm...

It used to be possible on the 3350. I won't go into how - either you could write your own
channel programme or you could use OLTEP's Packscan "B" routine. Software-induced head
crashes?

That loophole was closed on the 3380 with a microcode routine that detected a dangerous
pattern and flung in a couple of delays - confused the hell out of some disk benchmarkers.

I heard one occasion of what we would now call a "virus" many years ago, but because systems
weren't connected to global open networks it was a purely local affair - took down a 5-way
JES3 complex. Definitely malicious. Trojan code has been around since at least the 1970s -
it was a favourite "little present" left behind by departing programmers. Until the civil
penalties started to bite.

I wrote a detailed account of how a Trojan in a banking system might be switched on and off
externally using "trigger" transactions, but the messenger got shot again.

--
Phil Payne
http://www.isham-research.com
+44 7785 302 803

ibm-main

unread,

May 19, 2004, 7:08:17 AM5/19/04

to

On Wed, 2004-05-19 at 20:41, Phil Payne wrote:

> ... but the messenger got shot again.
>
Obviously the resultant injury was less than fatal ...
Somehow, I think the effort to shut Phil up would be considerable ;-)

Shane ...

Rick Fochtman

unread,

May 19, 2004, 7:54:33 AM5/19/04

to

------------------------------<snip>----------------------

This is the first time I've read of a virus targeting a mainframe.
I'm still suspicious of this story as it does not mention the
operating system that was assaulted, but it's still interesting.

From a Search390.com E-Mail pointing to:
http://iafrica.com/news/sa/323399.htm

Man found guilty of causing Edgars computer crash
Posted Tue, 18 May 2004

---------------------<remainder snipped>---------------------
The use of the term "hard drive" leads me to infer that perhaps the
term 'mainframe' should be replaced by 'main server'.

Charles Mills

unread,

May 19, 2004, 8:51:16 AM5/19/04

to

I recall an effective "worm" some years ago that shut down IBM's PROFS
system, at that time hosted on a mainframe (VM). It was not malicious.
It was a Christmas greeting that some IBMer sent out that was scripted
to forward itself to everyone in the recipients' addressee lists.
Quickly reached critical mass ...

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-...@ibm-main.lst
Behalf Of Ceruti, Gerard G
Sent: Wednesday, May 19, 2004 6:17 AM
To: IBM-...@BAMA.UA.EDU
Subject: Re: Mainframe Virus ????

As we are on this side of ocean , not much is know (for company reasons)
but what we can get it that it was malicious code, a case of a very
unhappy employee who had the correct access to start with and it was a
mainframe in the true sense of the word. What more can you expect from a
reporter.

----------------------------------------------------------------------

A. Harry Williams

unread,

May 19, 2004, 10:00:38 AM5/19/04

to

On Wed, 19 May 2004 06:54:03 -0500 Rick Fochtman said:
>------------------------------<snip>----------------------
>This is the first time I've read of a virus targeting a mainframe.
>I'm still suspicious of this story as it does not mention the
>operating system that was assaulted, but it's still interesting.
>
>From a Search390.com E-Mail pointing to:
>http://iafrica.com/news/sa/323399.htm
>
>
>Man found guilty of causing Edgars computer crash
>Posted Tue, 18 May 2004
>---------------------<remainder snipped>---------------------
>The use of the term "hard drive" leads me to infer that perhaps the
>term 'mainframe' should be replaced by 'main server'.

That would be a mistake. I use that term when talking to people who
have little to no knowledge of large systems. Why confuse them with
buzz words, when trying to explain broader concepts to them. You need to
enroll people in the process, not make them think you are in an ivory tower.
That's part of the rational for starting the distributed world.

/ahw

Phil Payne

unread,

May 19, 2004, 10:49:16 AM5/19/04

to

> > ... but the messenger got shot again.
> >
> Obviously the resultant injury was less than fatal ...
> Somehow, I think the effort to shut Phil up would be considerable ;-)

Amusing little story:

http://www.theinquirer.net/?article=15992

Spotted this early this morning, and emailed to wonder at my omission. Also at the story of
UMX - one of the /390 emulation providers - going tits-up, as now recorded on my home page.

But the "Inquirer" story has gone from the home page. You can find it by searching the site on
"analysts" or using the URL above.

--
Phil Payne
http://www.isham-research.com
+44 7785 302 803

----------------------------------------------------------------------

Van Dalsen, Herbie

unread,

May 19, 2004, 11:34:45 AM5/19/04

to

Hi all,
It was probably an Assembler program trashing the VTOC of all volumes from some obscure Volume-list. With the Likes of APF and RACF, you need to run a program as an authorised user, probably from a job-scheduler that has optimum access... So yes, I think mainframe viruses are possible, but they can only be installed from within the establishment, In the old days they probable just called bad coding, because a few badly coded cobol programs @ the right spot of a batch run @ night can probably cause an equal amoutn of havoc !

Regards
Herbie
*********************************************************************************************
This email and any attachments are confidential and intended for the sole use of the intended recipient(s).If you receive this email in error please notify email...@euroconex.com and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses.
*********************************************************************************************

John F. Regus

unread,

May 19, 2004, 8:16:25 PM5/19/04

to

There is no indication this was an IBM machine. Remember large HP and SUN
servers are being referred to as mainframes.

Efinn...@ibm-main.lst

unread,

May 19, 2004, 11:04:07 PM5/19/04

to

In a message dated 5/19/2004 7:16:47 PM Central Standard Time,

jfr...@IX.NETCOM.COM writes:
There is no indication this was an IBM machine. Remember large HP and SUN
servers are being referred to as mainframes.

I'm pretty sure it was. Think we even talked about it when it happened. Guy
frontended OPEN and did major damage.

Back in the eighties before I'd heard of virus or worms we caught and
successfully prosecuted an applications guy that was taking interest roundoff and
transferring it to a Swiss account via SWIFT.

Then there was the bank down the street that had to go to court and explain
in excruciating detail why the guy that got $10M extra in his checking account
was not the recipient of divine intervention--"I prayed for riches and was
rewarded!"

Shmuel Metz , Seymour J.

unread,

May 20, 2004, 11:37:52 AM5/20/04

to

In
<90D1C6AE45A88D469F4...@SVRARK-EXBET01.euroconex.prv>,
on 05/19/2004
at 04:35 PM, "Van Dalsen, Herbie" <herbie.v...@EUROCONEX.COM>
said:

>It was probably an Assembler program trashing the VTOC of all volumes
>from some obscure Volume-list. With the Likes of APF and RACF, you
>need to run a program as an authorised user, probably from a
>job-scheduler that has optimum access... So yes, I think mainframe
>viruses are possible,

What you describe is not a virus, or even a worm.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

Shmuel Metz , Seymour J.

unread,

May 20, 2004, 11:37:10 AM5/20/04

to

In
<A4D8F8732B8C5E47A70F...@sbicjnbmsg03.za.sbicdirectory.com>,
on 05/19/2004
at 12:17 PM, "Ceruti, Gerard G" <Gerard...@STANDARDBANK.CO.ZA>
said:

>What more can you expect from a reporter.

We can't expect more from a hack reporter. We would have expected more
from as journalist, were we able to find one.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------

Shmuel Metz , Seymour J.

unread,

May 20, 2004, 11:36:32 AM5/20/04

to

In <F2E05690EC98334DA0F6...@DEN-XMAIL1.den.ofi.com>,
on 05/18/2004
at 02:45 PM, "Kopischke, David G."
<dgkop...@OPPENHEIMERFUNDS.COM> said:

>This is the first time I've read of a virus targeting a mainframe.

If it was a virus. Given the text that you quoted, I'm inclined to
doubt it. More likely the reporter hadn't a clue as to what a virus
was and was simply slinging around buzz words.

There was, however, a worm on mainframes; the "Christmas Card" worm,
which, as I recalled, took down PROFS at IBM for a while.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------

Shmuel Metz , Seymour J.

unread,

May 20, 2004, 11:37:31 AM5/20/04

to

In <001c01c43d8e$83a203e0$0700a8c0@Transnote>, on 05/19/2004

at 12:41 PM, Phil Payne <IBM-...@ISHAM-RESEARCH.COM> said:

>I heard one occasion of what we would now call a "virus"

Not from your description we wouldn't. In fact, from your description
we wouldn't even call it a worm.

>Definitely malicious.

Irrelevant. How did it propagate? If it didn't propagate, then it was
neither a virus nor a worm.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------

Shmuel Metz , Seymour J.

unread,

May 20, 2004, 11:36:49 AM5/20/04

to

In <009b01c43d52$773dfbe0$6501a8c0@Bill>, on 05/18/2004

at 08:36 PM, William Ek <Will...@SOCAL.RR.COM> said:

>Viruses targeting mainframes is not new but somewhat out of vogue.
>At one time it was enough of a problem that in-house counsel for many
>companies were requiring a "malicious code" certification from
>vendors.

What does a "malicious code" certification have to do with viruses? A
trojan horse is not a virus.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------

Phil Payne

unread,

May 20, 2004, 3:34:57 PM5/20/04

to

> >Definitely malicious.
>
> Irrelevant. How did it propagate? If it didn't propagate, then it was
> neither a virus nor a worm.

It propagated to all members of a JES3 complex. Exactly how, I can't remember. As I said, we
didn't know about global networks at the time. If we had, they would all have been IBM
mainframes because there was just nothing else around.

--
Phil Payne
http://www.isham-research.com
+44 7785 302 803

----------------------------------------------------------------------

Shmuel Metz , Seymour J.

unread,

May 23, 2004, 10:34:09 PM5/23/04

to

In <008601c43ea1$7d5b2ac0$0700a8c0@Transnote>, on 05/20/2004

at 09:17 PM, Phil Payne <IBM-...@ISHAM-RESEARCH.COM> said:

>It propagated to all members of a JES3 complex.

FSVO propagate that doesn't match what I find in any dictionary. It
affected all members; it did not propagate to them.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT

Atid/2

We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------

Shmuel Metz , Seymour J.

unread,

Nov 22, 2004, 11:36:37 PM11/22/04

to

In <F2E05690EC98334DA0F6...@DEN-XMAIL1.den.ofi.com>,
on 05/18/2004
at 02:45 PM, "Kopischke, David G."
<dgkop...@OPPENHEIMERFUNDS.COM> said:

>This is the first time I've read of a virus targeting a mainframe.

There have been worms, e.g., the IBM "Christmas Card" worm in PROFS.
However, from the wording of the article it's clear that the reporter
hasn't got a clue as to what a virus is.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT

ISO position; see <http://patriot.net/~shmuel/resume/brief.html>

We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------

Shmuel Metz , Seymour J.

unread,

Nov 22, 2004, 11:36:48 PM11/22/04

to

In
<90D1C6AE45A88D469F4...@SVRARK-EXBET01.euroconex.prv>,
on 05/19/2004
at 04:35 PM, "Van Dalsen, Herbie" <herbie.v...@EUROCONEX.COM>
said:

>It was probably an Assembler program trashing the VTOC of all volumes

>from some obscure Volume-list. With the Likes of APF and RACF, you
>need to run a program as an authorised user, probably from a
>job-scheduler that has optimum access... So yes, I think mainframe
>viruses are possible,

What you have described is not a virus.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------

Shmuel Metz , Seymour J.

unread,

Nov 22, 2004, 11:37:20 PM11/22/04

to

In
<A4D8F8732B8C5E47A70F...@sbicjnbmsg03.za.sbicdirectory.com>,
on 05/19/2004

at 12:17 PM, "Ceruti, Gerard G" <Gerard...@STANDARDBANK.CO.ZA>
said:

>As we are on this side of ocean , not much is know (for company

>reasons) but what we can get it that it was malicious code, a case of
>a very unhappy employee who had the correct access to start with and
>it was a mainframe in the true sense of the word. What more can you
>expect from a reporter.

Journalism. But it's dead.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------

CAIRNS,Michael

unread,

Nov 22, 2004, 11:45:38 PM11/22/04

to

Would someone mind posting the URL please?

Michael Cairns

Senior Mainframe Systems Programmer
Technical Services Team, ITFB, ITSG.
Department of Employment and Workplace Relations

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-...@ibm-main.lst
Behalf Of Shmuel Metz (Seymour J.)
Sent: Tuesday, November 23, 2004 2:01 PM
To: IBM-...@BAMA.UA.EDU
Subject: Re: Mainframe Virus ????

In <F2E05690EC98334DA0F6...@DEN-XMAIL1.den.ofi.com>,
on 05/18/2004
at 02:45 PM, "Kopischke, David G." <dgkop...@OPPENHEIMERFUNDS.COM>
said:

>This is the first time I've read of a virus targeting a mainframe.

There have been worms, e.g., the IBM "Christmas Card" worm in PROFS.
However, from the wording of the article it's clear that the reporter
hasn't got a clue as to what a virus is.

--

Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to list...@bama.ua.edu with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html

Notice:
The information contained in this e-mail message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege. If you are not the intended recipient any use,
disclosure or copying of this e-mail is unauthorised. If you have received
this e-mail in error, please notify the sender immediately by reply e-mail
and delete all copies of this transmission together with any attachments.

Efinn...@ibm-main.lst

unread,

Nov 23, 2004, 1:35:07 AM11/23/04

to

In a message dated 11/22/2004 10:45:51 P.M. Central Standard Time,
Michael...@DEWR.GOV.AU writes:

Would someone mind posting the URL please?

<<
I googled news and found this one(among a few others) with 'mainframe virus'
search.
_http://www.crime-research.org/news/18.11.2004/798/_
(http://www.crime-research.org/news/18.11.2004/798/)

Evidently phishing userid/password when directed at UK financial
institution. Not sure
is this what original posting was regarding.....

Hal Merritt

unread,

Nov 23, 2004, 12:44:39 PM11/23/04

to

What article? Please post the source of this information.

I have seen one other instance where an 'article' used 'mainframe virus'
as a teaser, but actually was a lame sales pitch for some PC product.

Thanks.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-...@ibm-main.lst
Behalf Of Shmuel Metz (Seymour J.)
Sent: Monday, November 22, 2004 9:01 PM
To: IBM-...@BAMA.UA.EDU
Subject: Re: Mainframe Virus ????

In <F2E05690EC98334DA0F6...@DEN-XMAIL1.den.ofi.com>,
on 05/18/2004
at 02:45 PM, "Kopischke, David G."
<dgkop...@OPPENHEIMERFUNDS.COM> said:

>This is the first time I've read of a virus targeting a mainframe.

There have been worms, e.g., the IBM "Christmas Card" worm in PROFS.
However, from the wording of the article it's clear that the reporter
hasn't got a clue as to what a virus is.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------

For IBM-MAIN subscribe / signoff / archive access instructions,
send email to list...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies.

Anne & Lynn Wheeler

unread,

Nov 23, 2004, 3:25:21 PM11/23/04

to

shmuel+...@ibm-main.lst (Shmuel Metz , Seymour J.) writes:
> There have been worms, e.g., the IBM "Christmas Card" worm in PROFS.
> However, from the wording of the article it's clear that the reporter
> hasn't got a clue as to what a virus is.

PROFS was a menu interface that wrappered a number of lower-level
functions. One was the mail client ... which was mostly made up of the
source from an early prototype mail client called VMSG (unfortunately
the PROFS group snarfed such an early prototype and never got around
to picking up later advancements when they got around to shipping
PROFS as a product). At one point, there was even some claim that the
PROFS email client was not VMSG ... however it was demonstrated that
in the network control header of every PROFS email ... there was the
initials of the VMSG author.

it was an internal network thing
http://www.garlic.com/~lynn/subnetwork.html#internalnet

which was larger than the arpanet from just about the beginning until
sometime mid-85 .... in part because an internal net node effectively
had gateway type function ... which didn't show up until 1/1/83 with
the great switch-over to internetworking. the size of the internal
network is purely based on the internal corporate nodes
... and not any of the bitnet/earn nodes using the same technology
http://www.garlic.com/~lynn/subnetwork.html#bitnet

at the time of the switch-over to internetworking on 1/1/83 ...
arpanet had approx. 250 nodes and the internal network was nearing a
1000 nodes ... which it reached in the summer of 83
http://www.garlic.com/~lynn/internet.htm#22

after the 1/1/83 switch-over with the introduction of gateways and
internetworking, the number of "internet" nodes started to grow faster
... and approx. the sametime in 85, both the internet and the internal
network passed 2000 nodes. slightly related issue with respect to
the size of the internet (aka until there actually was internetworking,
there wasn't any requirement for multiple different domain names):
http://www.garlic.com/~lynn/2004n.html#42

in any case, at the cms level ... file transfer and email transfer
used identical facilities (aka at lower level email was just another
file form).

the issue with xmas "cards" ... was they tended to be cms "EXEC" files
... which were executable command files (aka over the years, there
were three major syntax for EXEC files, the original EXEC syntax,
EXEC2 syntax, and REX(X) syntax). the xmas virus/worm was effectively
social engineering .... an executable file was sent, the recipient
read the file and was convinced to execute the file. the xmas "exec"
file tended to format 3270 screen with some form of xmas image ...
and got more complex over the years ... there was one that used color
and graphics on a 3279 screen to create an xmas tree with
multi-colored lights that flashed on & off.

many people got used to using the PROFS menu interface to deal with
some number of feature/functions, typically networking related
features (receiving and sending files & email), online telephone book,
calender, etc (although many experienced users clung to the CLI).

in any case, once an xmas exec was read (from the network) and
execution invoke ... it could perform almost any function.

a little topic drift referencing an old vmshare/mainframe thread
mentioning the intersection of OCO and virus
http://www.garlic.com/~lynn/2004p.html#5

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/

Dave Kopischke

unread,

Nov 23, 2004, 5:29:49 PM11/23/04

to

On Tue, 23 Nov 2004 11:44:21 -0600, Hal Merritt <HMer...@JACKHENRY.COM>
wrote:

>What article? Please post the source of this information.
>
>I have seen one other instance where an 'article' used 'mainframe virus'
>as a teaser, but actually was a lame sales pitch for some PC product.
>
>Thanks.
>

This is an old response to an old post from May 2004. I'm not sure why
Shmuel re-posted.

The original post:
http://bama.ua.edu/cgi-bin/wa?A2=ind0405&L=ibm-main&P=R49938&D=0&I=1&O=D

A link to the original article:

From a Search390.com E-Mail pointing to:
http://iafrica.com/news/sa/323399.htm

This is pretty old, so the link may not be valid anymore.

Anne & Lynn Wheeler

unread,

Nov 24, 2004, 4:48:16 PM11/24/04

to

shmuel+...@ibm-main.lst (Shmuel Metz , Seymour J.) writes:

> I inadvertently replied to an old message. URI
> http://iafrica.com/news/sa/323399.htm is probably dead by now. I don't
> have a URI relevant to the IBM Christmas card worm (*not* virus), but
> as I recall it was in the late 1980s.

version on bitnet/earn
http://www.garlic.com/~lynn/subnetwork.html#bitnet

and internal network (note the slowdown in the internal
network growth ... 1000 mid-83, 2000 mid-85, 2700 ye87):
http://www.garlic.com/~lynn/subnetwork.html#internalnet

from trusty vmshare archives ... PROB CHRISTMA thread
http://vm.marist.edu/~vmshare/browse?fn=CHRISTMA&ft=PROB

summary out of the above:

Append on 12/19/87 at 20:10 by Melinda Varian <BITNET: MAINT@PUCC>:

The following statement, from a member of the EARN Board, answers the
queries about the origin of the CHRISTMA EXEC. Clausthal-Zellerfeld
is quite a new VM installation. When Heinz Haunhorst, of their staff,
was notified that the first appearances of the virus on the networks
originated at his node, he pursued the matter vigorously and skillfully.
Helmut Woehlbier, of the Technical University of Braunschweig, also did
an excellent job in helping to determine the originating node.

<> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>

Date: Wed, 16 Dec 87 18:33:58 GMT
Sender: EARN Technical Group <EARNTECH@EB0UB011>
From: Michael Hebgen <$02@DHDURZ1>
Comments: To: EARN Executive <EARNEXEC@IRLEARN>,
EARN Board of Directors <EARN-BOD@IRLEARN>
Comments: cc: German EARN Executive <DEARNEX@DHDURZ1>,
German EARN node administrators <DEARNADM@DEARN>,
Heinz Haunhorst <HENRY@DCZTU1>,
"Dr. Gerald Lange" <LANGE@DCZTU1>,
Otto Bernd Kirchner <KIRCHNER@DS0IBM1>
To: Melinda Varian <MAINT@PUCC>
Subject: CHRISTMAS EXEC

Dear colleagues,

after some very sophisticated detective work it is clear that the origin
of the CHRISTMAS EXEC is the EARN node DCZTU1. A student there has writ-
ten this EXEC to send christmas greetings to his colleagues and another
student has used it without knowing what he is doing (as many of our
network users) and started the explosion.

The node DCZTU1 has already blocked the Userid of the author and done
all necessary steps. Every node in the network can be the next starting
point of a similar explosion and distribute virus programms or other
bad things.

As far as I know the EDP-systems there is no way to prevent users from
their own mistakes. The only solution I can think of for this type of
behaviour is to observe "EDP-hygiene":

If you receive an executable file (EXEC, CLIST, program) from another
might be unknown user do N O T execute without control because it
can result in gross missdemanour and serious damage.

Check all EXECs/CLISTs, what they are doing, before you execute them
and check all executable programs, where they come from and what
they do.

As in normal life uncontrolled behaviour may result in serious
consequences (I am not going to mention AIDS). You as a user are
responsable for all what you are doing.

I propose to include such statements (in better english formulation) into
the CODE OF CONDUCT and to start an "enlightenment" process for the end-
users

Best regards, marry christmas (without tree) and a happy new year

Michael Hebgen

EARN director of Germany and
General secretary of EARN

*** APPENDED 12/19/87 20:10:47 BY PU/MELINDA ***

================================

various other bits & pieces from the thread:

Created on 12/10/87 09:47:26 by SU/BRIDGET

Watch out for CHRISTMA EXEC!
One of our staff received this exec from the University of Missouri
(we think) over bitnet and ran it. I haven't seen exactly what it
does, but apparently it displays a nice little Christmas tree on
your screen while examining your names file and netlog file, extracting
userids and node names. It then proceeds to sending a copy of itself
to all the userids it finds using the acknowledge option. We found
about 200 copies of it in our spooling system as a result of four
or five people running it. Of course anyone installing HPO 5 and
wanting to test the limits of their spooling system may want to keep
a copy :-)

*** CREATED 12/10/87 09:47:26 BY SU/BRIDGET ***

Append on 12/11/87 at 17:50 by Faye West (403) 450-5180:

Apparently this exec caused IBM Canada to shut down RSCS in the Western
Region (at least) today. Rumor is, Royal Trust also went down.

>>> REVISED 12/14/87 12:13:04 BY ARC/FAYE <<<
*** APPENDED 12/11/87 17:50:34 BY ARC/FAYE ***

Append on 12/12/87 at 10:47 by Tom Klensk (607) 752-6262:

Indeed, severe problems were caused within IBM's internal network
(2700 nodes) in the last two days as CHRISTMA EXEC multiplied.
The problem also caught the attention of the press and was featured on
the front page of this morning's Press & Sun Bulletin (our local
newspaper).

Tom Klensk, IBM Endicott

*** APPENDED 12/12/87 10:47:19 BY .TK/TOM ***

Append on 12/13/87 at 10:24 by Melinda Varian <BITNET: MAINT@PUCC>:

A group of us in BITNET are trying to trace the origin of the
CHRISTMA EXEC. So far, the earliest appearance in North America
we've been able to track down were 5 copies that passed through
CUNYVM at 09:03 EST (12:03 GMT) on Wednesday, December 9. These
copies were being sent from DCZTU1 to recipients at USU, UCSFCCA,
and CCNYVME.

We would appreciate your examining your logs to see if you can
find any earlier occurrences. If you do, please append the time,
sending nodeid/userid, and receiving nodeid/userid (or send mail
to MAINT@PUCC if you prefer).

Thank you.

Melinda Varian,
Princeton University

*** APPENDED 12/13/87 10:24:27 BY PU/MELINDA ***

Append on 12/17/87 at 16:32 by Kathleen E. DeGuilme:

This story hit the Wall Street Journal this morning , on page 34. If
anyone would like a copy, send me a note.

*** APPENDED 12/17/87 16:32:02 BY SAL/KATHLEEN ***

Append on 12/18/87 at 11:58 by Michael Wagner 416 978-6602:

CHRISTMA EXEC made the papers here in Germany too. We think we have
found the originator, by the way. I don't know the exact status of
the chase, but I think I can find out if people are interested.
...Michael Wagner, currently in Germany

*** APPENDED 12/18/87 11:58:35 BY TY/MICHAEL ***

Append on 12/18/87 at 13:37 by Melinda Varian <BITNET: MAINT@PUCC>:

Yes, the originator of the EXEC was found a few days ago, through
the cooperative efforts of system programmers around the world.

My personal thanks to everyone who helped in this effort,
Melinda

*** APPENDED 12/18/87 13:37:29 BY PU/MELINDA ***

Append on 12/18/87 at 23:54 by Melinda Varian <BITNET: MAINT@PUCC>:

:-) You'll never know for sure, will you, Rich?

Yes, the impact of CHRISTMA on BITNET was substantially less than was
its impact on "the other network". I'd say that mostly we were luckier
than they were. Some of the other factors: Their users have larger
NAMES files than ours. Their network has greater bandwidth than ours.
It hit us during business hours, both in Europe and in North America,
while it hit them when most of the sysprogs were not at work. Possibly,
too, since we're constantly expecting our systems to be attacked, we
reacted just a bit faster (and more zealously).

At any rate, those responsible for writing and propagating the EXEC
were being extremely childish. Our networks exist as a cooperative
venture and REQUIRE the goodwill of the users. Any fool (or broken
service machine) can flood the networks; it requires no great
intellectual achievement.

I can't really say what the author's intentions were, but the fact
that he prefaced the "interesting" part of the EXEC with the following
comment makes me feel that he was not entirely filled with holiday
spirit:

/* browsing this file is no fun at all
just type CHRISTMAS from cms */

However, the cooperation between the system programmers around the
world in handling this problem was very much in the holiday spirit
and is the part I will remember longest.

Melinda (aka MAINT@PUCC)

P.S.: Anybody on BITNET who wants a copy of my collection of CHRISTMA
logmsgs from around the world can request it by mail.

*** APPENDED 12/18/87 23:54:52 BY PU/MELINDA ***

Anne & Lynn Wheeler

unread,

Nov 24, 2004, 5:23:42 PM11/24/04

to

somewhat aside ... if you take the number internal network nodes at ye87
from the previous post:
http://www.garlic.com/~lynn/2004p.html#16 Mainframe Virus ????

as approx. number of internal systems (although some number of
internal systems weren't connected to the internal network)

and the number of employees from this earlier post:
http://www.garlic.com/~lynn/2004o.html#63 360 longevity, was RISCs too close to hardware?

then you have an approx. avg of 180 employees per system.

this doesn't take into account the number of PCs and workstations ....
which mostly had their connectivity via terminal emulation ... as
opposed to full network nodes.

some number of past posts mentioning terminal emulation subject:
http://www.garlic.com/~lynn/2000.html#6 Computer of the century
http://www.garlic.com/~lynn/2000b.html#35 VMS vs. Unix (was: Why are Suns so slow?)
http://www.garlic.com/~lynn/2000g.html#13 IBM's mess (was: Re: What the hell is an MSX?)
http://www.garlic.com/~lynn/2000g.html#14 IBM's mess (was: Re: What the hell is an MSX?)
http://www.garlic.com/~lynn/2001b.html#83 Z/90, S/390, 370/ESA (slightly off topic)
http://www.garlic.com/~lynn/2001j.html#16 OT - Internet Explorer V6.0

http://www.garlic.com/~lynn/2001k.html#35 Newbie TOPS-10 7.03 question

http://www.garlic.com/~lynn/2003b.html#45 hyperblock drift, was filesystem structure (long warning)

Shmuel Metz , Seymour J.

unread,

Nov 24, 2004, 3:17:25 PM11/24/04

to

In <1F222922F1978345884...@htxxchg.jhacorp.com>, on
11/23/2004

at 11:44 AM, Hal Merritt <HMer...@JACKHENRY.COM> said:

>What article? Please post the source of this information.

I inadvertently replied to an old message. URI

http://iafrica.com/news/sa/323399.htm is probably dead by now. I don't
have a URI relevant to the IBM Christmas card worm (*not* virus), but
as I recall it was in the late 1980s.

--