Supplemental Security Info on DECnet Worm

1 view
Skip to first unread message

SPAN SECURITY MGR. (301)286-5223

Oct 31, 1989, 4:38:58 PM10/31/89


The most important thing that needs to be done to protect a system
against the current WORM attacks is to modify accounts where
USERNAME=PASSWORD. This is the default configuration for the DECNET
account. This can be changed easily, but there appears to be some
confusion about the effect that this has on a network. Changing the
DECnet default password DOES NOT IMPACT the normal operation of DECnet
in any way.

The following section provides some background material to illustrate
this point:

On your system, issue the following commands from a priviliged

NCP> show executor characteristics

This will produce a list that resembles the following:

Node Volatile Characteristics as of 31-OCT-1989 11:02:23

Executor node = 6.133 (NSSDCA)

Identification = DECnet-VAX V4.7, VMS V4.7
Nonprivileged user id = DECNET
Nonprivileged password = DECNET

This is your DECnet executor database. The information listed is the
default configuration for your node. The information contained in this
list includes "Nonprivileged user id" and "Nonpriviliged Password".

This information is what DECnet uses for userid/password when the
connecting process a)does not have a proxy, b)does not specify a
username/password as part of the access string, and c)does not
have a different userid/password defined for the network object
being invoked.

The access information contained in the executor database is used for
reference only. The candidate userid and password (in this case DECNET
and DECNET respectively) are then passed to LOGINOUT to validate them
against the *REAL* information contained in SYSUAF.DAT. If the
information matches, the access is allowed. If the information does not
match, the connecting user gets the following error messages:

Unable to connect to listner
Login Information Invalid at Remote Node


In order to correctly change your default network password so that your
system cannot be easily exploited by the current DECnet WORM, the
following 2 steps must be followed:

1) Change the password for user DECNET in SYSUAF.DAT:


It is advisable at this time to check that
certain other attributes of the DECNET user
are properly set:

The ONLY access method for this account should
and DIALUP fields should all read "--no access--"

The value of PRCLM should be set to ZERO. This is
the number of (SPAWNed) sub-processes allowed.

The flag LOCKPWD should be set. This prevents
anyone but a priviliged user from changing the
password. The following command can be used:


2) Change the password for DECNET in your network executor database:

NCP> set exec nonpriviliged password NEW_DECNET_PASSWORD
NCP> define exec nonpriviliged password NEW_DECNET_PASSWORD

The important thing to remember is that the password must be changed in
BOTH places, otherwise your network WILL break. The worm is breaking
nodes by penetrating the DECNET account, and changing only the UAF
password with the $SET PASSWORD command. By not changing the NCP
password, the network no longer accepts INBOUND connections.

For more information, consult the VAX/VMS manuals:

VMS V4.X - Volume 6 "Networking Manual"
VMS V5.x - Volume 5A&5B "Guide to DECnet-VAX Networking"
Ron Tencati | NCF::TENCATI /6277::TENCATI
SPAN Security Manager |
NASA/Goddard Space Flight Center | (301)286-5223
Greenbelt, MD. USA |

Reply all
Reply to author
0 new messages