| The Worm read through the file /etc/hosts.equiv, if it was present. This was done on the assumption that, if an account could be broken into on this machine, it could probably be broken into on the machines listed in this file. Machines found this way get a special tag in the structure the Worm uses to hold such data.|
| The Worm then read through the file /.rhosts searching for other machines to break into at a later time.|
| The Worm then reads in the file /etc/passwd. This is a file that was often publicly readable that contained a list of all the users authorized to use a machine, along with their encrypted passwords. This was one of the major security holes that the Worm took advantage of.|
| The Worm will then use the the /etc/passwd file to find personal .forward files, used to forward mail to other machines, in order to get the locations of additional machines to attack.|
Once these tasks have been completed, the Worm passes on to Phase 1.