What the Internet Worm did to systems

To begin with, lets check the other side of the coin and find out what the Worm DIDN'T do to the computer systems that it infected:

  • The worm didn't alter or destroy files
  • The worm didn't save or transmit the passwords which it cracked
  • The worm didn't make special attempts to gain root or superuser access in a system (and didn't utilize the privileges if it managed to get them).
  • The worm didn't place copies of itself or other programs into memory to be executed at a later time. (Such programs are commonly referred to as timebombs.)
  • The worm didn't attack machines other than Sun 3 systems and VAX computers running 4 BSD Unix (or equivalent).
  • The worm didn't attack machines that were not attached to the internet. (In other words, no computers that didn't have an internet address were attacked. Modems do not count as internet connectors in this respect.)
  • The worm didn't travel from machine to machine via disk.
  • The worm didn't cause physical damage to computer systems.

    With all this cleared out of the way, one may be wondering what the Worm DID do to cause as much fuss as it did. Actually, the intention of the worm (judging from decompiled versions of its code and the statements of its designer) was to do nothing at all. At least, nothing visible. The worm was designed simply to spread itself to as many computers as possible without giving the slightest indication of its existence. If the code worked correctly, it would have been only a tiny process continually running on computers across the internet.
    However, the code didn't work perfectly. Apparently, at the time the virus was released, there were still a number of bugs in the code. In addition it is believed that the programmer underestimated the degree to which the Worm would propagate. (For more details on this part, see our section on how the Worm worked.)
    The result is that these seemingly innocuous processes, which didn't take up much processor time individually, began to put a strain on a system as more and more processes infected the same machines. At a surprisingly swift rate, an infected machine began to be slowed as more and more copies of the worm each tried to perform its function.
    In the following example (taken from "A Tour of the Worm", by Donn Seely) one can see the effects the worm infection. The example is representative of infections all across the country.
    All the following events occurred on the evening of Nov. 2, 1988.
  • 6:00 PM At about this time the Worm is launched.
  • 8:49 PM The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu)
  • 9:09 PM The Worm initiates the first of its attacks to infect other computers from the infected VAX
  • 9:21 PM The load average on the system reaches 5. (Load average is a measure of how hard the computer system is working. At 9:30 at night, the load average of the VAX was usually 1. Any load average higher than 5 causes delays in data processing.)
  • 9:41 PM The load average reaches 7
  • 10:01 PM The load average reaches 16
  • 10:06 PM At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore.
  • 10:20 PM The system administrator kills off the worms
  • 10:41 PM The system is reinfected and the load average reaches 27
  • 10:49 PM The system administrator shuts down the system. The system is subsequently restarted
  • 11:21 PM Reinfestation causes the load average to reach 37.
    In short, in under 90 minutes from the time of infection, the Worm had made the infected system unusable. This same scenario occurred to over 6,000 machines across the country and, while no physical damage was caused by the worm, between $100,000 and $10,000,000 were lost due to lost access to the internet at an infected host. (according to the United States General Accounting Office)

    Return to the main Worm page.