Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ncar!tank!mimsy!chris
From: chris@mimsy.UUCP (Chris Torek)
Newsgroups: comp.unix.wizards
Subject: Re: various worm questions
Message-ID: <14525@mimsy.UUCP>
Date: 13 Nov 88 09:53:31 GMT
References: <935@vsi.COM> <8868@smoke.BRL.MIL>
Distribution: na
Organization: U of Maryland, Dept. of Computer Science, Coll. Pk., MD 20742
Lines: 18

>In article <935@vsi.COM> friedl@vsi.COM (Stephen J. Friedl) writes:
>>... we all know that a bug in the program caused it to propagate wildly.
>>Does anybody know what the bug was? No source code, just a general idea....

In article <8868@smoke.BRL.MIL> gwyn@smoke.BRL.MIL (Doug Gwyn ) writes:
>This wasn't characterized quite correctly in the media reports.
>The biggest flaw in the design was that no provision was made
>to avoid propagation back to an already-infested host.

Not quite: In a routine called checkother(), the program would look for
a copy of itself running on the local machine. It had a 1/7 chance of
not looking at all, and if it did look, it had a timeout that could
fire off before the other copy could respond. If it did find one,
it had a 1/2 chance of exiting (and, I think, if it did not, the other
was supposed to). For whatever reasons, this did not work well.
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain: chris@mimsy.umd.edu Path: uunet!mimsy!chris
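
A small model of the check described in the post, as an added example that is not part of the original post and is not the program's code. The parameter p_timeout (how often the timeout fires before the other copy answers) is an assumption, since the post gives no value for it, and the "other copy exits" case is assumed to work. It shows how the 1/7 skip by itself lets the number of copies on a host grow with every repeat arrival.

```python
import random
from fractions import Fraction

SKIP_CHECK = Fraction(1, 7)  # from the post: chance the new copy never looks

def growth_per_arrival(p_timeout):
    """Chance that one arriving copy leaves the host with one more process."""
    # Either the check is skipped, or it runs and the timeout fires first.
    return SKIP_CHECK + (1 - SKIP_CHECK) * Fraction(p_timeout)

def expected_copies(arrivals, p_timeout):
    """Closed form: the first copy always stays, each later one stays with
    probability growth_per_arrival()."""
    if arrivals <= 0:
        return Fraction(0)
    return 1 + (arrivals - 1) * growth_per_arrival(p_timeout)

def simulate(arrivals, p_timeout, seed=1988):
    """Monte Carlo version of the same model; returns copies left running."""
    rng = random.Random(seed)
    copies = 0
    for _ in range(arrivals):
        copies += 1                      # the new copy starts
        if copies == 1:
            continue                     # nothing else on the host to find
        if rng.random() < float(SKIP_CHECK):
            continue                     # 1/7: does not look at all
        if rng.random() < float(p_timeout):
            continue                     # looked, but the timeout fired
        # Found another copy. Per the post, the finder exits half the time
        # and otherwise the other copy is supposed to; assumed to work here,
        # so exactly one of the pair goes away either way.
        copies -= 1
    return copies

if __name__ == "__main__":
    # p_timeout values below are constructed for illustration only.
    for p in (Fraction(0), Fraction(1, 4), Fraction(1, 2)):
        print(f"p_timeout={p}: expected after 70 arrivals = "
              f"{float(expected_copies(70, p)):.1f}, simulated = {simulate(70, p)}")
```

Even with p_timeout set to 0, the model leaves about one extra process per seven repeat arrivals, so per-host load is unbounded under sustained reinfection.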