Containing Computer Virus : Runaway ‘Worm’ Taxed UCSD’s Exterminators

Times Staff Writer

For Jeffrey L. Elman, the electronic age means he can work at home, connected by telephone to the UC San Diego computer that helps him make models of how the human brain turns electrical impulses into language.

“I was comfortably at home working in the evening (Wednesday) and noticing that the programs I was running were running slower and slower and slower,” recalled Elman, an associate professor of linguistics.

He checked to see what was going on inside the computer and found many seemingly nonsensical commands. He started sending nasty messages--which went unanswered--to the person who the computer said was running this random program. He killed the program out, but it reappeared.

Peculiar Mail Being Sent


“I did that twice, and, after the second time, I realized that something funny was going on,” Elman said. “At that point, I started looking around and I realized that there was some peculiar mail that was being sent to our machine, and I also noticed that there was some peculiar mail being sent to machines on the East Coast.”

These computer messages were in fact the trail of a runaway “worm.”

The self-replicating program had taken on the identity of a regular user of the VAX computer in the Center for Research in Language, and was phoning other computers all over the country to send copies of itself there.

“At that point I got a phone call from a friend at Berkeley to tell me that . . . we were infecting them, and could we shut the machine down,” he said. “Then I got a call from a friend at Carnegie-Mellon (in Pittsburgh) who was frantically trying to get rid of it there, and we were infecting them.”


Meanwhile, Elman alerted Jim Madden, manager of the academic computer network at UCSD, who began tracking the worm through 20 to 40 computers on campus.

Like a chain letter gone amok, the program was moving back and forth between computers, making new copies with every step. Computer A would call Computer B to send a copy of the program there, then B would call C, D, E and so on. But each of them would in turn call A, B and each other, putting more copies of the program there, too.

The worm also got into computers containing unclassified material at the Naval Ocean Systems Center and the Navy Personnel Research and Development Center on Point Loma in San Diego. No damage to data was reported at any of the facilities.

Rabbit-Like Ability

Unlike a computer “virus,” Madden said, this worm disappeared if the computer was turned off. But its rabbit-like ability to reproduce kept it popping up. Madden and three colleagues stayed up until nearly dawn Thursday tracking the problems.

“By 3 in the morning, we had concluded that, although the worm was still alive in two or three of the machines on campus that we didn’t have direct control over, that didn’t matter,” Madden said. “And it was that effect that caused us to turn the campus off the next morning.”

That involved disconnecting the phone link between the campus and other computers around the country for six hours while the worm was eradicated and computers were “vaccinated” against further invasion. This was inconvenient but not a major problem, Madden said.

“One or two machines crashed by accident,” he said. “They crashed because the load got so high that they couldn’t handle it. But, in fact, that wasn’t the intent of this ‘virus.’ We think that none of the loading side effects were intended. That was a mistake. And that’s what allowed us to detect it.”


“If you think of it as a tumor, it’s a benign tumor,” Elman said. “It’s not cancerous, but it grows and grows and grows and can affect the system.”

If the computers each had received only one copy of the program, it would have taken much longer to notice, Madden said.

Supercomputer Safe

The worm did not afflict any of the large computers at the San Diego Super Computer Center, but did infect three small desk-top computers, said Paul Love, manager of peripherals and communications.

At the Navy Personnel Research and Development Center, which conducts research for the entire Navy on personnel matters, an operator noticed an abnormally high activity on its two VAX 780 computers about midnight Wednesday, said Ron Stanonik, computer systems programmer. The operator shut the computer down.

By the next morning, national computer message networks were buzzing with advice on how to get rid of the worm, which the center did within a few hours, Stanonik said.

At the Naval Ocean Systems Center, the worm affected smaller computers that are used to handle electronic mail and exchanges of unclassified research results, said spokesman Tom LaPuzza. When the problem was first noticed at 8:30 p.m. Wednesday, the computers were shut down until noon the next day, he said. The command conducts research on naval warfare systems for the Navy.

Madden said he and others throughout the country are cooperating on tracking the worm back to its source. Already, it appears clear that it did not have a UCSD origin because the San Diego computers were affected much later than those elsewhere, he said.


“One theory is that this is someone’s master’s thesis, and that it’s been done for credit,” Madden said of the electronic talk going on Friday among computer users nationwide.

“Another is that this is somebody who thinks they’re doing the world a service by pointing out that these kinds of problems exist. The third possibility is that it’s just somebody seeking some publicity in the same way that people set fires. It could also be somebody who was mad at his managers,” he said.

For Elman, the worm was an impressive enemy.

“It was quite virulent,” he said. “Fortunately, the only damage was the machine slowed down and I lost about five hours of sleep.”