Christmas tree
Christmas Tree
Type Mass mailer worm
Date Discovered 1987.12.09
Place of Origin Clausthal-Zellerfeld, Germany
Source Language REXX
Platform REXX on VM/CMS
File Type(s) .EXEC
Infection Length 2,479 bytes
Reported Costs

Christmas Tree was an early mass-mailing worm coded in late 1987, whose most prominent feature was an ASCII art Christmas tree. Christmas Tree was the first program to paralyse a network and hilight the need to educate computer users about the dangers of opening strange email attachments.


The program arrives in an email with the subject line "Let this exec run and enjoy yourself!". The user must execute the program by typing christma or christmas. When executed, Christmas Tree displays an ASCII Christmas tree. It then reads the files NAMES and NETLOG, files containing the addresses of communication partners, and mails itself to every email address in them.

Bitnet nodes send a message back to the sender for every file that passes through them. Depending on how many nodes a single copy of the worm passed through until it reached its destination computer, it could generate from one to twenty messages on the sender's screen. With many copies of the worm being sent at once, hundreds of lines could be generated on a user's screen, interrupting work.

The Christmas tree looks similar to this:

         *************                A
          ***********                VERY
      *******************            HAPPY
        ***************            CHRISTMAS
    ***********************         AND MY
      *******************         BEST WISHES
  ***************************     FOR THE NEXT
            ******                    YEAR

A comment inside the Christmas Tree source code contains the comment:

  browsing this file is no fun at all
  just type CHRISTMAS from cms

The worm will not run on any systems other than VM/CMS. A computer with a REXX interpreter may be able to display the greeting, but NAMES and NETLOG are unique to the VM/CMS system, and therefore the worm will be unable to collect the contact information necessary to replicate itself.


The first known infection of Christmas Tree was reported in 1987 on December 9th. Christmas Tree made it onto the EARNet (European Academic Research Network), and from there to BITNET and finally spread to IBM's VNet electronic mail network by December 15th. On Bitnet, it was contained and mostly destroyed by December 14. IBM's VNet was paralysed on 1987.12.17 and brought to a standstill two days later, only getting rid of the worm by shutting down the network. All of the networks it spread on experienced some disruption.

In 1990, Christmas Tree resurfaced after being posted to Usenet. IBM was forced to shut down its 350,000-terminal network in order to disinfect the network.


The worm was created by an unnamed student at the University of Clausthal in former West Germany. The creator was found at least by December 21 and barred from using his/her system. The author said that the damage was unintentional and that the program was written to send Christmas greetings to his friends.

Other Facts

Its status as a trojan or a worm is a subject of debate, and many people have made good cases for both sides. Those who believe it is a trojan cite the fact that it requires the user to download and run the attachment to make it replicate. One particularly interesting case says that the worm needs to send a small piece of itself like an exploit to determine if the system is hospitable or not. Currently the Virus Encyclopedia refers to the Christmas Tree program as a worm.

Holiday-themed worms and viruses became a common theme since worms and viruses became so popular. The big worm threat of the next year would be the Father Christmas worm. There is a variant of the Vienna virus named Chionka (Polish for christmas tree) that displays a very similar tree and greeting. A virus a couple years later named Tannenbaum, also from Germany, would be notable for displaying an ASCII Christmas tree. In the era of worms in the early 2000's, worms such as Quizy and Navidad have Christmas mentioned in their email or attachment as a tactic to get the user to open them. Dasher was likely named for making its run around the time of the Christmas holiday. Maldal has a Christmas theme as a part of its payload.


Ross Patterson. The Risks Digest, "Re: IBM Christmas Virus", Volume 5: Issue 80. 1987.12.21

VX Heavens, "Viruses for the "Exotic" Platforms".

Otto Stolz. VIRUS-L Digest, Volume 5, Issue 178, "Re: CHRISTMA: The "Card"! (CVP)". 1992.11.12

Bridget Rutty, -, -, Issue 195. 1992.12.02

Wes Morgan. Computer Underground Digest, Volume 2, Issue #2.07. 1990.10.15

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License