|Place of Origin||Neuchatel, Switzerland|
|File Type(s)||.com (DCL script file)|
The worm, a file named HI.COM, copies itself from one DECNET node to another. The worm on the infecting node attempts to run the copy of itself on the target node, either by Task Object 0, a program that allows task-to-task jobs to be run between two computer systems, or by using DECNET as both a username and password. If it is unable to run the copy on the target system, it will delete the HI.COM file on the target system.
If the infection is successful, HI.COM will load into memory. It will use the process name MAIL_178DC and delete the HI.COM file. The worm then sends a SYS$ANNOUNCE banner to 20597::PHSOLIDE. The worm then checks the system clock. If the date is past 1988.12.24 at 00:00 and before 00:30, it creates a list of all users on the system and sends an email to them. If it is past 00:30, the worm will simply stop executing.
The message will look something like this:
From: NODE::Father Christmas 24-DEC-1988 00:00
To: You...
Subj: Christmas Card.

Hi,

How are ya ? I had a hard time preparing all the presents. It isn't quite an easy job. I'm getting more and more letters from the children every year and it's not so easy to get the terrible Rambo-Guns, Tanks and Space Ships up here at the Northpole. But now the good part is coming. Distributing all the presents with my sleigh and the deers is real fun. When I slide down the chimneys I often find a little present offered by the children, or even a little Brandy from the father. (Yeah!) Anyhow the chimneys are getting tighter and tighter every year. I think I'll have to put my diet on again. And after Christmas I've got my big holidays :-).

Now stop computing and have a good time at home !!!!

Merry Christmas and a happy New Year

Your Father Christmas
In searching for a new system to infect, Father Christmas generates a random number. If the number is 0 or anything greater than 63*1024, the worm generates a new number. When a number fitting its specifications is found, it will send a copy of HI.COM to the new target.
The worm will not replicate after 1988.12.24 00:00.
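The indicators and timing described above can be turned into a small triage helper. This is an added example, not code from the worm or from the original reports: the function names and the sample log lines are constructed for illustration, and the address decoding assumes DECnet Phase IV numbering (address = area * 1024 + node), which the page does not state.

```python
import re
from datetime import datetime

# Indicators taken from the article text above.
INDICATORS = {
    "process_name": re.compile(r"\bMAIL_178DC\b"),
    "worm_file": re.compile(r"\bHI\.COM\b", re.I),
    "report_target": re.compile(r"\b20597::PHSOLIDE\b", re.I),
}
CUTOFF = datetime(1988, 12, 24, 0, 0)     # replication stops here
MAIL_END = datetime(1988, 12, 24, 0, 30)  # end of the mailing window

def decode_decnet(addr):
    """Split a 16-bit address into (area, node); assumes Phase IV numbering."""
    if not 0 < addr <= 0xFFFF:
        raise ValueError(f"not a 16-bit DECnet address: {addr}")
    return addr >> 10, addr & 0x3FF

def in_worm_target_range(n):
    """Range test from the article: 0 and values above 63*1024 are rejected."""
    return 0 < n <= 63 * 1024

def worm_phase(node_clock):
    """Behaviour the article describes for a given system clock value."""
    if node_clock < CUTOFF:
        return "replicating"
    if node_clock < MAIL_END:  # 00:00 itself is treated as inside the window
        return "mailing"
    return "stopped"

def scan(lines):
    """Return (line_number, indicator_name) for every indicator hit."""
    return [(i, name) for i, line in enumerate(lines, 1)
            for name, rx in INDICATORS.items() if rx.search(line)]

# Constructed sample lines (simplified, not real VMS accounting output).
SAMPLE = [
    "22-DEC-1988 17:01 NETACP  inbound copy  file=HI.COM  user=DECNET",
    "22-DEC-1988 17:01 PROCESS created name=MAIL_178DC",
    "22-DEC-1988 17:02 MAIL    outbound to 20597::PHSOLIDE",
    "22-DEC-1988 17:05 PROCESS created name=MAIL_1234",
]

if __name__ == "__main__":
    print("20597 decodes to area.node", decode_decnet(20597))
    print("indicator hits:", scan(SAMPLE))
```

Under that numbering, the upper bound 63*1024 in the worm's range check corresponds to the highest area number, 63.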
The worm was only able to execute on a few systems. About 6,000 systems were reported to have received the HI.COM file, but fewer than 2% actually executed the worm.
Father Christmas was released at the University of Neuchatel in Switzerland on 1988.12.22 at 21:52, Swiss time (20:52 GMT, or 16:52 Eastern United States time). It reached the Goddard Space Flight Center, located in a suburb of Washington DC, around 17:00, 8 minutes after being released.
The creator was never found. Several different people had access to the account PHSOLIDE, which sent the worm. An investigation determined that all logins to the account were valid, while some coming through the terminal server were suspect. The creator likely released the worm on campus.
The .com in the HI.COM file is not the same as that of a DOS executable. A DOS .com is a binary, while .com in this case is a DCL script file.