Father Christmas
Type: Internet worm
Creator:
Date Discovered: 1988.12.22
Place of Origin: Neuchatel, Switzerland
Source Language: DCL
Platform: VAX/VMS
File Type(s): .com (DCL script file)
Infection Length:
Reported Costs:

Father Christmas was an early worm that spread through the early DECnet Internet only a few days before Christmas in 1988. It appeared less than two months after the Morris worm.

Behavior

The worm, a file named HI.COM, copies itself from one DECnet node to another. The worm on the infecting node attempts to run the copy of itself on the target node, either through Task Object 0, a program that allows task-to-task jobs to be run between two computer systems, or by using DECNET as both the username and the password. If it is unable to run the copy on the target system, it deletes the HI.COM file on the target system.

If the infection is successful, HI.COM loads into memory. It uses the process name MAIL_178DC and deletes the HI.COM file. The worm then sends a SYS$ANNOUNCE banner to 20597::PHSOLIDE. The worm then checks the system clock. If the date is past 1988.12.24 at 00:00 and before 00:30, it creates a list of all users on the system and sends an email to them. If it is past 00:30, the worm simply stops executing.

The message will look something like this:

  From:   NODE::Father Christmas     24-DEC-1988  00:00
  To:  You...
  Subj:   Christmas Card.

  Hi,

  How are ya ? I had a hard time preparing all the  presents.  It
  isn't quite an easy job. I'm getting more and more letters from
  the children every year and it's not so easy to get the terrible
  Rambo-Guns, Tanks and Space Ships up here at the 
  Northpole. But now the good part is coming.  Distributing all 
  the presents with my sleigh and the deers is real fun. When I
  slide down the chimneys I often find a little present offered by
  the children, or even a little Brandy from the father.  (Yeah!) 
  Anyhow the chimneys are getting tighter and tighter every 
  year. I think I'll have to put my diet on again.  And after
  Christmas I've got my big holidays :-).

  Now stop computing and have a good time at home !!!!

  Merry Christmas
  and a happy New Year

  Your  Father Christmas

When searching for a new system to infect, Father Christmas generates a random number. If the number is 0 or anything greater than 63*1024, the worm generates a new number. When a number fitting its specifications is found, it sends a copy of HI.COM to the new target.

The worm will not replicate after 1988.12.24 00:00.
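The range check above is easier to read once the numbers are decoded as DECnet addresses. The following is an added example for analysts, not the worm's DCL code and not taken from the cited reports; it assumes the DECnet Phase IV layout (address = area * 1024 + node, areas 1-63, nodes 1-1023), which this page does not state, and all function names are hypothetical.

```python
# Added illustration (not the worm's DCL). Function names are hypothetical.
# Background assumption: DECnet Phase IV address = area * 1024 + node,
# with valid areas 1-63 and valid nodes 1-1023.
NODES_PER_AREA = 1024
UPPER_BOUND = 63 * 1024  # limit quoted in the text


def decode(addr):
    """Split a 16-bit numeric DECnet address into (area, node)."""
    if not 0 <= addr <= 0xFFFF:
        raise ValueError("not a 16-bit DECnet address: %r" % addr)
    return divmod(addr, NODES_PER_AREA)


def encode(area, node):
    """Inverse of decode(), for checking a site's own area.node addresses."""
    if not (0 <= area <= 63 and 0 <= node <= 1023):
        raise ValueError("area/node out of range")
    return area * NODES_PER_AREA + node


def passes_range_check(addr):
    """Rule as the text states it: reject 0 and anything above 63*1024."""
    return 0 < addr <= UPPER_BOUND


def is_valid_phase_iv(addr):
    """True when the value is a usable address under the assumed layout."""
    area, node = decode(addr)
    return 1 <= area <= 63 and 1 <= node <= 1023


def coverage():
    """Return (accepted values, accepted values that are real addresses)."""
    accepted = [a for a in range(0x10000) if passes_range_check(a)]
    return len(accepted), sum(is_valid_phase_iv(a) for a in accepted)


if __name__ == "__main__":
    print("20597 ->", "%d.%d" % decode(20597))
    print("accepted / addressable:", coverage())
    # Constructed sample nodes for a site inventory check.
    for area, node in [(6, 133), (62, 1023), (63, 1)]:
        print("%d.%d in candidate range: %s"
              % (area, node, passes_range_check(encode(area, node))))
```

Under these assumptions, 20597 in 20597::PHSOLIDE decodes to node 20.117, and 1,086 of the 64,512 values the check accepts (area 0 and node 0 values) are not usable addresses. Nodes 1-1023 of area 63 fall above 63*1024 and so lie outside the candidate range as the rule is stated here.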

Effects

The worm was only able to execute on a few systems. About 6,000 systems were reported to have received the HI.COM file, but less than 2% actually executed the worm.

Other Facts

Father Christmas was released at the University of Neuchatel in Switzerland on 1988.12.22 at 21:52, Swiss time (20:52 GMT, or 16:52 Eastern United States time). It reached the Goddard Space Flight Center, located in a suburb of Washington DC, around 17:00, 8 minutes after being released.

The creator was never found. Several different people had access to the account PHSOLIDE, which sent the worm. An investigation determined that all logins to the account were valid, while some coming through the terminal server were suspect. The creator likely released the worm on campus.

The .com in the HI.COM file is not the same as that of a DOS executable. A DOS .com is a binary, while .com in this case is a DCL script file.
