Morris Worm Decompiled (1988) (foo.be)
63 points by paran on Nov 17, 2010 | 27 comments



Excerpt from the Wikipedia article about the worm's author:

Morris is an American professor at Massachusetts Institute of Technology. He co-founded the online store Viaweb, one of the first web-based applications, with Paul Graham.

http://en.wikipedia.org/wiki/Robert_Tappan_Morris


He also wrote a good chunk of the code you used to post this comment.



He also worked on Chord, which became a basis for distributed hash tables and a few other things. He is as successful as a researcher as he has been with the whole gaining tenure and doing viaweb/ycombinator with pg thing.

Frankly he's up there with Steve Jobs and maybe Fabrice Bellard in terms of "people who I'd like to know what it is they're doing so right so consistently." It's the consistency that tends to surprise me.


"Robert Morris was tried and convicted of violating the 1986 Computer Fraud and Abuse Act. After appeals he was sentenced to three years probation, 400 hours of community service, and a fine of $10,000.[6]"


This looks like it's not the original source code and was just reconstructed by hand from a disassembly/"decompile" of the worm.


Yep, that's correct--as far as I know, the original source code isn't actually available anywhere.

Three independent groups, at Berkeley, MIT, and Purdue disassembled the .o and poked at its contents, slowly figuring it out.

Mark Eichin's timeline (http://web.mit.edu/user/e/i/eichin/www/virus/chronology.html) is a fun read, written from the MIT viewpoint, that chronicles how the Unix nerd community basically sprang up to dissect and deal with the worm, and contains a section on their attempts to disassemble the worm.


Just out of curiosity, what makes you think that?


The comments, mostly. For example:

    object objects[69];				/* Don't know how many... */
    
    /* This report a sucessful breakin by sending a single byte to "128.32.137.13"
     * (whoever that is). */

    /* This appears to be a structure unique to this program.  It doesn't seem that
     * the blank slots are really an array of characters for the hostname, but
     * maybe they are.
     */

    /* There are pieces of "stub" code, presumably from something like this to
       get rid of error messages */


>>(whoever that is)

Berkeley, apparently.


The offset is there as a comment next to each declaration.


Here is the original source code:

http://en.wikipedia.org/wiki/File:Morris_Worm.jpg


That's a picture of a floppy disk in a museum, though -- and it too probably contains the disassembled source code :)

If I had to guess, the only people who had access to the original source are rtm, whoever he gave it to, and whoever accessed his account at Cornell when they looked through his homedir.

And it's unlikely that any of them would have distributed it. Remember, at the time this code was potentially really dangerous; this was essentially a new type of attack that folks weren't really ready or prepared to defend against.



More hilarious, though, is the local news coverage of the event: http://www.youtube.com/watch?v=G2i_6j55bS0


I love the taglines (somebody make this movie!):

"The students were safe. Their computers weren't."

"The suspect, somewhere, a dark genius."

"I suspect it's an 'A' student. A good 'A' student."


The footage of E.T. for the Atari 2600 was a nice, if utterly nonsensical, touch.


Don't forget his father Robert T. Morris Sr., who wrote the passwd program for Unix and worked at the NSA when the worm got loose.


This isn't the actual source code. As far as I know, only a small piece of the real worm's code ever got published, and that was in the Cornell Report, Cornell University's post mortem. This isn't the code in the Cornell Report.

Someone in 1989 or 1990 ran an ad in the back of "2600" magazine, selling the source code on paper. I bought a copy back then; I can remember the date because of the apartment I was in when I read the code. I think the "2600" version is the same as this one, but with some different header comments.

I have a copy of this code from a tar archive with date of 1991-06-05 on it, so it's been floating around the Internet for almost 20 years at this point.


@gnosis and sparky,

Text offsets are also put in comments next to the function declarations. For example: "h_clean() /* 0x31f0 */"


@tylernol: you know this is a threaded conversation forum, right? Click "reply" (right under the comment you want to discuss) next time, and your comment will be nested properly.


Indeed. Those I figured were from a tool, but the ones with confused-sounding prose were dead giveaways.


I wonder how he devised (or found) the list of potential passwords (cracksome.c.txt)


According to legend, this was supposed to be merely a proof of concept, but a bug in the code caused it to replicate uncontrollably. Does anybody know what that bug was?


> The worm could have determined whether to invade a new computer by asking if there was already a copy running. But just doing this would have made it trivially easy to kill; everyone could just run a process that would answer "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times.[2] This level of replication proved excessive and the worm spread rapidly, infecting some computers multiple times. Morris remarked, when he heard of the mistake, that he "should have tried it on a simulator first."

-http://en.wikipedia.org/wiki/Morris_worm
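A toy model of the rule quoted above, added here as an illustration (it is not code from the worm or from any commenter): it compares a copy that always stays away on "yes" with one that installs anyway 1 time in 7. The host count, round count, uniform random probing and the `simulate` name are assumptions made for the example.

```python
import random


def simulate(hosts, rounds, reinfect_one_in, seed=1988):
    """Return the number of running copies per host after `rounds` rounds.

    reinfect_one_in=None: a copy always stays away when told "yes".
    reinfect_one_in=7:    a copy installs anyway 1 time in 7 (quoted rule).
    Assumed model: every running copy probes one uniformly random host
    per round; nothing ever removes a copy.
    """
    rng = random.Random(seed)   # fixed seed keeps the run repeatable
    copies = [0] * hosts
    copies[0] = 1               # one initial copy
    for _ in range(rounds):
        new = [0] * hosts
        # Copies started this round begin probing in the next round.
        for _ in range(sum(copies)):
            target = rng.randrange(hosts)
            if copies[target] + new[target] == 0:
                new[target] += 1        # answer was "no": install
            elif reinfect_one_in and rng.randrange(reinfect_one_in) == 0:
                new[target] += 1        # answer was "yes", ignored
        copies = [c + n for c, n in zip(copies, new)]
    return copies


def summary(copies):
    """(total copies, worst-case copies on a single host)."""
    return sum(copies), max(copies)


if __name__ == "__main__":
    for label, rate in (("always stay away", None), ("1 in 7", 7)):
        total, worst = summary(simulate(200, 40, rate))
        print(f"{label:>16}: {total} copies, up to {worst} on one host")
```

With the "always stay away" rule the population stops at one copy per host; with the 1-in-7 rule every probe of an already-infected host has a chance of adding a process, so per-host load keeps compounding round after round.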


"One in seven?! rtm, you jerk! Why seven?"

Excerpted from the book Cyberpunk: Outlaws and Hackers on the Computer Frontier (published 1991). The quoted speaker is Paul Graham.




