The WANK/OILZ incident on DECNET in 1989

I am on a quest to uncover and save/archive the worm code that spread on the NASA/DoE/CERN/EASYNET DECNet in 1989.

I have recovered two variants (of the initial WANK worm). Those are now publicly accessible.
There are AT LEAST two (maybe more) additional variants - one that has a line to avoid infecting the New Zealand DECNET area, one that uses the process name OILZ_* instead of NETW_*.

It’s a real hail mary pass, but if folks here have seen samples, I’d love to talk to you.

Welcome! If you’ve recovered two variants, please publish and share! (Archive.org will take anything)

For reference, as you’ve probably done this, I searched and found a couple of relevant Usenet threads:

Unix Virus Query by Terry Arnold 28 Jul 1994 (19 messages)

I was asked a question today about Unix virus detection utilities and how many
Unix viruses were around. I am now passing the questions on to this august
body.

WANK worm infects VMS computers at NASA/DOE by Julian Assange 22 Jun 1997

This new book looks kind of interesting :wink:
Underground; Tales of Hacking, Madness and Obsession on the Electronic
Frontier, by Suelette Dreyfus; published by Mandarin (Random House
Australia); (P) 475 pages with bib. http://www.underground-book.com/

Edit: related resources perhaps

A README found in this directory with advisories and descriptions

This file: ftp://ftp.cert.dfn.de/pub/docs/worm/decnet/01-README

information about this subdirectory:
Two known worms attack SPAN/HEPNet in 1988 and 1989. They were
named “Father Christmas” and “WANK”/“OILZ”.


file: /pub/docs/worm/decnet/CA-89:04.decnet.wank.worm.gz (3781 Bytes)
Warning about the “WANK” worm which attacked DECnet hosts.

file: /pub/docs/worm/decnet/a-02.ciac-vms-worm-w_com.gz (3891 Bytes)
The W.COM Worm affecting VAX VMS Systems.

file: /pub/docs/worm/decnet/a-03.ciac-wank-worm.gz (5138 Bytes)
Tools available to check the spread of the “WANK” Worm.

file: /pub/docs/worm/decnet/a-04.ciac-new-wank-worm.gz (2450 Bytes)
Information about a new version of the “WANK” worm.

file: /pub/docs/worm/decnet/ddn-mgt-bulletin-50.txt.gz (3551 Bytes)
Worm (Benign) / DDN Network Info Center. - DDN MGT Bulletin 50. -
Dec 23, 1988.

file: /pub/docs/worm/decnet/ddn-sec-bulletin-03.txt.gz (4313 Bytes)
W.COM (“WANK”) WORM ON SPAN NETWORK / DDN Network Info Center. -
DDN Security Bulletin 03. - Oct 18, 1989.

file: /pub/docs/worm/decnet/wank-01.txt.gz (7541 Bytes)
INFORMATION REGARDING THE DECNET WORM AND PROTECTION MEASURES / SPAN
MANAGEMENT OFFICE. - INTRANETWORK MEMORANDUM. - Oct 19, 1989.

file: /pub/docs/worm/decnet/wank-02.txt.gz (848 Bytes)
Another Memo from Ron Tencati, dated Oct 23, 1989.

file: /pub/docs/worm/decnet/wank-03.txt.gz (3310 Bytes)
SECURITY GUIDELINES TO BE FOLLOWED IN LATEST WORM ATTACK / SPAN MANAGEMENT
OFFICE. - INTRANETWORK MEMORANDUM. - Oct 30, 1989.

file: /pub/docs/worm/decnet/wank-04.txt.gz (1919 Bytes)
NETWORK SECURITY SUPPLEMENTAL INFORMATION - PROTECTING THE DECNET ACCOUNT
/ Ron Tencati.

Edit: the text of the worm’s announcement

      W O R M S    A G A I N S T    N U C L E A R    K I L L E R S
    _______________________________________________________________
    \__  ____________  _____    ________    ____  ____   __  _____/
     \ \ \    /\    / /    / /\ \       | \ \  | |    | | / /    /
      \ \ \  /  \  / /    / /__\ \      | |\ \ | |    | |/ /    /
       \ \ \/ /\ \/ /    / ______ \     | | \ \| |    | |\ \   /
        \_\  /__\  /____/ /______\ \____| |__\ | |____| |_\ \_/
         \___________________________________________________/
          \                                                 /
           \    Your System Has Been Officically WANKed    /
            \_____________________________________________/

     You talk of times of peace for all, and then prepare for war.

Samples are stored here, on Virus History Project.

(There’s a lot of code for other OS’s as well)

Usenet:
Thank you :slight_smile: Yeah I’ve prowled those threads. I also used to hang out on those groups back in the day. The downside is that posting malcode on those groups was very much frowned upon, so there’s not a lot to be found. Samples were exchanged on email or ftp, usually pgp’d. So I’m really down to what individuals have somehow stored since then.
