Anti-WANK and WANK_SHOT
R. Kevin Oberman (from DOE) and John McMahon (from NASA) wrote separate versions of an anti-WANK procedure and deployed them into their respective networks. It exploited the fact that before infecting a system, WANK would check for "NETW_(random number)", that is a copy of its own, in the process table. If one was found, the worm would destroy itself. When anti-WANK was run on a non-infected system, it would create a process named "NETW_(random number)" and just sit there. anti-WANK only worked against the earlier version of the worm, though, because the process name of the worm in a later version was changed to "OILZ".
Bernard Perrot of Institut de Physique Nucleaire in Orsay wrote a second program. The worm was trained to go after the RIGHTSLIST database, the list of all the people who have accounts on the computer. By renaming the database and putting a dummy database in its place, the worm would, in theory, go after the dummy, which could be designed with a hidden bomb. Ron Tencati, the SPAN Security Manager, obtained a copy of the French manager’s worm-killing program and gave it to McMahon, who tested it. It was then distributed to system administrators of both networks to be installed onto their computers. It still took weeks for the worm to be completely erased from the network.
Read more about this topic: WANK (computer Worm)