As a last resort, the Worm would open up the file /usr/dict/words, which is a huge file on most systems forming an on line dictionary. It would then try encrypted versions of every word in this dictionary against the encrypted password in /etc/passwd looking for a match. If the word was capitalized in the dictionary, it would be tried a second time in all lower case. As /usr/dict/words contains a huge number of words, this portion of the Worm took an inordinately long time to run.
As before, if a match was found, the function attack-user was called. After the entire dictionary had been tested, the phase counter would be advanced to 4 and no more password cracking would be attempted. At this point, the flow of control would return to the main loop in the doit function. No worm ever got that far since, at the rate at which the Worm operated, it would take around 4 weeks for the Worm to get through the average on-line dictionary. The last running copy of the Worm died after 4 days.