RootsWeb.com Mailing Lists
Subject: [COSANJUA] URGENT from List Owner
From: Jack & Addie Morrissey
Good afternoon all,

I do not believe in postings regarding viruses because most people run crazy with them before they even check them out. Because of the volume of work I do on the Internet, I am subscribed to Norton & their lists for updates. This just came to me. I thought you all might want to know because I am not the only one downloading and accepting files.

Addie

==========================

R U S H - K I L L E R   V I R U S   A L E R T !

At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!) the FBI announced it had discovered malicious code wiping out the data on hard drives and dialing 911. This is a vicious virus and needs to be stopped quickly. That can only be done through wide-scale individual action. Please forward this note to everyone you know who might be affected.

The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm

The 911 virus is the first "Windows shares virus." Unlike recent viruses that propagate through eMail, the 911 virus silently jumps directly from machine to machine across the Internet by scanning for, and exploiting, open Windows shares. After successfully reproducing itself in other Internet-connected machines (to assure its continued survival) it uses the machine's modem to dial 911 and erases the local machine's hard drive.

The virus is operational; victims are already reporting wiped-out hard drives. The virus was launched through AOL, AT&T, MCI, and NetZero in the Houston area. The investigation points to relatively limited distribution so far, but there are no walls in the Internet.

-----------------
Action 1: Defense
-----------------

Verify that your system and those of all your coworkers, friends, and associates are not vulnerable by verifying that file sharing is turned off.

* On a Windows 95/98 system, system-wide file sharing is managed by selecting My Computer, Control Panel, Networks, and clicking on the File and Print Sharing button. For folder-by-folder controls, you can use Windows Explorer (Start, Programs, Windows Explorer), highlight a primary folder such as My Documents, then right mouse click and select Properties. There you will find a tab for Sharing.

* On Windows NT, check Control Panel, Server, Shares.

For an excellent way to instantly check system vulnerability, and for detailed assistance in managing Windows file sharing, see: Shields Up! A free service from Gibson Research (http://grc.com/)

-------------------
Action 2: Forensics
-------------------

If you find that you did have file sharing turned on, search your hard drive for hidden directories named "chode", "foreskin", or "dickhair" (we apologize for the indiscretion - but those are the real directory names). These are HIDDEN directories, so you must configure the Find command to show hidden directories. Under the Windows Explorer menu choose View/Options: "Show All Files". If you find those directories: remove them.

And, if you find them, and want help from law enforcement, call the FBI National Infrastructure Protection Center (NIPC) Watch Office at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary job of getting data out early on this virus and deserves both kudos and cooperation. You can help the whole community by letting both the FBI and SANS (intrusion@sans.org) know if you've been hit, so we can monitor the spread of this virus.

--------------
Moving Forward
--------------

The virus detection companies received a copy of the code for the 911 Virus early this morning, so keep your virus signature files up-to-date. We'll post new information at www.sans.org as it becomes available.

Prepared by:
Alan Paller, Research Director, The SANS Institute
Steve Gibson, President, Gibson Research Corporation
Stephen Northcutt, Director, Global Incident Analysis Center

==========================

[From the Symantec AntiVirus Research Center Virus Encyclopedia, © 1995-2000 Symantec Corporation. All rights reserved.]

BAT.Chode.Worm

Detected as: BAT.Chode.Worm
Aliases: Chode, Foreskin, BAT911
Infection Length: Multiple batch files
Area of Infection: Shared drive
Trigger Dates: 19th of the month
Characteristics: Worm, Batch

Description

BAT.Chode.Worm is an internet worm that uses BAT files. It searches through a range of IP addresses of known ISPs to find an accessible computer. If an accessible computer has its C drive shared, it will copy its files into the other computer.

Technical Description

BAT.Chode.Worm uses multiple BAT files and some system programs to spread itself through an internet connection. It searches through a range of IP addresses of known ISPs to find an accessible computer. If an accessible computer has a shared drive that is not password protected, the worm checks for the presence of the file C:\WINDOWS\WIN.COM. If such a file is present, it assumes the shared drive is the C drive of the other computer. It will then copy its files into the other computer's C:\PROGRA~1\CHODE directory.

The main batch file assumes it is running from the C:\PROGRA~1\CHODE directory. When launched, it searches for an accessible subnet on several ISPs:

  att.net (ATT Worldnet)
  bellsouth.net (BellSouth Net)
  level3.net (Level3 Net)
  aol.com (America Online)
  mindspring.com (Mindspring)
  earthlink.net (Earthlink)
  air.on.ca (Air.Internet in Canada)
  psi.net (PSInet)

Once the worm finds an accessible subnet, it will search for an accessible shared drive. If there is no accessible shared drive in the subnet, it will repeat the subnet search above.

Once the worm finds an accessible shared drive, it will do a quick test to see if the drive is the C drive. If it is the C drive, it will map the shared drive. After mapping the drive, it makes sure that it hasn't infected this mapped drive. While performing the check, it also searches for and removes VBS.Network, a worm that uses VBS script. Then, it verifies the writability of the drive, and proceeds to copy its files to the other computer. While copying its files to the other computer, it adds the following:

  * A call to a batch file that dials 911 using the computer modem into the C:\AUTOEXEC.BAT. This modification is done one out of five times.
  * ashield.pif into the Program-StartUp of the infected machine. This PIF file hides the worm when it is launched.
  * netstat.pif into the Program-StartUp of the infected machine. This PIF file hides the netstat utility that it uses.
  * winsock.vbs into the Program-StartUp of the infected machine. This VBS carries its payload.
  * A log of the infection in the file C:\PROGRAM FILES\chode\chode.txt of the source computer.

The worm also uses a freeware utility to hide its activity. The freeware utility is a win32 program that the worm names ASHIELD.EXE. NAV will not detect this utility.

Payload

The WINSOCK.VBS is launched when Windows starts on an infected computer. On the 19th of the month, this VBS script deletes files from the following directories:

  C:\windows
  C:\windows\system
  C:\windows\command
  C:\

Then, it displays two message boxes:

  You Have Been Infected By Chode
  You may now turn this piece of shit off!

Repair Notes

Delete the C:\Program Files\Chode directory.
Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\ASHIELD.PIF
Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NETSTAT.PIF
Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINSOCK.VBS

Thank you,
Jack & Addie Morrissey

Remember "The Truth Is Out There"
Proper Citation is essential to a credible genealogy
===============
cuznsrus@mindspring.com
Our Home Page: http://www.geocities.com/Heartland/5978/
PROUD MEMBER OF: G. J. W. Chapter of the DAR http://www.geocities.com/Heartland/Meadows/3361
County Coordinator for USGenWeb Project Colorado Counties:
  Hinsdale Cty. http://www.rootsweb.com/~cohinsda/index.htm
  Kit Carson Cty. http://www.rootsweb.com/~cokitcar/index.htm
  La Plata Cty. http://www.rootsweb.com/~colaplat/colaplat.htm
  San Juan Cty. http://www.rootsweb.com/~cosanjua/index.htm
Colorado USGenWeb Photo Archive Coordinator / Webmaster: http://www.rootsweb.com/~cophotos/index.htm
List owner for the following Rootsweb County Mail Lists: Hinsdale, Kit Carson, La Plata & San Juan Counties Colorado
Webmaster for Morris Family Association: http://genweb.net/~morris/
Member of NEHGS
Member of Brown Family Genealogical Society
Member of Disabled Veterans Association
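Added example (not part of the original post, the SANS alert, or the Symantec write-up): a small Python triage script that automates the "Action 2: Forensics" search and the Symantec repair notes quoted above. Given a directory tree standing in for a Windows 9x C: drive (a mounted image, or a copied-off drive), it reports directories named chode, foreskin or dickhair, the three start-up items (ASHIELD.PIF, NETSTAT.PIF, WINSOCK.VBS), and AUTOEXEC.BAT lines that reference the worm's directory. Two things in it are assumptions rather than facts from the page: that the 911-dialling batch file called from AUTOEXEC.BAT sits under the CHODE directory the worm creates (so any AUTOEXEC.BAT line mentioning "chode" is flagged), and the file name DIAL.BAT used in the constructed sample drive. The sample drive is built in a temporary directory so the script runs offline.

```python
"""Offline triage for the BAT.Chode.Worm indicators quoted above.

Walks a directory tree that stands in for a Windows 9x C: drive and reports
three things the alert and the Symantec write-up tell you to look for:
  * directories named chode, foreskin or dickhair (the hidden attribute does
    not hide them from os.walk, so no "Show All Files" step is needed)
  * ASHIELD.PIF / NETSTAT.PIF / WINSOCK.VBS in the Programs\\StartUp folder
  * AUTOEXEC.BAT lines that reference the worm's directory
"""
import os
import re
import shutil
import tempfile

# Indicators taken from the SANS alert and the Symantec write-up above.
WORM_DIR_NAMES = {"chode", "foreskin", "dickhair"}
STARTUP_ITEMS = {"ashield.pif", "netstat.pif", "winsock.vbs"}
STARTUP_DIR = ("windows", "start menu", "programs", "startup")
# Assumption (not stated on the page): the 911-dialling batch file that the
# worm calls from AUTOEXEC.BAT lives under the CHODE directory it creates, so
# any AUTOEXEC.BAT line mentioning "chode" is flagged for review.
AUTOEXEC_HINT = re.compile(r"chode", re.IGNORECASE)


def _find_ci(dirpath, name):
    """Case-insensitive lookup of one directory entry (a FAT drive is
    case-insensitive; the Linux temp tree used for the demo is not)."""
    for entry in os.listdir(dirpath):
        if entry.lower() == name.lower():
            return os.path.join(dirpath, entry)
    return None


def scan_drive(root):
    """Return a list of (indicator, detail) tuples found under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in WORM_DIR_NAMES:
                findings.append(("worm_directory", os.path.join(dirpath, d)))
        rel = os.path.relpath(dirpath, root)
        parts = () if rel == "." else tuple(p.lower() for p in rel.split(os.sep))
        if parts == STARTUP_DIR:
            for f in filenames:
                if f.lower() in STARTUP_ITEMS:
                    findings.append(("startup_item", os.path.join(dirpath, f)))
    autoexec = _find_ci(root, "AUTOEXEC.BAT")
    if autoexec is not None:
        with open(autoexec, encoding="latin-1") as fh:
            for lineno, line in enumerate(fh, 1):
                if AUTOEXEC_HINT.search(line):
                    findings.append(("autoexec_line", f"{lineno}: {line.strip()}"))
    return findings


def build_sample_drive():
    """Constructed sample (not real forensic data): a minimal infected C:
    layout in a fresh temp directory. DIAL.BAT is an assumed file name."""
    root = tempfile.mkdtemp(prefix="chode_triage_")
    startup = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp")
    os.makedirs(startup)
    os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM"))   # benign
    os.makedirs(os.path.join(root, "PROGRA~1", "CHODE"))   # worm's home
    for item in ("ASHIELD.PIF", "NETSTAT.PIF", "WINSOCK.VBS"):
        open(os.path.join(startup, item), "w").close()
    # newline="" keeps the DOS CRLF line endings exactly as written
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w", newline="") as fh:
        fh.write("@ECHO OFF\r\n"
                 "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
                 "CALL C:\\PROGRA~1\\CHODE\\DIAL.BAT\r\n")
    return root


def summarize(findings):
    """Count findings per indicator, e.g. {'worm_directory': 1, ...}."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    drive = build_sample_drive()
    try:
        results = scan_drive(drive)
        for kind, detail in results:
            print(f"{kind:15s} {detail}")
        print(summarize(results))
    finally:
        shutil.rmtree(drive)
```

To use it on a real drive, point scan_drive() at the root of the mounted image instead of build_sample_drive(). Matching is by name only, exactly as the alert describes, so a hit is a lead to inspect by hand (and, per the Symantec notes, the CHODE directory and the three start-up files are what gets deleted), not a verdict.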

Date: 04/02/2000 02:02:55