Went into Explorer and searched for a file created/named either Chode, Dickhair or Foreskin, and it was there... created several hours earlier. Just deleted the file, then deleted it from my Recycle Bin.

-----Original Message-----
From: CID at KID'S CORNER <cathez@teleport.com>
To: KNAPP-L@rootsweb.com <KNAPP-L@rootsweb.com>
Date: Sunday, April 02, 2000 9:56 PM
Subject: Re: [KNAPP] You guys are life savers

>how did you check it and get rid of it.?
>Cathy
>-----Original Message-----
>From: Melody Campagna <droponin@home.com>
>To: KNAPP-L@rootsweb.com <KNAPP-L@rootsweb.com>
>Date: Sunday, April 02, 2000 7:02 PM
>Subject: [KNAPP] You guys are life savers
>
>>Managed to get rid of it but will check daily to see if it comes back.
>>Melody(Knapp) Campagna
>>http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

Okay, I think I've figured out why we all (including me...I got it, too) got this...It's the way our networking is set up. Our port 139's are wide open and THAT's how the worm is getting into our systems. I HIGHLY recommend going to the GRC site (Shields Up!) at: http://grc.com/su-911.htm and read the instructions on "What Can I Do?" and "Network Bondage" (You'll find the links at the bottom of the page). There are instructions to help you close up your Port 139. Then there's a test to make sure it's closed, and I'm about to go take it. Wish me luck! Heidi
I had it on two computers; one with AOL and one with the local cable modem. So it isn't just this list. It freaks me out because I have a home based secretarial service and I can't be giving my clients viruses!! Like Ellen says, why people can't use their creativity to do good instead of evil is any person's guess. So sad.....
That IS scary...I've been through my files fairly thoroughly already this morning (I did the FIND thing in Windows Explorer and it didn't come up with anything), plus I've checked my Temp files and Temp Internet files. Is there anything else we should be checking? Where else would it be? Heidi
Mine aren't checked and I still got it. That is what worries me!!
In a message dated 4/3/00 8:04:41 AM Central Daylight Time, LDSMommy@aol.com writes:

<< Melody, Have you turned off your file & printer sharing mode? If you have windows 95 or 98, go to My Computer (should be on your desktop), Control Panel, Network, and then when that window pops up, find the bar that says something like "Sharing" and then make sure there are no check marks in the boxes that say you want to share files and share your printer. Heidi >>

Since I know nothing of computers - what is "file & printer sharing mode"????? If I am in it - why am I in it? I will check out like you said to do, but what will I lose if I turn it off? thanks (not dumb, just don't know computers)
Shirley

Melody, Have you turned off your file & printer sharing mode? If you have windows 95 or 98, go to My Computer (should be on your desktop), Control Panel, Network, and then when that window pops up, find the bar that says something like "Sharing" and then make sure there are no check marks in the boxes that say you want to share files and share your printer. Heidi
Melody, There are a couple of URL's (or even phone numbers, if I recall correctly) at which you can report this, and they might know how to get rid of it. I would check Symantec's site also. Good luck! Heidi
I just found it too!!! EVERYONE on this list should check their computers!! Looks like we are possibly "passing it around". I just hope deleting it worked. Is there anyone out there on windows '98 who can tell me how to find out if you are set up to share files or not? I looked and it does not look like I am set up, but I still got it. I must have done something wrong! Also, how do I find the hidden files/folder for explorer to search? I told it to search everything. I apologize for using this list for this reason, but I think it is affecting us all and we need to get rid of it! Thanks! Kim
People on this list sent the url so I went there then checked what they said to check and it was in windows temporary.
Melody(Knapp) Campagna
http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

----- Original Message -----
From: CID at KID'S CORNER <cathez@teleport.com>
To: <KNAPP-L@rootsweb.com>
Sent: Sunday, April 02, 2000 6:55 PM
Subject: Re: [KNAPP] You guys are life savers

> how did you check it and get rid of it.?
> Cathy
> -----Original Message-----
> From: Melody Campagna <droponin@home.com>
> To: KNAPP-L@rootsweb.com <KNAPP-L@rootsweb.com>
> Date: Sunday, April 02, 2000 7:02 PM
> Subject: [KNAPP] You guys are life savers
>
> >Managed to get rid of it but will check daily to see if it comes back.
> >Melody(Knapp) Campagna
> >http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

Thanks
Melody(Knapp) Campagna
http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

----- Original Message -----
From: Ellen <ellenrudd@ameritech.net>
To: <KNAPP-L@rootsweb.com>
Sent: Sunday, April 02, 2000 7:58 PM
Subject: Re: [KNAPP] You guys are life savers

> Click on Start, then select Find from the menu. Type in chode in the file
> name box. It will find it. You can delete it right from there. It was in
> a Windows/Program file. I went in to Windows Explorer, Temporary AND
> Temporary Internet, and deleted all the files in those folders as well just
> for good measure, but that was probably over-kill.
>
> Ellen
> ----- Original Message -----
> From: CID at KID'S CORNER <cathez@teleport.com>
> To: <KNAPP-L@rootsweb.com>
> Sent: Sunday, April 02, 2000 8:55 PM
> Subject: Re: [KNAPP] You guys are life savers
>
> > how did you check it and get rid of it.?
> > Cathy
> > -----Original Message-----
> > From: Melody Campagna <droponin@home.com>
> > To: KNAPP-L@rootsweb.com <KNAPP-L@rootsweb.com>
> > Date: Sunday, April 02, 2000 7:02 PM
> > Subject: [KNAPP] You guys are life savers
> >
> > >Managed to get rid of it but will check daily to see if it comes back.
> > >Melody(Knapp) Campagna
> > >http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

https://grc.com/x/ne.dll?bh0bkyd2

This link will let you know if you can be accessed. If you need a firewall which blocks access please email me and I will send the attachment. I just received it after finding I was wide open to the virus you guys posted.
Melody(Knapp) Campagna
http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

Managed to get rid of it but will check daily to see if it comes back. Melody(Knapp) Campagna http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/
I also have it but mine won't let me delete it; it says it is write protected, so now what? I'm running Norton 2000 now and hope it will pick it up. Help before the 19th hits, as that's when it activates.
Melody(Knapp) Campagna
http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

----- Original Message -----
From: <JKRINGER@aol.com>
To: <KNAPP-L@rootsweb.com>
Sent: Sunday, April 02, 2000 6:03 PM
Subject: Re: [KNAPP] I had the worm

> I have it too. I wonder if the download sites actually give it to you!!

Yes. But, when you find it in Find, you can delete it from there. I just checked the additional files mentioned on the Symantec site, ashield.pif, netstat.pif, and winsock.vbs, and I don't have any of them. So, deleting the chode file apparently got rid of all of them. I also just spent an hour and half letting Norton run a scan on my whole hard drive and it didn't find anything, not that it finds 100% of the viruses.

The payload isn't delivered until the 19th, so it's probably safe not to check every day until the 18th, at which time ALL of us who receive lots of e-mail should do a FIND on chode to make sure we haven't gotten it between now and then. People who have it don't know they're sending it. We just checked, so we found we've got it. But, we can't make the whole world aware. I have a ton of friends on aol and it's one of the biggest propagators of viruses because of the size of its subscribers. But, other ISPs are involved as well. We're on lists, we've got friends, we've been warned.

I'll be checking again on the 18th and not opening my mail at home on the 19th. I don't care at school. I don't save stuff on my hard drive there and they'll buy a new computer for me if it gets wiped out anyway. Furthermore, the network admin's job is to keep us *clean*. I've sent him everything, so he's well fore-warned. But, as near as I can tell, w/o shared files and printers selected in Network in the Control Panel, it can't do its thing anyway. It's just that we're sending it to people who might have home networks, home businesses, etc. And, I wouldn't/won't take a chance that it doesn't work w/o shared stuff anyway.

As an aside, I want to thank the list for this info. Since I teach in the Dept of Computer Technology at a major university, the network admin would probably have been alerted tomorrow by his sources and he'd have alerted us.
In the meantime, I've sent out a lot of mail tonight and I would have sent it out to a dozen people unknowingly if I hadn't been warned to check before I sent any mail. Does this have anything to do with genealogy? Hell, YES. If your genealogy is on your hard drive, it could all go down the tubes with this w/o a back up.

Ellen

----- Original Message -----
From: Melody Campagna <droponin@home.com>
To: <KNAPP-L@rootsweb.com>
Sent: Monday, April 03, 2000 1:21 AM
Subject: Re: [KNAPP] You guys are life savers

> People on this list sent the url so I went there then checked what they said
> to check and it was in windows temporary.
> Melody(Knapp) Campagna
> http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/
>
> ----- Original Message -----
> From: CID at KID'S CORNER <cathez@teleport.com>
> To: <KNAPP-L@rootsweb.com>
> Sent: Sunday, April 02, 2000 6:55 PM
> Subject: Re: [KNAPP] You guys are life savers
>
> > how did you check it and get rid of it.?
> > Cathy
> > -----Original Message-----
> > From: Melody Campagna <droponin@home.com>
> > To: KNAPP-L@rootsweb.com <KNAPP-L@rootsweb.com>
> > Date: Sunday, April 02, 2000 7:02 PM
> > Subject: [KNAPP] You guys are life savers
> >
> > >Managed to get rid of it but will check daily to see if it comes back.
> > >Melody(Knapp) Campagna
> > >http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

Me too...on both counts!

-----Original Message-----
From: JKRINGER@aol.com <JKRINGER@aol.com>
To: KNAPP-L@rootsweb.com <KNAPP-L@rootsweb.com>
Date: Sunday, April 02, 2000 8:05 PM
Subject: Re: [KNAPP] I had the worm

>I have it too. I wonder if the download sites actually give it to you!!

Click on Start, then select Find from the menu. Type in chode in the file name box. It will find it. You can delete it right from there. It was in a Windows/Program file. I went in to Windows Explorer, Temporary AND Temporary Internet, and deleted all the files in those folders as well just for good measure, but that was probably over-kill.

Ellen

----- Original Message -----
From: CID at KID'S CORNER <cathez@teleport.com>
To: <KNAPP-L@rootsweb.com>
Sent: Sunday, April 02, 2000 8:55 PM
Subject: Re: [KNAPP] You guys are life savers

> how did you check it and get rid of it.?
> Cathy
> -----Original Message-----
> From: Melody Campagna <droponin@home.com>
> To: KNAPP-L@rootsweb.com <KNAPP-L@rootsweb.com>
> Date: Sunday, April 02, 2000 7:02 PM
> Subject: [KNAPP] You guys are life savers
>
> >Managed to get rid of it but will check daily to see if it comes back.
> >Melody(Knapp) Campagna
> >http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

I just updated my Norton, which allegedly according to the articles attached in the earlier e-mails is supposed to have a clean-up for it, but I didn't find it in the list of viruses in its catalog. Because I teach at a university, and we get e-mail from all over the world, we're constantly getting viruses on the network. The network administrators usually catch them and clean up the mess for us. I called our network admin at home tonight after I discovered I had this one because the payload is more severe than most.

I'm assuming I picked it off from school mail because I do not have shared printers or files selected on my home computer. However, a copy of my school mail is downloaded to my home computer when I read it even though the original is left on the server. I'm assuming it didn't do anything lethal to my home computer because I don't have the shared files and printers selected under network and the others of you who found it on your computers probably still have a hard drive because you didn't have them selected, either. From what I read, it's harmless w/o the network. However, 2 of my colleagues were in the recipient list of the message I suspect was carrying it and I called them at home tonight to tell them to delete the message w/o opening it in the morning because our school computers are set up to share printers and files. We'd be in a hell of a fix if our hard drives were wiped out. Unfortunately, a student is sending this out unaware he's got it.

I *teach* computers. This is not a fancy program. I used to be a social worker. There are too many people in this world with exceptional talent who get off on using their gifts by being destructive rather than being constructive. It's why I got out of social work. But, I've discovered I can't escape "evil" even in the world of machinery. Very disappointing.
Since this one seems to be rather rampant (based on discovering at least 3 of us have it when it was just *released* yesterday), it's probably a good idea to check for it daily.

Ellen

----- Original Message -----
From: Melody Campagna <droponin@home.com>
To: <KNAPP-L@rootsweb.com>
Sent: Monday, April 03, 2000 12:02 AM
Subject: [KNAPP] You guys are life savers

> Managed to get rid of it but will check daily to see if it comes back.
> Melody(Knapp) Campagna
> http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

how did you check it and get rid of it.?
Cathy

-----Original Message-----
From: Melody Campagna <droponin@home.com>
To: KNAPP-L@rootsweb.com <KNAPP-L@rootsweb.com>
Date: Sunday, April 02, 2000 7:02 PM
Subject: [KNAPP] You guys are life savers

>Managed to get rid of it but will check daily to see if it comes back.
>Melody(Knapp) Campagna
>http://www.familytreemaker.com/users/c/a/m/Melody-A-Campagna/

About 15 minutes after logging on to read my mail, I opened up my work mailbox (I teach at a university). While my home computer doesn't have a shared printer or files, my work computer does. I don't actually download mail to my harddrive at home (from the school computer); I just look at them on the server. There was a suspicious message.....no message.....and the rest of the recipients were other faculty. It looked like a virus. I immediately ran a "find" on chode and I had it.....time received about 5 minutes earlier. So, I've got to alert the network folks at school. At any rate, this is for real. I just updated Norton a couple of weeks ago. I've got to do it again. You can't update often enough apparently.

Ellen

----- Original Message -----
From: <LDSMommy@aol.com>
To: <KNAPP-L@rootsweb.com>
Sent: Sunday, April 02, 2000 2:55 PM
Subject: [KNAPP] Silent '911' Worm ALERT

> Hi Everyone,
>
> I got this today, and personally checked it out on the net. You may have
> already heard of it. I believe that it is not a hoax. If it is a hoax, it
> is quite an elaborate one. Towards the end of the message are instructions
> on checking to see if your computer is set up to share files/printer, and if
> it is, how to check for the worm and what to do if you find it. I have
> checked our computer and we were not set up to share files/printers, so from
> what I read here, our computer is safe. Also, whoever started up this worm
> chose crude names for the directory names, so be prepared. However, spread
> the word (not the worm ;->)!
>
> Here are some URL's to check out, if you wish:
> Shields UP! -- Internet Connection Security Analysis:
> http://grc.com/su-911.htm
>
> Advisories, Alerts, and Warnings:
> http://www.nipc.gov/nipc/nipcaaw.htm
>
> Heidi Page
> ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
> No hoax. This comes "straight from the horses mouth" so please be
> aware..read on.
>
>
> 02 April 2000
>
> NOTE TO ALL:
> The following message is a very serious virus alert. Please circulate it to
> your email correspondents. The FBI has just advised of the existence of a
> newly identified 911 virus which, if it infects your computer, will dial 911
> and then erase your hard drive. You WON'T get this virus as an email
> attachment. Unfortunately this one can simply be planted on your computer if
> you currently have it set up to share files or printers, which is a common
> setup for many computers. To be infected you only need to be connected to
> the Internet. While you are connected to your Internet Service Provider a
> remote malicious scanner could probe your computer for entry into any one of
> its 65,535 TCP-IP ports and then silently load the virus onto your hard
> drive once the remote scanner has found your computer to be vulnerable.
> Strictly speaking this is a "worm" more than a "virus" since worms propagate
> and reproduce themselves without any sort of user involvement or action,
> whereas a virus requires some inadvertent action on the part of the user.
> This new worm's payload triggers on the 19th of the month and deletes files
> from crucial Windows system directories. (You want to be very sure that your
> system is not infected with it at that time!) For information on detection
> and removal of this new threat: CLICK on the web site below:
> http://grc.com/su-911.htm
>
> Symantec has a thorough technical analysis of this new worm virus at:
> http://www.symantec.com/avcenter/venc/data/bat.chode.worm.html
>
> I read the information contained in this message below and checked it out as
> thoroughly as I could. It appears to be genuine in its entirety. The same
> information is available on the FBI web page also indicated below. The
> technical information in this message tells you how to protect your hard
> drive from being erased if you are attacked by this most serious of internet
> spread viruses (or worms) seen to date. I'm familiar with the authors who
> prepared the message below and know them to be some of the best in the
> anti-virus business. You will do all of your friends a great service by
> forwarding this message to them immediately. This warning comes from a new
> federal government center known as the "National Infrastructure Protection
> Center" located at FBI headquarters. More details on the malicious 911 virus
> are given below. If you have Norton antiviral software you should download
> the new virus signature lists immediately.
> -----------------------------------
> Current FBI Advisories, Alerts and Warnings from NIPC
> http://www.fbi.gov/nipc/nipcaaw.htm
>
> ------W A R N I N G N O T I C E--------
>
> NIPC Information System Advisory 00-038:
> SELF PROPAGATING 911 SCRIPT
> (Issued at 8:00 a.m. EST, 04/01/2000)
>
> At 8:00 am on Saturday, April 1 (This is NOT an April Fool's joke!)
> the FBI announced it had discovered malicious code erasing data on
> hard drives and dialing 911. This is a vicious virus and needs to
> be stopped quickly. This can only be done through wide-scale
> individual action. Please forward this note to everyone you know
> who might be affected.
>
> The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm
>
> The 911 virus is the first "Windows shares virus." Unlike recent
> viruses that propagate through eMail, the 911 virus silently jumps
> directly from machine to machine across the Internet by scanning
> for, and exploiting, open Windows shares. After successfully
> reproducing itself in other Internet-connected machines
> (to assure its continued survival) it uses the machine's modem to
> dial 911 and erases the local machine's hard drive. The virus is
> operational; victims are already reporting wiped-out hard drives.
> The virus was launched through AOL, AT&T, MCI, and NetZero in the
> Houston area. The investigation points to relatively limited
> distribution so far, but there are no walls in the Internet.
>
> Other FBI computer related protection links
> http://www.fbi.gov/nipc/inthenews.htm
> http://www.fbi.gov/nipc/links.htm
>
> -----------------
> Action 1: Defense against the current 911 virus
> -----------------
>
> Verify that your system and those of all your coworkers, friends, and
> associates are not vulnerable by verifying that file sharing is
> turned off.
>
> * On a Windows 95/98 system, system-wide file sharing is managed by
> selecting My Computer, Control Panel, Networks, and clicking on the
> File and Print Sharing button. For folder-by-folder controls, you
> can use Windows Explorer (Start, Programs, Windows Explorer) and
> highlight a primary folder such as My Documents and then right mouse
> click and select properties. There you will find a tab for sharing.
>
> * On a Windows NT, check Control Panel, Server, Shares.
>
> For an excellent way to instantly check system vulnerability, and for
> detailed assistance in managing Windows file sharing, see: Shields
> Up! A free service from Gibson Research (http://grc.com/)
>
> -------------------
> Action 2: Forensics
> -------------------
>
> If you find that you did have file sharing turned on, search your
> hard drive for hidden directories named "chode", "foreskin", or
> "dickhair" (we apologize for the indiscretion - but those are the
> real directory names). These are HIDDEN directories, so you must
> configure the Find command to show hidden directories. Under the
> Windows Explorer menu choose View/Options: "Show All Files".
>
> If you find those directories: remove them.
>
> And, if you find them, and want help from law enforcement, call the
> FBI National Infrastructure Protection Center (NIPC) Watch Office
> at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary
> job of getting data out early on this virus and deserves both kudos
> and cooperation.
>
> You can help the whole community by letting both the FBI and
> SANS (intrusion@sans.org) know if you've been hit, so we can
> monitor the spread of this virus.
>
>
> --------------
> Moving Forward
> --------------
>
> The virus detection companies received a copy of the code for the
> 911 Virus early this morning, so keep your virus signature files
> up-to-date.
>
> We'll post new information at www.sans.org as it becomes available.
>
> Prepared by:
> Alan Paller, Research Director, The SANS Institute
> Steve Gibson, President, Gibson Research Corporation
> Stephen Northcutt, Director, Global Incident Analysis Center
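
The "Action 2: Forensics" check from the advisory quoted above, combined with the three file names mentioned earlier in the thread from the Symantec write-up, as an added example that is not part of the original messages. The function names `sweep` and `build_sample_tree` are illustrative, and the sample directory tree is constructed for the demonstration.

```python
"""Sweep a directory tree for the names this thread ties to the 911 worm."""
import os
import sys
import tempfile

# Directory names from the quoted advisory; file names from the thread.
WORM_DIR_NAMES = {"chode", "foreskin", "dickhair"}
WORM_FILE_NAMES = {"ashield.pif", "netstat.pif", "winsock.vbs"}


def sweep(root):
    """Return a sorted list of (kind, path) hits under root.

    os.walk lists entries whether or not they carry the hidden attribute,
    so there is no "Show All Files" setting to forget as with Explorer's
    Find. Names are compared case-insensitively, as Windows does.
    """
    hits = []

    def on_error(err):
        # A folder that cannot be listed is reported, not silently skipped.
        hits.append(("unreadable", err.filename))

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error):
        for name in dirnames:
            if name.lower() in WORM_DIR_NAMES:
                hits.append(("directory", os.path.join(dirpath, name)))
        for name in filenames:
            stem = os.path.splitext(name)[0].lower()
            # Posters also reported a *file* named after the directories.
            if name.lower() in WORM_FILE_NAMES or stem in WORM_DIR_NAMES:
                hits.append(("file", os.path.join(dirpath, name)))
    return sorted(hits)


def build_sample_tree(base):
    """Create a small constructed tree: two indicators and two benign files."""
    os.makedirs(os.path.join(base, "WINDOWS", "TEMP", "CHODE"))
    os.makedirs(os.path.join(base, "My Documents"))
    for rel in (
        os.path.join("WINDOWS", "winsock.vbs"),      # indicator (file name)
        os.path.join("WINDOWS", "netstat.exe"),      # benign near-miss
        os.path.join("My Documents", "family.ged"),  # benign data file
    ):
        with open(os.path.join(base, rel), "w") as handle:
            handle.write("constructed sample\n")
    return base


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = sweep(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            results = sweep(build_sample_tree(tmp))
    for kind, path in results:
        print(f"{kind}: {path}")
    sys.exit(1 if results else 0)
```

Run with a drive or folder as the only argument to sweep it; with no argument it sweeps the constructed sample tree. The exit status is non-zero when anything is found.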