RootsWeb.com Mailing Lists
[KNAPP] Silent '911' Worm ALERT

Hi Everyone,

I got this today, and personally checked it out on the net. You may have already heard of it. I believe that it is not a hoax. If it is a hoax, it is quite an elaborate one. Towards the end of the message are instructions on checking to see if your computer is set up to share files/printer, and if it is, how to check for the worm and what to do if you find it. I have checked our computer and we were not set up to share files/printers, so from what I read here, our computer is safe. Also, whoever started up this worm chose crude names for the directory names, so be prepared. However, spread the word (not the worm ;->)!

Here are some URLs to check out, if you wish:

Shields UP! -- Internet Connection Security Analysis: http://grc.com/su-911.htm
Advisories, Alerts, and Warnings: http://www.nipc.gov/nipc/nipcaaw.htm

Heidi Page

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~

No hoax. This comes "straight from the horse's mouth" so please be aware... read on.

02 April 2000

NOTE TO ALL: The following message is a very serious virus alert. Please circulate it to your email correspondents. The FBI has just advised of the existence of a newly identified 911 virus which, if it infects your computer, will dial 911 and then erase your hard drive.

You WON'T get this virus as an email attachment. Unfortunately this one can simply be planted on your computer if you currently have it set up to share files or printers, which is a common setup for many computers. To be infected you only need to be connected to the Internet. While you are connected to your Internet Service Provider a remote malicious scanner could probe your computer for entry into any one of its 65,535 TCP-IP ports and then silently load the virus onto your hard drive once the remote scanner has found your computer to be vulnerable.
Strictly speaking this is a "worm" more than a "virus" since worms propagate and reproduce themselves without any sort of user involvement or action, whereas a virus requires some inadvertent action on the part of the user. This new worm's payload triggers on the 19th of the month and deletes files from crucial Windows system directories. (You want to be very sure that your system is not infected with it at that time!)

For information on detection and removal of this new threat, CLICK on the web site below:
http://grc.com/su-911.htm

Symantec has a thorough technical analysis of this new worm virus at:
http://www.symantec.com/avcenter/venc/data/bat.chode.worm.html

I read the information contained in this message below and checked it out as thoroughly as I could. It appears to be genuine in its entirety. The same information is available on the FBI web page also indicated below. The technical information in this message tells you how to protect your hard drive from being erased if you are attacked by this most serious of internet spread viruses (or worms) seen to date. I'm familiar with the authors who prepared the message below and know them to be some of the best in the anti-virus business. You will do all of your friends a great service by forwarding this message to them immediately.

This warning comes from a new federal government center known as the "National Infrastructure Protection Center" located at FBI headquarters. More details on the malicious 911 virus are given below. If you have Norton antiviral software you should download the new virus signature lists immediately.

---------------------------------

Current FBI Advisories, Alerts and Warnings from NIPC
http://www.fbi.gov/nipc/nipcaaw.htm

------W A R N I N G N O T I C E--------

NIPC Information System Advisory 00-038: SELF PROPAGATING 911 SCRIPT
(Issued at 8:00 a.m. EST, 04/01/2000)

At 8:00 am on Saturday, April 1 (This is NOT an April Fool's joke!) the FBI announced it had discovered malicious code erasing data on hard drives and dialing 911. This is a vicious virus and needs to be stopped quickly. This can only be done through wide-scale individual action. Please forward this note to everyone you know who might be affected.

The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm

The 911 virus is the first "Windows shares virus." Unlike recent viruses that propagate through eMail, the 911 virus silently jumps directly from machine to machine across the Internet by scanning for, and exploiting, open Windows shares. After successfully reproducing itself in other Internet-connected machines (to assure its continued survival) it uses the machine's modem to dial 911 and erases the local machine's hard drive. The virus is operational; victims are already reporting wiped-out hard drives. The virus was launched through AOL, AT&T, MCI, and NetZero in the Houston area. The investigation points to relatively limited distribution so far, but there are no walls in the Internet.

Other FBI computer related protection links:
http://www.fbi.gov/nipc/inthenews.htm
http://www.fbi.gov/nipc/links.htm

-----------------
Action 1: Defense against the current 911 virus
-----------------

Verify that your system and those of all your coworkers, friends, and associates are not vulnerable by verifying that file sharing is turned off.

* On a Windows 95/98 system, system-wide file sharing is managed by selecting My Computer, Control Panel, Networks, and clicking on the File and Print Sharing button. For folder-by-folder controls, you can use Windows Explorer (Start, Programs, Windows Explorer) and highlight a primary folder such as My Documents and then right mouse click and select properties. There you will find a tab for sharing.
* On a Windows NT, check Control Panel, Server, Shares.

For an excellent way to instantly check system vulnerability, and for detailed assistance in managing Windows file sharing, see: Shields Up! A free service from Gibson Research (http://grc.com/)

-------------------
Action 2: Forensics
-------------------

If you find that you did have file sharing turned on, search your hard drive for hidden directories named "chode", "foreskin", or "dickhair" (we apologize for the indiscretion - but those are the real directory names). These are HIDDEN directories, so you must configure the Find command to show hidden directories. Under the Windows Explorer menu choose View/Options: "Show All Files". If you find those directories: remove them. And, if you find them, and want help from law enforcement, call the FBI National Infrastructure Protection Center (NIPC) Watch Office at 202-323-3204/3205/3206.

The FBI/NIPC has done an extraordinary job of getting data out early on this virus and deserves both kudos and cooperation. You can help the whole community by letting both the FBI and SANS (intrusion@sans.org) know if you've been hit, so we can monitor the spread of this virus.

--------------
Moving Forward
--------------

The virus detection companies received a copy of the code for the 911 Virus early this morning, so keep your virus signature files up-to-date. We'll post new information at www.sans.org as it becomes available.

Prepared by:
Alan Paller, Research Director, The SANS Institute
Steve Gibson, President, Gibson Research Corporation
Stephen Northcutt, Director, Global Incident Analysis Center

    04/02/2000 09:55:21
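
The hidden-directory search from "Action 2: Forensics", as an added example that is not part of the original message or the advisory: a Python 3 script that walks a drive (or a mounted copy of one) and reports every directory carrying one of the three names the alert lists, together with its hidden attribute. The function names `find_worm_dirs` and `is_hidden` are hypothetical, and running a modern Python interpreter against the volume is an assumption.

```python
import os
import stat
import sys

# Directory names taken from the alert's "Action 2: Forensics" section.
WORM_DIR_NAMES = {"chode", "foreskin", "dickhair"}


def is_hidden(path):
    """Return True if the directory carries the Windows hidden attribute.

    st_file_attributes only exists on Windows; elsewhere (for example a
    disk image mounted on Linux) the attribute is unavailable and the
    function reports False (assumption made for portability).
    """
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_worm_dirs(root):
    """Return sorted (path, hidden) pairs for directories under root whose
    name matches the alert's list.

    os.walk enumerates hidden directories without any "Show All Files"
    setting, and names are compared case-insensitively because Windows
    filesystems ignore case.
    """
    hits = []

    def report(err):
        # Unreadable directories are surfaced rather than skipped silently.
        print(f"warning: cannot read {err.filename}: {err.strerror}",
              file=sys.stderr)

    for dirpath, dirnames, _files in os.walk(root, onerror=report):
        for name in dirnames:
            if name.lower() in WORM_DIR_NAMES:
                full = os.path.join(dirpath, name)
                hits.append((full, is_hidden(full)))
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    found = find_worm_dirs(root)
    for path, hidden in found:
        print(f"FOUND {path} (hidden={hidden})")
    sys.exit(1 if found else 0)  # non-zero exit when a listed name is present
```

A match on name alone is an indicator to investigate, not proof of infection; the exit status makes the script usable from a scheduled check.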