About 15 minutes after logging on to read my mail, I opened up my work mailbox (I teach at a university). While my home computer doesn't have a shared printer or files, my work computer does. I don't actually download mail to my hard drive at home (from the school computer); I just look at them on the server. There was a suspicious message.....no message.....and the rest of the recipients were other faculty. It looked like a virus. I immediately ran a "find" on chode and I had it.....time received about 5 minutes earlier. So, I've got to alert the network folks at school. At any rate, this is for real. I just updated Norton a couple of weeks ago. I've got to do it again. You can't update often enough apparently.

Ellen

----- Original Message -----
From: <LDSMommy@aol.com>
To: <KNAPP-L@rootsweb.com>
Sent: Sunday, April 02, 2000 2:55 PM
Subject: [KNAPP] Silent '911' Worm ALERT

> Hi Everyone,
>
> I got this today, and personally checked it out on the net. You may have
> already heard of it. I believe that it is not a hoax. If it is a hoax, it
> is quite an elaborate one. Towards the end of the message are instructions
> on checking to see if your computer is set up to share files/printer, and if
> it is, how to check for the worm and what to do if you find it. I have
> checked our computer and we were not set up to share files/printers, so from
> what I read here, our computer is safe. Also, whoever started up this worm
> chose crude names for the directory names, so be prepared. However, spread
> the word (not the worm ;->)!
>
> Here are some URLs to check out, if you wish:
> <A HREF="http://grc.com/su-911.htm">Click here: Shields UP! -- Internet
> Connection Security Analysis</A>
> or: http://grc.com/su-911.htm
>
> <A HREF="http://www.nipc.gov/nipc/nipcaaw.htm">Click here: Advisories,
> Alerts, and Warnings</A>
> or: http://www.nipc.gov/nipc/nipcaaw.htm
>
> Heidi Page
> ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
> No hoax.
> This comes "straight from the horse's mouth" so please be
> aware..read on.
>
>
> 02 April 2000
>
> NOTE TO ALL:
> The following message is a very serious virus alert. Please circulate it to
> your email correspondents. The FBI has just advised of the existence of a
> newly identified 911 virus which, if it infects your computer, will dial 911
> and then erase your hard drive. You WON'T get this virus as an email
> attachment. Unfortunately this one can simply be planted on your computer if
> you currently have it set up to share files or printers, which is a common
> setup for many computers. To be infected you only need to be connected to
> the Internet. While you are connected to your Internet Service Provider a
> remote malicious scanner could probe your computer for entry into any one of
> its 65,535 TCP-IP ports and then silently load the virus onto your hard
> drive once the remote scanner has found your computer to be vulnerable.
> Strictly speaking this is a "worm" more than a "virus" since worms propagate
> and reproduce themselves without any sort of user involvement or action,
> whereas a virus requires some inadvertent action on the part of the user.
> This new worm's payload triggers on the 19th of the month and deletes files
> from crucial Windows system directories. (You want to be very sure that your
> system is not infected with it at that time!) For information on detection
> and removal of this new threat: CLICK on the web site below:
> http://grc.com/su-911.htm
>
> Symantec has a thorough technical analysis of this new worm virus at:
> http://www.symantec.com/avcenter/venc/data/bat.chode.worm.html
>
> I read the information contained in this message below and checked it out as
> thoroughly as I could. It appears to be genuine in its entirety. The same
> information is available on the FBI web page also indicated below.
> The technical information in this message tells you how to protect your hard
> drive from being erased if you are attacked by this most serious of internet
> spread viruses (or worms) seen to date. I'm familiar with the authors who
> prepared the message below and know them to be some of the best in the
> anti-virus business. You will do all of your friends a great service by
> forwarding this message to them immediately. This warning comes from a new
> federal government center known as the "National Infrastructure Protection
> Center" located at FBI headquarters. More details on the malicious 911 virus
> are given below. If you have Norton antiviral software you should download
> the new virus signature lists immediately.
> -----------------------------------
> Current FBI Advisories, Alerts and Warnings from NIPC
> http://www.fbi.gov/nipc/nipcaaw.htm
>
> ------W A R N I N G N O T I C E--------
>
> NIPC Information System Advisory 00-038:
> SELF PROPAGATING 911 SCRIPT
> (Issued at 8:00 a.m. EST, 04/01/2000)
>
> At 8:00 am on Saturday, April 1 (This is NOT an April Fool's joke!)
> the FBI announced it had discovered malicious code erasing data on
> hard drives and dialing 911. This is a vicious virus and needs to
> be stopped quickly. This can only be done through wide-scale
> individual action. Please forward this note to everyone you know
> who might be affected.
>
> The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm
>
> The 911 virus is the first "Windows shares virus." Unlike recent
> viruses that propagate through eMail, the 911 virus silently jumps
> directly from machine to machine across the Internet by scanning
> for, and exploiting, open Windows shares. After successfully
> reproducing itself in other Internet-connected machines
> (to assure its continued survival) it uses the machine's modem to
> dial 911 and erases the local machine's hard drive. The virus is
> operational; victims are already reporting wiped-out hard drives.
> The virus was launched through AOL, AT&T, MCI, and NetZero in the
> Houston area. The investigation points to relatively limited
> distribution so far, but there are no walls in the Internet.
>
> Other FBI computer related protection links
> http://www.fbi.gov/nipc/inthenews.htm
> http://www.fbi.gov/nipc/links.htm
>
> -----------------
> Action 1: Defense against the current 911 virus
> -----------------
>
> Verify that your system and those of all your coworkers, friends, and
> associates are not vulnerable by verifying that file sharing is
> turned off.
>
> * On a Windows 95/98 system, system-wide file sharing is managed by
> selecting My Computer, Control Panel, Networks, and clicking on the
> File and Print Sharing button. For folder-by-folder controls, you
> can use Windows Explorer (Start, Programs, Windows Explorer) and
> highlight a primary folder such as My Documents and then right mouse
> click and select properties. There you will find a tab for sharing.
>
> * On a Windows NT, check Control Panel, Server, Shares.
>
> For an excellent way to instantly check system vulnerability, and for
> detailed assistance in managing Windows file sharing, see: Shields
> Up! A free service from Gibson Research (http://grc.com/)
>
> -------------------
> Action 2: Forensics
> -------------------
>
> If you find that you did have file sharing turned on, search your
> hard drive for hidden directories named "chode", "foreskin", or
> "dickhair" (we apologize for the indiscretion - but those are the
> real directory names). These are HIDDEN directories, so you must
> configure the Find command to show hidden directories. Under the
> Windows Explorer menu choose View/Options: "Show All Files".
>
> If you find those directories: remove them.
>
> And, if you find them, and want help from law enforcement, call the
> FBI National Infrastructure Protection Center (NIPC) Watch Office
> at 202-323-3204/3205/3206.
> The FBI/NIPC has done an extraordinary
> job of getting data out early on this virus and deserves both kudos
> and cooperation.
>
> You can help the whole community by letting both the FBI and
> SANS (intrusion@sans.org) know if you've been hit, so we can
> monitor the spread of this virus.
>
>
> --------------
> Moving Forward
> --------------
>
> The virus detection companies received a copy of the code for the
> 911 Virus early this morning, so keep your virus signature files
> up-to-date.
>
> We'll post new information at www.sans.org as it becomes available.
>
> Prepared by:
> Alan Paller, Research Director, The SANS Institute
> Steve Gibson, President, Gibson Research Corporation
> Stephen Northcutt, Director, Global Incident Analysis Center
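
The "Action 2: Forensics" directory search from the quoted advisory, as an added Python example that is not part of the original messages or of the advisory. The function names `find_ioc_dirs` and `is_hidden` and the sample directory tree are constructed for illustration; only the three directory names come from the advisory.

```python
import os
import stat
import tempfile

# Directory names listed in the advisory's "Action 2: Forensics" step.
IOC_DIR_NAMES = {"chode", "foreskin", "dickhair"}


def is_hidden(path):
    """True if the directory has the Windows hidden attribute (or a dot name elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # populated only on Windows
    hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
    return bool(attrs & hidden_flag) or os.path.basename(path).startswith(".")


def find_ioc_dirs(root):
    """Walk root and return (path, hidden) for every directory whose name matches."""
    hits = []
    # os.walk lists hidden directories too, unlike the default Explorer/Find view,
    # so no "Show All Files" setting is needed. Unreadable directories are skipped.
    for current, dirnames, _files in os.walk(root, onerror=lambda err: None):
        for name in dirnames:
            if name.lower() in IOC_DIR_NAMES:  # Windows names are case-insensitive
                full = os.path.join(current, name)
                hits.append((full, is_hidden(full)))
    return sorted(hits)


def demo():
    """Build a constructed sample tree (not real infection paths) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS", "CHODE"))
        os.makedirs(os.path.join(root, "My Documents", "letters"))
        os.makedirs(os.path.join(root, "Program Files", "foreskin"))
        found = find_ioc_dirs(root)
        return [os.path.relpath(path, root).replace(os.sep, "/") for path, _ in found]


if __name__ == "__main__":
    for rel in demo():
        print("suspicious directory:", rel)
```

To scan a real machine, call `find_ioc_dirs` with the drive root (for example `C:\\`) instead of running `demo()`.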