TRYING TO SPREAD THE WORD ON THIS, IT SOUNDS SERIOUS
----------
> From: Fred <freese@netins.net>
> To: CLEVELAND-SURNAME-L@rootsweb.com
> Subject: [Cleveland-Surname] R U S H - K I L L E R V I R U S A L E R T!
> Date: Saturday, April 01, 2000 8:17 AM
>
> Ok folks, this is something that I don't normally do, but this one is verified
> to be a particularly bad virus (trojan), so I'm warning you all at the same
> time! I have verified and copied from NORTON, their outlook as well. As soon
> as you read these statements, please run the test and upgrade your online
> antivirus programs. If you don't have one, get one! It is listed under several
> names and affects several parts of your computer and its functions. I don't
> want to see a large scale discussion on this, this is merely a warning to
> protect your computers and that's all. If you aren't sure what, when or how, by
> all means, contact me privately and I'll try to help as much as I can. For
> those of you that would like to verify this for yourselves, by all means visit
> your favorite anti-virus site.
> I have copied Norton's statement at the end of the alert.
> Thank you for your time in this matter.
> Fred
>
>
> > R U S H - K I L L E R V I R U S A L E R T!
> >
> > At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!)
> > the FBI announced it had discovered malicious code wiping out the data
> > on hard drives and dialing 911. This is a vicious virus and needs to
> > be stopped quickly. That can only be done through wide-scale individual
> > action. Please forward this note to everyone who you know who might
> > be affected.
> >
> > The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm
> >
> > The 911 virus is the first "Windows shares virus." Unlike recent
> > viruses that propagate through eMail, the 911 virus silently jumps
> > directly from machine to machine across the Internet by scanning
> > for, and exploiting, open Windows shares.
> > After successfully
> > reproducing itself in other Internet-connected machines
> > (to assure its continued survival) it uses the machine's modem to
> > dial 911 and erases the local machine's hard drive. The virus is
> > operational; victims are already reporting wiped-out hard drives.
> > The virus was launched through AOL, AT&T, MCI, and NetZero in the
> > Houston area. The investigation points to relatively limited
> > distribution so far, but there are no walls in the Internet.
> >
> > -----------------
> > Action 1: Defense
> > -----------------
> > Verify that your system and those of all your coworkers, friends, and
> > associates are not vulnerable by verifying that file sharing is
> > turned off.
> >
> > * On a Windows 95/98 system, system-wide file sharing is managed by
> >   selecting My Computer, Control Panel, Networks, and clicking on the
> >   File and Print Sharing button. For folder-by-folder controls, you
> >   can use Windows Explorer (Start, Programs, Windows Explorer) and
> >   highlight a primary folder such as My Documents and then right mouse
> >   click and select properties. There you will find a tab for sharing.
> >
> > * On a Windows NT system, check Control Panel, Server, Shares.
> >
> > For an excellent way to instantly check system vulnerability, and for
> > detailed assistance in managing Windows file sharing, see: Shields
> > Up! A free service from Gibson Research (http://grc.com/)
> >
> > -------------------
> > Action 2: Forensics
> > -------------------
> > If you find that you did have file sharing turned on, search your
> > hard drive for hidden directories named "chode", "foreskin", or
> > "dickhair" (we apologize for the indiscretion - but those are the
> > real directory names). These are HIDDEN directories, so you must
> > configure the Find command to show hidden directories. Under the
> > Windows Explorer menu choose View/Options: "Show All Files".
> >
> > If you find those directories: remove them.
> >
> > And, if you find them, and want help from law enforcement, call the
> > FBI National Infrastructure Protection Center (NIPC) Watch Office
> > at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary
> > job of getting data out early on this virus and deserves both kudos
> > and cooperation.
> >
> > You can help the whole community by letting both the FBI and
> > SANS (intrusion@sans.org) know if you've been hit, so we can
> > monitor the spread of this virus.
> >
> > --------------
> > Moving Forward
> > --------------
> > The virus detection companies received a copy of the code for the
> > 911 Virus early this morning, so keep your virus signature files
> > up-to-date. We'll post new information at www.sans.org as it
> > becomes available.
> >
> > Prepared by:
> > Alan Paller, Research Director, The SANS Institute
> > Steve Gibson, President, Gibson Research Corporation
> > Stephen Northcutt, Director, Global Incident Analysis Center
>
> SYMANTEC AntiVirus Research Center - Virus Encyclopedia
> © 1995-2000 Symantec Corporation. All rights reserved.
>
> BAT.Chode.Worm
>
> Detected as: BAT.Chode.Worm
> Aliases: Chode, Foreskin, BAT911
> Infection Length: Multiple batch files
> Area of Infection: Shared drive
> Trigger Dates: 19th of the month
> Characteristics: Worm, Batch
>
> Description
>
> BAT.Chode.Worm is an internet-worm that uses BAT files. It searches through a
> range of IP addresses of known ISPs to find an accessible computer. If an
> accessible computer has its C drive shared, it will copy its files into the
> other computer.
>
> Technical Description
>
> BAT.Chode.Worm uses multiple BAT files and some system programs to spread itself
> through an internet connection. It searches through a range of IP addresses of
> known ISPs to find an accessible computer.
> If an accessible computer has a
> shared drive that is not password protected, the worm checks for the presence of
> the file C:\WINDOWS\WIN.COM. If such a file is present, it assumes the shared drive
> is the C drive of the other computer. It will then copy its files into the other
> computer's C:\PROGRA~1\CHODE directory.
>
> The main batch file assumes it is running from the C:\PROGRA~1\CHODE directory. When
> launched, it searches for an accessible subnet on several ISPs:
>
> att.net (ATT Worldnet)
> bellsouth.net (BellSouth Net)
> level3.net (Level3 Net)
> aol.com (America Online)
> mindspring.com (Mindspring)
> earthlink.net (Earthlink)
> air.on.ca (Air.Internet in Canada)
> psi.net (PSInet)
>
> Once the worm finds an accessible subnet, it will search for an accessible
> shared drive. If there is no accessible shared drive in the subnet, it will
> repeat the subnet search above.
>
> Once the worm finds an accessible shared drive, it will do a quick test to see
> if the drive is the C drive. If it is the C drive, it will map the shared drive.
>
> After mapping the drive, it makes sure that it hasn't infected this mapped
> drive. While performing the check, it also searches for and removes VBS.Network, a
> worm that uses VBS script. Then, it verifies the writability of the drive, and
> proceeds to copy its files to the other computer.
>
> While copying its files to the other computer, it adds the following:
>
> * a call to a batch file that dials 911 using the computer modem into the
>   C:\AUTOEXEC.BAT. This modification is done one out of five times.
> * ashield.pif into the Program-StartUp of the infected machine. This PIF file
>   hides the worm when it is launched.
> * netstat.pif into the Program-StartUp of the infected machine. This PIF file
>   hides the netstat utility that it uses.
> * winsock.vbs into the Program-StartUp of the infected machine. This VBS carries
>   its payload.
> * Log the infection in the file C:\PROGRAM FILES\chode\chode.txt of the source
>   computer.
>
> The worm also uses a freeware utility to hide its activity. The freeware utility
> is a win32 program that the worm names ASHIELD.EXE. NAV will not detect this
> utility.
>
> Payload
>
> The WINSOCK.VBS is launched when Windows starts on an infected computer. On the
> 19th of the month, this VBS script deletes files from the following directories:
>
> C:\windows
> C:\windows\system
> C:\windows\command
> C:\
>
> Then, it displays two message boxes:
>
> You Have Been Infected By Chode
> You may now turn this piece of shit off!
>
> Repair Notes
>
> Delete the C:\Program Files\Chode directory.
> Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\ASHIELD.PIF
> Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NETSTAT.PIF
> Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINSOCK.VBS
>
>
> ==== CLEVELAND-SURNAME Mailing List ====
> Fred W. Reese freese@netins.net
> Listowner of CLEVELAND-SURNAME list
> Rootsweb Donor
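The forwarded alert and the Symantec writeup together name a concrete set of host artifacts: the worm's directory names ("chode", "foreskin", "dickhair"), the three Startup entries (ASHIELD.PIF, NETSTAT.PIF, WINSOCK.VBS), the chode.txt infection log, and the dial-out call added to C:\AUTOEXEC.BAT. The Python sweep below is an added example, not code from the alert, SANS, or Symantec: it walks the root of a (mounted) Windows 9x volume, reports each artifact it finds, and then applies the Repair Notes. It assumes the directory layout given in the text (Program Files\chode, the Start Menu Startup folder); because the writeup does not name the batch file that dials 911, the AUTOEXEC.BAT check flags any line that references the worm's directory or a 911 dial string, which is an assumption. The infected tree used by the demo, including the file name DIAL.BAT, is constructed for the example.

```python
"""Host sweep for the BAT.Chode / "911" worm artifacts named in the alert.

Added example (not SANS's or Symantec's code). Point scan_for_chode() at
the root of a mounted Windows 9x volume; run_demo() builds a CONSTRUCTED
infected tree in a temp directory, sweeps it, cleans it, and sweeps again.
"""
from __future__ import annotations

import os
import re
import shutil
import tempfile
from pathlib import Path

# Directory names from the SANS alert
WORM_DIR_NAMES = {"chode", "foreskin", "dickhair"}
# Startup entries from the Symantec writeup
STARTUP_FILES = {"ashield.pif", "netstat.pif", "winsock.vbs"}
STARTUP_DIR = Path("WINDOWS", "START MENU", "PROGRAMS", "STARTUP")
DROP_DIR = Path("Program Files", "chode")        # C:\PROGRA~1\CHODE
INFECTION_LOG = DROP_DIR / "chode.txt"
# ASSUMPTION: the writeup only says AUTOEXEC.BAT gains "a call to a batch
# file that dials 911" and does not name that file, so any line referencing
# the worm's directory or a 911 dial string is treated as the hook.
AUTOEXEC_HOOK = re.compile(r"chode|foreskin|dickhair|\b911\b", re.IGNORECASE)


def is_hidden(path: Path) -> bool | None:
    """DOS hidden attribute, or None when the host cannot report it
    (os.stat only fills st_file_attributes on Windows)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & 0x2)  # FILE_ATTRIBUTE_HIDDEN


def scan_for_chode(root: Path) -> list[dict]:
    """Return one finding per artifact under *root* (the drive's top level)."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):            # Action 2: Forensics
        for name in dirnames:
            if name.lower() in WORM_DIR_NAMES:
                p = Path(dirpath, name)
                findings.append({"type": "worm_dir", "path": p, "hidden": is_hidden(p)})
    startup = root / STARTUP_DIR                          # persistence entries
    if startup.is_dir():
        for f in startup.iterdir():
            if f.name.lower() in STARTUP_FILES:
                findings.append({"type": "startup_entry", "path": f})
    autoexec = root / "AUTOEXEC.BAT"                      # dial-911 hook
    if autoexec.is_file():
        for n, line in enumerate(autoexec.read_text(errors="replace").splitlines(), 1):
            if AUTOEXEC_HOOK.search(line):
                findings.append({"type": "autoexec_hook", "path": autoexec,
                                 "line": n, "text": line.strip()})
    log = root / INFECTION_LOG                            # log on the source host
    if log.is_file():
        findings.append({"type": "infection_log", "path": log})
    return findings


def remove_artifacts(root: Path, findings: list[dict]) -> None:
    """Apply the Repair Notes: drop the worm directories and Startup entries,
    and strip the dial-out hook from AUTOEXEC.BAT while keeping the rest."""
    hook_lines = {f["line"] for f in findings if f["type"] == "autoexec_hook"}
    for f in findings:
        p = f["path"]
        if f["type"] == "worm_dir":
            shutil.rmtree(p, ignore_errors=True)
        elif f["type"] in ("startup_entry", "infection_log") and p.exists():
            p.unlink()
    if hook_lines:
        autoexec = root / "AUTOEXEC.BAT"
        kept = [l for n, l in enumerate(autoexec.read_text(errors="replace").splitlines(), 1)
                if n not in hook_lines]
        autoexec.write_text("\n".join(kept) + "\n")


def build_sample_tree(root: Path) -> None:
    """CONSTRUCTED infected layout for the demo; DIAL.BAT is an assumed name."""
    (root / STARTUP_DIR).mkdir(parents=True)
    for name in ("ASHIELD.PIF", "NETSTAT.PIF", "WINSOCK.VBS"):
        (root / STARTUP_DIR / name).write_bytes(b"")
    (root / DROP_DIR).mkdir(parents=True)
    (root / INFECTION_LOG).write_text("constructed infection log\n")
    (root / "foreskin").mkdir()
    (root / "WINDOWS" / "WIN.COM").write_bytes(b"")
    (root / "AUTOEXEC.BAT").write_text(
        "@ECHO OFF\r\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
        "CALL C:\\PROGRA~1\\CHODE\\DIAL.BAT\r\n")


def run_demo() -> tuple[list[dict], list[dict]]:
    """Sweep the constructed tree, clean it, and sweep it again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        before = scan_for_chode(root)
        remove_artifacts(root, before)
        after = scan_for_chode(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for f in before:
        print(f["type"], f["path"], f.get("text", ""))
    print(f"{len(before)} indicators found, {len(after)} left after cleanup")
```

On a Windows host the `hidden` field reflects the DOS attribute the alert tells readers to expose via "Show All Files"; scanning a mounted FAT image from another OS leaves it `None`, and a name match is still reported. The AUTOEXEC.BAT rewrite keeps every line that did not match, so the PATH and other legitimate entries survive the cleanup.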