NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM ADVISORY (NIPC ADVISORY 00-038); SELF-PROPAGATING 911 SCRIPT


SUBJECT: NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM ADVISORY (NIPC ADVISORY 00-038); SELF-PROPAGATING 911 SCRIPT

1. A RECENT AND BREAKING FBI CASE HAS REVEALED THE CREATION AND DISSEMINATION OF A SELF-PROPAGATING SCRIPT THAT CAN ERASE HARD DRIVES AND DIAL-UP 911 EMERGENCY SYSTEMS. WHILE INVESTIGATION AND TECHNICAL ANALYSIS CONTINUE, THE SCRIPT APPEARS TO INCLUDE THE FOLLOWING CHARACTERISTICS:

A. ACTIVELY SEARCH THE INTERNET FOR COMPUTER SYSTEMS SET UP FOR FILE AND PRINT SHARING AND COPY ITSELF ON TO THESE SYSTEMS.

B. OVERWRITE VICTIM HARD DRIVES.

C. CAUSE VICTIM SYSTEMS TO DIAL 911 (POSSIBLY CAUSING EMERGENCY AUTHORITIES TO CHECK OUT SUBSTANTIAL NUMBERS OF "FALSE POSITIVE" CALLS).

2. TO THIS POINT CASE INFORMATION AND KNOWN VICTIMS SUGGEST A RELATIVELY LIMITED DISSEMINATION OF THIS SCRIPT IN THE HOUSTON, TEXAS AREA, THROUGH SOURCE COMPUTERS THAT SCANNED SEVERAL THOUSAND COMPUTERS THROUGH FOUR INTERNET SERVICE PROVIDERS (AMERICA ON-LINE, AT&T, MCI, AND NETZERO). DISSEMINATED SCRIPT MAY BE PLACED IN HIDDEN DIRECTORIES NAMED CHODE, FORESKIN OR DICKHAIR. FURTHER SCRIPT ANALYSIS BY THE FBI/NIPC CONTINUES.

3. FBI/NIPC REQUESTS RECIPIENTS IMMEDIATELY REPORT INFORMATION RELATING TO USE OF THIS SCRIPT TO THE LOCAL FBI OR FBI/NIPC WATCH AT 202-323-3204/3205/3206. AS MORE TECHNICAL OR OPERATIONAL INFORMATION ABOUT THIS SCRIPT DEVELOPS, NIPC WILL DISSEMINATE THIS INFORMATION THROUGH THE CARNEGIE MELLON CERT, ANTIVIRUS VENDORS OR ITS OWN WEB SITE (www.nipc.gov), AS APPROPRIATE. http://www.nipc.gov/nipc/advis00-038.htm

-- Carl Jenkins (Somewherepress@aol.com), April 02, 2000
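Characteristic A above is, from a network defender's side, a sweep for the NetBIOS session port across many hosts. The following is an added detection example written for this thread, not code from NIPC, SANS or the worm itself. It runs over constructed, netfilter-style gateway log lines (the format and the addresses are assumptions, not logs from the case) and reports any source that probed the Windows file-sharing ports on many distinct hosts; port 445 is included as an assumption so the same rule covers direct-hosted SMB, although the advisory only concerns Windows 9x sharing on port 139.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the advisory): netfilter-style kernel log
# lines for inbound TCP connection attempts seen at a gateway. 10.1.2.3
# sweeps the NetBIOS session port across twelve hosts; 10.1.9.9 is a user
# who legitimately opens one share server several times.
SAMPLE_LOG = "\n".join(
    [f"Apr  1 08:02:{13 + i:02d} gw kernel: IN=ppp0 SRC=10.1.2.3 DST=10.1.5.{10 + i} "
     f"PROTO=TCP SPT={1055 + i} DPT=139 SYN" for i in range(12)]
    + [f"Apr  1 08:03:0{i} gw kernel: IN=ppp0 SRC=10.1.9.9 DST=10.1.5.10 "
       f"PROTO=TCP SPT={2001 + i} DPT=139 SYN" for i in range(3)]
    + ["Apr  1 08:03:30 gw kernel: IN=ppp0 SRC=10.1.2.3 DST=10.1.7.1 "
       "PROTO=TCP SPT=1100 DPT=80 SYN"]
)

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# 139 is the NetBIOS session service that Windows 9x file sharing answers on;
# 445 (direct-hosted SMB) is added as an assumption for completeness.
SHARE_PORTS = {139, 445}


def share_scanners(log_text, min_targets=5):
    """Return {source: [distinct destinations]} for every source that probed
    a file-sharing port on at least min_targets different hosts. Counting
    distinct destinations rather than packets keeps a user who retries one
    server from being flagged."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) not in SHARE_PORTS:
            continue
        targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in share_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on a share port: "
              f"{dsts[0]} .. {dsts[-1]}")
```

The threshold is deliberately a parameter: on a dial-up ISP segment five distinct NetBIOS targets from one source in a short window is already unusual, whereas a corporate LAN with a browse master will need a higher value or a time window.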

Answers

More on same story: [Tech-VIRUS ALERT]

FBI: Malicious 911 Virus Wipes Out Hard Drives

From: The SANS Institute Research Office Subj: Malicious 911 Virus Wipes Out Hard Drives of Internet Users

At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!) the FBI announced it had discovered malicious code wiping out the data on hard drives and dialing 911. This is a vicious virus and needs to be stopped quickly. That can only be done through wide-scale individual action. Please forward this note to everyone who you know who might be affected.

The FBI Advisory is posted at www.nipc.gov/nipc/advis00-038.htm

The 911 virus is the first "Windows shares virus." Unlike recent viruses that propagate through e-mail, the 911 virus silently jumps directly from machine to machine across the Internet by scanning for, and exploiting, open Windows shares. After successfully reproducing itself in other Internet-connected machines (to assure its continued survival) it uses the machine's modem to dial 911 and erases the local machine's hard drive. The virus is operational; victims are already reporting wiped-out hard drives.

The virus was launched through AOL, AT&T, MCI, and NetZero in the Houston area. The investigation points to relatively limited distribution so far, but there are no walls in the Internet.

----------------- Action 1: Defense -----------------

Verify that your system and those of all your coworkers, friends, and associates are not vulnerable by verifying that file sharing is turned off.

* On a Windows 95/98 system, system-wide file sharing is managed by selecting My Computer, Control Panel, Networks, and clicking on the File and Print Sharing button. For folder-by-folder controls, you can use Windows Explorer (Start, Programs, Windows Explorer) and highlight a primary folder such as My Documents and then right mouse click and select properties. There you will find a tab for sharing.

* On Windows NT, check Control Panel, Server, Shares.

For an excellent way to instantly check system vulnerability, and for detailed assistance in managing Windows file sharing, see: Shields Up! A free service from Gibson Research (grc.com/)

------------------- Action 2: Forensics -------------------

If you find that you did have file sharing turned on, search your hard drive for hidden directories named "chode", "foreskin", or "dickhair" (we apologize for the indiscretion - but those are the real directory names). These are HIDDEN directories, so you must configure the Find command to show hidden directories. Under the Windows Explorer menu choose View/Options: "Show All Files".

If you find those directories: remove them.

And, if you find them, and want help from law enforcement, call the FBI National Infrastructure Protection Center (NIPC) Watch Office at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary job of getting data out early on this virus and deserves both kudos and cooperation.

You can help the whole community by letting both the FBI and SANS (intrusion@sans.org) know if you've been hit, so we can monitor the spread of this virus.

-------------- Moving Forward --------------

The virus detection companies received a copy of the code for the 911 Virus early this morning, so keep your virus signature files up-to-date.

We'll post new information at www.sans.org as it becomes available.

Prepared by:
Alan Paller, Research Director, The SANS Institute
Steve Gibson, President, Gibson Research Corporation
Stephen Northcutt, Director, Global Incident Analysis Center

http://pub5.ezboard.com/fyourdontimebomb2000.showMessage?topicID=2203.topic

-- Carl Jenkins (Somewherepress@aol.com), April 02, 2000.
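Action 2 above is a manual search for three hidden directory names. The following is an added example written for this thread, not code from SANS, NIPC or any vendor, that does the same sweep programmatically: it walks a drive, matches the advisory's directory names case-insensitively (Windows filesystems are case-insensitive), and reports the hidden attribute rather than requiring it, so a copy that lost the attribute is still found. The `demo()` function builds a constructed directory tree in a temporary folder (an assumption, not data from any victim) so the sweep can be exercised without touching a real system drive. It only reports; preserve what you find before deleting it if you want law enforcement to be able to use it.

```python
import os
import stat
import tempfile

# Directory names given in the advisory, compared case-insensitively.
SUSPECT_DIRS = {"chode", "foreskin", "dickhair"}


def is_hidden(path):
    """Report the Windows hidden attribute for path; on other platforms fall
    back to the dot-file convention (an assumption so the sweep runs anywhere)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", None)  # present on Windows only
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def sweep(root):
    """Walk root and return sorted (path, hidden) pairs for every directory
    whose name is on the list. os.walk descends into hidden directories, so
    Explorer's 'Show All Files' setting is not needed. Matching is by name
    only: the hidden flag is reported, not required."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.lower() in SUSPECT_DIRS:
                full = os.path.join(dirpath, name)
                hits.append((full, is_hidden(full)))
    return sorted(hits)


def demo():
    """Constructed test tree (not from a real infection): two planted
    directories among ordinary ones. Returns (basename, hidden) pairs so the
    result does not depend on where the temporary folder lives."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("My Documents/CHODE", "WINDOWS/dickhair",
                    "WINDOWS/system", "My Documents/reports"):
            os.makedirs(os.path.join(root, *rel.split("/")))
        return [(os.path.basename(p), hidden) for p, hidden in sweep(root)]


if __name__ == "__main__":
    for name, hidden in demo():
        print(f"found {name!r} (hidden attribute: {hidden})")
```

To sweep a real machine, call `sweep("C:\\")` (or the root of each local drive) and review the returned paths; the hidden flag being `False` on a hit does not clear it, since the name match is the indicator the advisory gives.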


April 3, 2000 Business News Archives No Hoax, But Did FBI Hype the 911 Worm? By Brian McWilliams

An advisory from the FBI's National Infrastructure Protection Center issued April Fool's day set off hoax alarms across the Internet. But while anti-virus software vendors Monday confirmed that the 911 Worm is the real thing, some are puzzled by the FBI's advisory and are openly questioning the severity of the worm.

Typed in all capital letters and displayed at the FBI Web site, the advisory warned of a new Internet worm that looks for Windows 95/98 systems that have file and print sharing enabled. After infection, the worm erases the contents of the victim's hard drive and then automatically uses the computer's modem to dial up 911 emergency systems.

Vesselin Bontchev, a researcher with Frisk Software, developers of the F-PROT anti-virus software package, said Frisk and other anti-virus vendors have not seen the 911 Worm in the wild.

"Because of the alarmist language of the warning, customers are calling us and over-heating our tech support lines. The warning wasn't thought out well and is raising panic. The panic will cause more damage than the actual virus," said Bontchev, who noted that previous viruses have dialed 911 or deleted data and haven't merited FBI warnings.

Frisk considers the 911 Worm a low risk because it has little chance of rapid spread and is implemented primarily by DOS batch files, according to Bontchev. That also was the assessment by the International Computer Security Association, which put out an advisory on the worm Monday.

"We think the risk of getting nailed by this particular thing is pretty low, but the concept of the threat represents something important. People should either turn off sharing, or at least modify it to include passwords," said Roger Thompson, a malicious code expert with ICSA, in an e-mail to InternetNews.

Network Associates, developers of the popular VirusScan product, have categorized as "low risk" what they are terming the W95/Firkin.worm.

In an e-mail to InternetNews, Jimmy Kuo, director of anti-virus research for NAI, revealed that one of the company's customers reported the worm last week, and NAI quickly added detection for it to VirusScan. But Kuo said the anti-virus vendor is puzzled by the FBI's reaction. "Our position is that we don't understand why they did their press release. April 1, no less," said Kuo.

Debra Weierman, a spokesperson for the NIPC, declined to provide more details about the worm, saying the Bureau is involved in an ongoing investigation.

However, the Sans Institute, a cooperative of security professionals and system administrators, Monday released an updated bulletin saying that victims in Houston and San Francisco have reported having their hard drives wiped out by the worm.

According to Alan Paller, Sans research director, "This isn't a toy. Blaming other people for getting the word out seems a silly thing to do."

http://www.internetnews.com/bus-news/article/0,2171,3_333101,00.html

-- Martin Thompson (mthom1927@aol.com), April 04, 2000.

