UPDATE...New 911 Worm on the Loose


[Fair use for education and research purpose only]

Note: Update to post by Carl Jenkins http://greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=002tN3

Title: New 911 Worm on the Loose

Virus spreads by searching Internet for vulnerable machines

MSNBC

April 3 -- A new type of worm capable of wiping out computer hard drives and launching denial-of-service attacks on 911 emergency services was not reported to be causing widespread problems on Monday. But computer security experts warned that it could have serious consequences if it was not quickly contained.

------------



THE WORM -- variously described as the BAT.Chode.Worm, the Firkin worm or the 911 virus -- was first reported Saturday by the FBI's National Infrastructure Protection Center. It said it was first detected in the Houston area.

It said the worm -- the term for a self-replicating piece of malicious code -- searches the Internet for computer systems set up for file and print sharing, copies itself onto those systems, overwrites the hard drive and causes the newly infected computer systems to dial 911 if a modem is present. The SANS Institute, which tracks computer security issues, reported that the worm is the first Windows shares virus, meaning it jumps directly from machine to machine across the Internet rather than spreading itself via e-mail. It also said that some victims had reported that their hard drives had been wiped out, though it did not say how many reports had been received.


"This is a vicious virus and needs to be stopped quickly," the institute warned in an e-mail alert to its subscribers. Symantec's Antivirus Research Center and F-Secure Corp., a computer security firm, reported that the worm was searching the Internet for accessible computers with a shared C drive that is not password protected.

"Once a drive shared for full access (reading and writing) is located, the worm looks for a Windows directory on that drive and installs itself there," F-Secure reported. The worm then creates a new folder in Program Files directory, copies its files there and adds a PIF file to the Windows startup folder to be activated on a remote computer on its next startup. The worm then either formats hard drives or dials 911 using a modem if it is installed on COM1-COM4 ports. One of the worm's versions sends dial commands to all these ports regardless of modem presence in an infected system.

F-Secure said that three variants of the worm had been detected.

Symantec said the worm was trolling the subnets of several Internet service providers, including AT&T Worldnet, BellSouth Net, Level3 Net, America Online, Mindspring, Earthlink, PSInet and Air.Internet in Canada.


Mark Adams, executive director of the National Emergency Number Association, said Monday morning that the virus did not appear to have created havoc with emergency services around the United States.

"When things like this happen, we typically do get notifications when we come in on Mondays," he said. "So far we haven't gotten anything."

Both F-Secure and the Symantec AntiVirus Research Center published cures for the worm on their Web sites.

Gibson Research Corp. also posted instructions on how to tell if your system has been infected.

http://www.msnbc.com/news/390119.asp#BODY


-- (Dee360Degree@aol.com), April 03, 2000
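A triage check for the footprint F-Secure describes above (a PIF file in the Windows startup folder and a newly created folder under Program Files), as an added example that is not part of the original posts or the quoted articles. It assumes the default Windows 9x startup path `Start Menu\Programs\StartUp`; the function names and the sample file and folder names are constructed for illustration and are not the worm's actual names.

```python
import os, tempfile, time

# Assumption: default Windows 9x startup folder, relative to the Windows directory.
STARTUP_REL = ("Start Menu", "Programs", "StartUp")

def _child(parent, name):
    # Case-insensitive lookup of one path component (FAT names vary in case).
    for entry in os.listdir(parent):
        if entry.lower() == name.lower():
            return os.path.join(parent, entry)
    return None

def _walk_rel(root, parts):
    path = root
    for part in parts:
        path = _child(path, part) if path else None
    return path

def triage_share(drive_root, since_epoch, windows_dirs=("Windows", "Win95", "Win98")):
    """Return (startup_pifs, new_program_dirs) for a mounted copy of a shared drive."""
    pifs, new_dirs = [], []
    for win in windows_dirs:
        startup = _walk_rel(drive_root, (win,) + STARTUP_REL)
        if startup:
            pifs += sorted(os.path.join(startup, f) for f in os.listdir(startup)
                           if f.lower().endswith(".pif"))
    prog = _child(drive_root, "Program Files")
    if prog:
        for d in sorted(os.listdir(prog)):
            full = os.path.join(prog, d)
            if os.path.isdir(full) and os.path.getmtime(full) >= since_epoch:
                new_dirs.append(full)  # folder created or changed after the cutoff
    return pifs, new_dirs

def build_sample_tree(root, old_epoch):
    """Constructed sample: names are illustrative, not the worm's real file names."""
    startup = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp")
    os.makedirs(startup)
    open(os.path.join(startup, "SAMPLE.PIF"), "w").close()
    open(os.path.join(startup, "Office Startup.lnk"), "w").close()
    for name, stamp in (("Accessories", old_epoch), ("sample_new", time.time())):
        path = os.path.join(root, "Program Files", name)
        os.makedirs(path)
        os.utime(path, (stamp, stamp))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, old_epoch=time.time() - 86400 * 30)
        print(triage_share(root, since_epoch=time.time() - 86400))
```

Run it against a read-only mount or image of the shared drive, with `since_epoch` set to the time the share was first exposed; any hit is a lead to review, not proof of infection.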


More on the WORM.

New virus can wipe out hard drives

By CNET News.com Staff

April 2, 2000, 10:05 a.m. PT

An ongoing FBI case has revealed a computer virus that can erase hard drives and dial 911 emergency systems, according to a warning posted on the Web this weekend.

So far, reports of the virus are limited to the Houston, Texas, area and involve four Internet service providers--America Online, MCI WorldCom, AT&T and NetZero--according to the posting by the National Infrastructure Protection Center (NIPC). The virus causes "victim systems to dial 911, possibly causing emergency authorities to check out substantial numbers of 'false positive' calls," according to yesterday's posting.

The so-called self-propagating script also can "overwrite victim hard drives," according to the NIPC.

The FBI and NIPC are continuing to investigate the virus. The NIPC brings together representatives from the FBI, other government agencies and the private sector to protect the nation's computer networks.

FBI and NIPC representatives could not be reached for comment.

http://news.cnet.com/news/0-1005-200-1623077.html?tag=st.ne.1002.bgif.1005-200-1623077

-- Martin Thompson (mthom1927@aol.com), April 03, 2000.
