[Fair use for education and research purpose only]
Note: Update to post by Carl Jenkins http://greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=002tN3
Title: New 911 Worm on the Loose
Virus spreads by searching Internet for vulnerable machines
MSNBC
April 3 � A new type of �worm� capable of wiping out computer hard drives and launching �denial-of-service� attacks on 911 emergency services was not reported to be causing widespread problems on Monday. But computer security experts warned that it could have serious consequences if it was not quickly contained.
------------
�This is a vicious virus and needs to be stopped quickly.�
� SANS INSTITUTE ADVISORY
THE WORM � variously described as the �BAT.Chode.Worm,� the �Firkin worm� or the �911 virus� � was first reported Saturday by the FBI�s National Infrastructure Protection Center. It said it was first detected in the Houston area.
It said the worm � the term for a self-replicating piece of malicious code � searches the Internet for computer systems set up for file and print sharing, copies itself onto those systems, overwrites the hard drive and causes the newly infected computer systems to dial 911 if a modem is present.
The SANS Institute, which tracks computer security issues, reported that the worm is the first �Windows shares virus,� meaning it jumps directly from machine to machine across the Internet rather than spreading itself via e-mail. It also said that some victims had reported that their hard drives had been wiped out, though it did not say how many reports had been received.
�A VICIOUS VIRUS'
�This is a vicious virus and needs to be stopped quickly,� the institute warned in an e-mail alert to its subscribers.
Symantec�s Antivirus Research Center and F-Secure Corp., a computer security firm, reported that the worm was searching the Internet for accessible computers with a shared C drive that is not password protected.
Once a drive shared for full access (reading and writing) is located, the worm looks for a Windows directory on that drive and installs itself there, F-Secure reported. The worm then creates a new folder in �Program Files� directory, copies its files there and adds a PIF file to the Windows startup folder to be activated on remote a computer on its next startup.
The worm then either formats hard drives or dials �911� using a modem if it is installed on COM1-COM4 ports. One of the worm�s versions sends dial commands to all these ports regardless of modem presence in an infected system.
F-Secure said that three variants of the worm had been detected.
Symantec said the worm was trolling the subnets of several Internet service providers, including ATT Worldnet, BellSouth Net, Level3 Net, America Online, Mindspring, Earthlink, PSInet and Air.Internet in Canada.
NO DISRUPTION OF 911 SERVICES
Mark Adams, executive director of the National Emergency Number Association, said Monday morning that the virus did not appear to have created havoc with emergency services around the United States.
�When things like this happen, we typically do get notifications when we come in on Mondays,� he said. �So far we haven�t gotten anything."
Both F-Secure and the Symantec AntiVirus Research Center published �cures� for the worm on their Web sites.
Gibson Research Corp. also posted instructions on how to tell if your system has been infected.
http://www.msnbc.com/news/390119.asp#BODY
====================
-- (Dee360Degree@aol.com), April 03, 2000
More on the WORM.
New virus can wipe out hard drives
By CNET News.com Staff
April 2, 2000, 10:05 a.m. PT
An ongoing FBI case has revealed a computer virus that can erase hard
drives and dial 911 emergency systems, according to a warning posted
on the Web this weekend.
So far, reports of the virus are limited to the Houston, Texas, area
and involve four Internet service providers--America Online, MCI
WorldCom, AT&T and NetZero--according to the posting by the National
Infrastructure Protection Center (NIPC).
The virus causes "victim systems to dial 911, possibly causing
emergency authorities to check out substantial numbers of 'false
positive' calls," according to yesterday�s posting.
The so-called self-propagating script also can "overwrite victim hard
drives," according to the NIPC.
The FBI and NIPC are continuing to investigate the virus. The NIPC
brings together representatives from the FBI, other government
agencies and the private sector to protect the nation's computer
networks.
FBI and NIPC representatives could not be reached for comment
http://news.cnet.com/news/0-1005-200-1623077.html?
tag=st.ne.1002.bgif.1005-200-1623077
-- Martin Thompson (mthom1927@aol.com), April 03, 2000.