An electronic newsletter is circulating which includes a warning
about the BAT/911 virus family (aka Chode, Firkin and
Foreskin).
This newsletter has all the hallmarks of a hoax, in particular
excitable language and exhortations to "forward this note to
everyone who you know". However, it is not a hoax and these
are real viruses.
Please visit the following pages for more information:
Text of the newsletter reads as follows:
R U S H - K I L L E R V I R U S A L E R T!
Hi Everybody, I received this from a very reliable source
(SANS) when 25% of the newsletter had been sent. I decided to
interrupt the job, and resend it. I hope it arrives early enough
for you.
R U S H - K I L L E R V I R U S A L E R T!
At 8:00 am on Saturday, April 1 (This is not an April Fool's
joke!) the FBI announced it had discovered malicious code wiping
out the data on hard drives and dialing 911. This is a vicious
virus and needs to be stopped quickly. That can only be done
through wide-scale individual action. Please forward this note to
everyone who you know who might be affected.
The FBI Advisory is posted at
http://www.nipc.gov/nipc/advis00-038.htm
The 911 virus is the first "Windows shares virus." Unlike
recent viruses that propagate through eMail, the 911 virus silently
jumps directly from machine to machine across the Internet by
scanning for, and exploiting, open Windows shares. After
successfully reproducing itself in other Internet-connected
machines (to assure its continued survival) it uses the machine's
modem to dial 911 and erases the local machine's hard drive. The
virus is operational; victims are already reporting wiped-out hard
drives. The virus was launched through AOL, AT&T, MCI, and
NetZero in the Houston area. The investigation points to relatively
limited distribution so far, but there are no walls in the
Internet.
-----------------
Action 1: Defense
-----------------
Verify that your system and those of all your coworkers, friends,
and associates are not vulnerable by verifying that file sharing is
turned off.
* On a Windows 95/98 system, system-wide file sharing is managed by
selecting My Computer, Control Panel, Networks, and clicking on the
File and Print Sharing button. For folder-by-folder controls, you
can use Windows Explorer (Start, Programs, Windows Explorer) and
highlight a primary folder such as My Documents and then right
mouse click and select properties. There you will find a tab for
sharing.
* On a Windows NT system, check Control Panel, Server, Shares.
For an excellent way to instantly check system vulnerability, and
for detailed assistance in managing Windows file sharing, see:
Shields Up! A free service from Gibson Research
(http://grc.com/)
-------------------
Action 2: Forensics
-------------------
If you find that you did have file sharing turned on, search your
hard drive for hidden directories named "chode", "foreskin", or
"dickhair" (we apologize for the indiscretion - but those are the
real directory names). These are HIDDEN directories, so you must
configure the Find command to show hidden directories. Under the
Windows Explorer menu choose View/Options: "Show All Files". If you
find those directories: remove them. And, if you find them, and
want help from law enforcement, call the FBI National
Infrastructure Protection Center (NIPC) Watch Office at
202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary job
of getting data out early on this virus and deserves both kudos and
cooperation. You can help the whole community by letting both the
FBI and SANS (intrusion@sans.org) know if you've been hit, so we
can monitor the spread of this virus.
--------------
Moving Forward
--------------
The virus detection companies received a copy of the code for the
911 Virus early this morning, so keep your virus signature files
up-to-date. We'll post new information at www.sans.org as it
becomes available.
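The directory search described under "Action 2: Forensics", as an added Python example that is not part of the newsletter or of the original advisory: it walks a directory tree, matches the three directory names case-insensitively, and reports whether each match carries the hidden attribute. The function names and the sample directory tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Directory names listed in the newsletter's "Action 2: Forensics" section.
INDICATOR_DIRS = {"chode", "foreskin", "dickhair"}


def is_hidden(path):
    """True if the directory has the Windows HIDDEN attribute.
    Where file attributes do not exist, fall back to the dot-prefix convention."""
    try:
        attrs = os.stat(path).st_file_attributes  # only present on Windows
    except AttributeError:
        return os.path.basename(path).startswith(".")
    except OSError:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_indicator_dirs(root):
    """Return sorted (path, hidden) pairs for every directory under root whose
    name exactly matches an indicator, ignoring case (FAT/NTFS are case-insensitive)."""
    hits = []
    # onerror: skip unreadable directories instead of aborting the scan
    for dirpath, dirnames, _files in os.walk(root, onerror=lambda err: None):
        for name in dirnames:
            if name.casefold() in INDICATOR_DIRS:
                full = os.path.join(dirpath, name)
                hits.append((full, is_hidden(full)))
    return sorted(hits)


def demo():
    """Scan a constructed tree; the paths below are sample data, not real locations."""
    sample = ("WINDOWS/CHODE", "Progra~1/Foreskin/sub", "My Documents/chode-notes")
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            os.makedirs(os.path.join(root, *rel.split("/")))
        return [os.path.relpath(path, root).replace(os.sep, "/")
                for path, _hidden in find_indicator_dirs(root)]


if __name__ == "__main__":
    for path in demo():
        print("indicator directory:", path)
```

`os.walk` lists hidden directories without any extra setting, so the "Show All Files" step applies only to the Explorer search.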