Return to index: [Subject] [Thread] [Date] [Author]

911 or Bat/Firkin Virus

[Subject Prev][Subject Next][Thread Prev][Thread Next]
This is neither a hoax nor another April Fools prank!  Your computer needs
immediate protection! 

>From what I have read, the 911 or Bat/Firkin virus is brand new and really
nasty.  If you have "sharing" enabled on your computer (that is the
Microsoft Windows default), it can wipe out your C drive if you are
connected to the Internet, even if you don't open your email or take any
other action.  It first struck in Houston earlier this week on AOL and
several other servers.  If you use antivirus software, you need to update
your virus signature file to a version dated 4/2/00 or newer for protection
from this new threat.  If you are unprotected, I recommend the totally free
and wonderful Computer Associates' InoculateIT Personal Edition 5.1.  It can
be downloaded (3.13MB) at:

http://www.antivirus.cai.com  

Also, you should immediately disable "sharing" on your Windows computer.  To
do this in Windows98, Double-click on the Network icon in Control Panel,
click on the Configuration tab, click on the File and Print Sharing button,
and then un-check both of the "I want to ..." boxes.  

If you want additional information, here is what the experts say about the
911 or Bat/Firkin virus:

The NIPC (U.S. National Infrastructure Protection Center - formed by the
FBI) issued an advisory on the weekend concerning a family of batch worms
that can propagate through Windows networks, erase hard drives and dial the
911 emergency line, possibly overloading the emergency response system. The
advisory can be found at 

http://www.nipc.gov/nipc/advis00-038.htm

The Firkin family consists of several files and there are three family
members known right now.

Variants of the worm contain code to wait for the 19th day of a month and
then delete the following directories:

"c:\windows\*.*"

"c:\windows\system\*.*"

"c:\windows\command\*.*"

"c:\*.*"

and afterwards displays the messages:

"You Have Been Infected By Chode" 

"You may now turn this piece of shit off!"

The worm may change the Autoexec.bat file to call the emergency number 911
on each system start using an attached modem.

Additionally it contains code to ping various servers on a random basis in a
loop until an error occurs (.c variant).

The spreading function first searches for a suitable target and tries to map
the "c" drive of the attacked computer to the local drive name "j". In order
to propagate the worm has to find a writeable C share, that is not protected
by a password. Computer Associates recommends not to share any drives or
directories without assigning a password. During the complete spreading
process, the worm prints information about the current attacked system etc.,
which are probably just debugging remnants. These messages are kept hidden
from the user.

If the attacked system does not have special files or directories (e.g. the
.c version is looking for the file "c:\windows\win.com") the worm quits the
replication process.

The worm checks for signs of infections from other worms or family members
and performs dependent operations.

If all spreading conditions are fulfilled, then the virus copies itself
using the ordinary copy operation.

Additionally some variants overwrite with a random chance the "autoexec.bat"
(e.g. 1/6 based on a random value for the .c version) file and insert code,
which formats besides some other operations, the following hard drives:

C, D, E, F, G, H

I hope that the above information helps all of you to avoid this potential
catastrophe.

Best Regards,

Stan R. Caldwell, P.E.
Well-Protected in Dallas