The Symantec web site also has a write-up about this worm in detail. Again, this
appears authentic. Check out the Symantec info updated March 31, 2000 at:
http://www.symantec.com/avcenter/venc/data/bat.chode.worm.html
----- Original Message -----
From: Igor Gashinsky <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; Curt <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Saturday, April 01, 2000 11:24 PM
Subject: RE: Does anyone know if this is a Joke
> I could be wrong, but it looks authentic to me. I received this message,
> and it included my SANS ID, and it matched my ID from the previous e-mails.
> I am not saying that somebody couldn't have sniffed all the IDs from
> previous SANS mailings and sent this one out, but I think that would be way
> too much effort for a hoax. Additionally, the NIPC site definitely adds
> credibility.
>
> On the other hand if SANS and NIPC decided to play a hoax on us, that is
> possible, but I doubt that they would be willing to undermine their
> credibility like that.
>
> -Igor Gashinsky
>
> At 11:05 PM 4/1/00 -0500, Micheal Espinola Jr wrote:
> >This has been broadcast from several channels since "seemingly"
> >originating from SANS. I say "seemingly" because SANS has yet to put a
> >posting on their website yet.
> >
> >The email-headers from SANS look official, and the NIPC website definitely
> >adds credibility - but I have yet to see any information on any Antiviral
> >websites yet.
> >
> >I am withholding my opinions on this until I see more corroboration.
> >
> >| -----Original Message-----
> >| From: [EMAIL PROTECTED]
> >| [mailto:[EMAIL PROTECTED]]On Behalf Of Curt
> >| Sent: Saturday, April 01, 2000 8:35 PM
> >| To: [EMAIL PROTECTED]
> >| Subject: Does anyone know if this is a Joke
> >|
> >|
> >| I realize that it is April 1, but when I think of comedians I do not think
> >| of the FBI (NIPC).
> >|
> >| From: The SANS Institute Research Office
> >| Subj: Malicious 911 Virus Wipes Out Hard Drives of Internet Users
> >|
> >| At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!)
> >| the FBI announced it had discovered malicious code wiping out the data on
> >| hard drives and dialing 911. This is a vicious virus and needs to
> >| be stopped quickly. That can only be done through wide-scale
> >| individual action. Please forward this note to everyone who you
> >| know who might be affected.
> >|
> >| The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm
> >|
> >| The 911 virus is the first "Windows shares virus." Unlike recent
> >| viruses that propagate through eMail, the 911 virus silently jumps
> >| directly from machine to machine across the Internet by scanning
> >| for, and exploiting, open Windows shares. After successfully
> >| reproducing itself in other Internet-connected machines
> >| (to assure its continued survival) it uses the machine's modem to
> >| dial 911 and erases the local machine's hard drive. The virus is
> >| operational; victims are already reporting wiped-out hard drives.
> >| The virus was launched through AOL, AT&T, MCI, and NetZero in the
> >| Houston area. The investigation points to relatively limited
> >| distribution so far, but there are no walls in the Internet.
> >|
> >| -----------------
> >| Action 1: Defense
> >| -----------------
> >|
> >| Verify that your system and those of all your coworkers, friends, and
> >| associates are not vulnerable by verifying that file sharing is
> >| turned off.
> >|
> >| * On a Windows 95/98 system, system-wide file sharing is managed by
> >| selecting My Computer, Control Panel, Networks, and clicking on the
> >| File and Print Sharing button. For folder-by-folder controls, you
> >| can use Windows Explorer (Start, Programs, Windows Explorer) and
> >| highlight a primary folder such as My Documents and then right mouse
> >| click and select properties. There you will find a tab for sharing.
> >|
> >| * On Windows NT, check Control Panel, Server, Shares.
> >|
> >| For an excellent way to instantly check system vulnerability, and for
> >| detailed assistance in managing Windows file sharing, see: Shields
> >| Up! A free service from Gibson Research (http://grc.com/)
> >|
> >| -------------------
> >| Action 2: Forensics
> >| -------------------
> >|
> >| If you find that you did have file sharing turned on, search your
> >| hard drive for hidden directories named "chode", "foreskin", or
> >| "dickhair" (we apologize for the indiscretion - but those are the
> >| real directory names). These are HIDDEN directories, so you must
> >| configure the Find command to show hidden directories. Under the
> >| Windows Explorer menu choose View/Options: "Show All Files".
> >|
> >| If you find those directories: remove them.
> >|
> >| And, if you find them, and want help from law enforcement, call the
> >| FBI National Infrastructure Protection Center (NIPC) Watch Office
> >| at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary
> >| job of getting data out early on this virus and deserves both kudos
> >| and cooperation.
> >|
> >| You can help the whole community by letting both the FBI and
> >| SANS ([EMAIL PROTECTED]) know if you've been hit, so we can
> >| monitor the spread of this virus.
> >|
> >|
> >| --------------
> >| Moving Forward
> >| --------------
> >|
> >| The virus detection companies received a copy of the code for the
> >| 911 Virus early this morning, so keep your virus signature files
> >| up-to-date.
> >|
> >| We'll post new information at www.sans.org as it becomes available.
> >|
> >| Prepared by:
> >| Alan Paller, Research Director, The SANS Institute
> >| Steve Gibson, President, Gibson Research Corporation
> >| Stephen Northcutt, Director, Global Incident Analysis Center
> >|
> >|
> >| -
> >| [To unsubscribe, send mail to [EMAIL PROTECTED] with
> >| "unsubscribe firewalls" in the body of the message.]