I don't normally pipe up about such things, and I *certainly* don't
propagate such things normally, but... there *is* a new virus (actually a
worm), which you can get the information about at such places as Langa.com
(Fred Langa, one of the editors for Byte magazine, among others) and at the
NIPC (Nat'l Infrastructure Protection, part of the US Government).

Acting as a security officer for the U.S. Government (my day job), I am
officially asking you to *please* check the settings on your File and Print
Sharing. If it is active, *do* *not* have it binding to your Internet
connection.

Further information is available at http://www.nipc.gov/nipc/advis00-038.htm
and http://www.sans.org/newlook/alerts/911worm.htm -- the Federal Bureau of
Investigation (FBI) would, as you can see, greatly appreciate knowing if you
get hit so that they can attempt to gather enough evidence to go after the
person or persons responsible.

I am including the text of the above-referenced site for speed's sake; you
can check with NIPC yourself to validate. Our (US Dept. of Agriculture)
called them via telephone to confirm; they (NIPC and FBI) are *very* serious
about this.

---------------- http://www.nipc.gov/nipc/advis00-038.htm ----------------

SUBJECT: NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM
ADVISORY (NIPC ADVISORY 00-038); SELF-PROPAGATING 911 SCRIPT

1. A RECENT AND BREAKING FBI CASE HAS REVEALED THE CREATION AND
DISSEMINATION OF A SELF-PROPAGATING SCRIPT THAT CAN ERASE HARD DRIVES AND
DIAL-UP 911 EMERGENCY SYSTEMS. WHILE INVESTIGATION AND TECHNICAL ANALYSIS
CONTINUE, THE SCRIPT APPEARS TO INCLUDE THE FOLLOWING CHARACTERISTICS:

A. ACTIVELY SEARCH THE INTERNET FOR COMPUTER SYSTEMS SET UP FOR FILE AND
PRINT SHARING AND COPY ITSELF ON TO THESE SYSTEMS.

B. OVERWRITE VICTIM HARD DRIVES.

C. CAUSE VICTIM SYSTEMS TO DIAL 911 (POSSIBLY CAUSING EMERGENCY AUTHORITIES
TO CHECK OUT SUBSTANTIAL NUMBERS OF "FALSE POSITIVE" CALLS).

2. TO THIS POINT CASE INFORMATION AND KNOWN VICTIMS SUGGEST A RELATIVELY
LIMITED DISSEMINATION OF THIS SCRIPT IN THE HOUSTON, TEXAS AREA, THROUGH
SOURCE COMPUTERS THAT SCANNED SEVERAL THOUSAND COMPUTERS THROUGH FOUR
INTERNET SERVICE PROVIDERS (AMERICA ON-LINE, AT&T, MCI, AND NETZERO).
DISSEMINATED SCRIPT MAY BE PLACED IN HIDDEN DIRECTORIES NAMED CHODE,
FORESKIN OR DICKHAIR. FURTHER SCRIPT ANALYSIS BY THE FBI/NIPC CONTINUES.

3. FBI/NIPC REQUESTS RECIPIENTS IMMEDIATELY REPORT INFORMATION RELATING TO
USE OF THIS SCRIPT TO THE LOCAL FBI OR FBI/NIPC WATCH AT
202-323-3204/3205/3206. AS MORE TECHNICAL OR OPERATIONAL INFORMATION ABOUT
THIS SCRIPT DEVELOPS, NIPC WILL DISSEMINATE THIS INFORMATION THROUGH THE
CARNEGIE MELLON CERT, ANTIVIRUS VENDORS OR ITS OWN WEB SITE (www.nipc.gov),
AS APPROPRIATE.

---------------- http://www.sans.org/newlook/alerts/911worm.htm ----------------

At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!) the FBI
announced it had discovered malicious code wiping out the data on hard
drives and dialing 911. This is a vicious worm (see note at end on worms vs.
viruses) and needs to be stopped quickly. That can only be done through
wide-scale individual action.
The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm

The Symantec alert (called Bat.CHODE.worm) is posted at
http://www.symantec.com/avcenter/venc/data/bat.chode.worm.html

The McAfee alert (called W95/Firkin.worm) is posted at
http://vil.mcafee.com/dispVirus.asp?virus_k=98557

The Global Incident Advisory Center has reports from people who have
computers that have been damaged. It is posted at www.sans.org/giac.htm.

Differences among the antivirus advisories and the GIAC data appear to imply
that there are multiple versions of this malicious code (if only because the
McAfee-quoted hacker's "got you" statement differs from the one found on an
infected computer reported to GIAC.)

The 911 Worm is one of the first to exploit "Windows shares." Unlike recent
viruses that propagate though email, the 911 Worm silently jumps directly
from machine to machine across the Internet by scanning for, and exploiting,
open Windows shares. After successfully reproducing itself in other
Internet-connected machines (to assure its continued survival), one out of
five times it uses the machine's modem to dial 911 and erases the local
machine's hard drive. The worm is operational; victims are already reporting
wiped-out hard drives. Symantec reports that the trigger date is the 19th of
the month, but variants could change that date. The worm was launched
through AOL, AT&T, and as many as seven other major ISPs.

Action 1: Defense
=================
Verify that your system and those of all our coworkers, friends, and
associates are not vulnerable by verifying that file sharing is turned off.

On a Windows 95/98 system, systemwide file sharing is managed by selecting
My Computer, Control Panel, Networks, and clicking on the File and Print
Sharing button. For folder-by-folder controls, you can use Windows Explorer
(Start, Programs, Windows Explorer) and highlight a primary folder such as
My Documents and then right mouse click and select properties. There you
will find a tab for sharing.

On Windows NT, check Control Panel, Server, Shares.

For an excellent way to instantly check system vulnerability, and for
detailed assistance in managing Windows file sharing, see: Shields Up! A
free service at http://grc.com/

Action 2: Forensics
===================
If you find that you did have file sharing turned on, search your hard drive
for hidden directories named "chode", "foreskin", or "dickhair" (we
apologize for the indiscretion - but those are the real directory names).
These are HIDDEN directories, so you must configure the Find command to show
hidden directories. Under the Windows Explorer menu choose View/Options:
"Show All Files".

If you find those directories: remove them.

And, if you find them, and want help from law enforcement, call the FBI
National Infrastructure Protection Center (NIPC) Watch Office at
202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary job of
getting data out early on this worm and deserves both kudos and
cooperation.

You can help the whole community by letting both the FBI and SANS
([EMAIL PROTECTED]) know if you've been hit, so we can monitor the spread
of this worm.

Moving Forward
==============
The virus detection companies received a copy of the code for the 911 Worm
late on the March 31, and at least Symantec's Norton AntiVirus has
signatures for the 911 Worm. Keep your virus signature files up-to-date.

Note: This malicious code is called a worm because it requires no specific
action on the part of the user to enable infection and propagation. It just
spreads. If the code required the user to open an email or load a screen
saver or take some other action, then it would be called a virus.
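As an added example, not part of the original message nor of the NIPC or SANS advisories, here is a small Python script that automates the two defensive actions above: it parses `netstat -an` style output to flag file-sharing ports bound to anything other than loopback (a `0.0.0.0` bind covers the Internet connection too), and it walks a directory tree for the indicator directory names the advisories list, reporting whether each carries the hidden attribute. The netstat sample and the directory tree are constructed for the demonstration; the function names `exposed_share_listeners`, `find_indicator_dirs` and `demo_scan` are chosen here and are not from any advisory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Directory names quoted in the NIPC and SANS advisories above.
INDICATOR_DIRS = {"chode", "foreskin", "dickhair"}

# Ports Windows file and print sharing listens on: 137-139 for NetBIOS over
# TCP/IP (what Windows 95/98/NT use), 445 for direct-hosted SMB on later Windows.
SHARE_PORTS = {137, 138, 139, 445}


def is_hidden(path: Path) -> bool:
    """True if the directory carries the Windows hidden attribute (or a leading dot elsewhere)."""
    try:
        st = path.stat()
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)          # attribute bits exist only on Windows
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    return bool(attrs & hidden_bit) or path.name.startswith(".")


def find_indicator_dirs(root):
    """Walk root and return (path, hidden?) for every directory with an indicator name.

    The advisories say the directories are hidden, but a variant might not set the
    attribute, so every name match is reported and the hidden flag is shown beside it.
    """
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if name.lower() in INDICATOR_DIRS:
                p = Path(dirpath) / name
                hits.append((p, is_hidden(p)))
    return sorted(hits)


def exposed_share_listeners(netstat_text):
    """Parse `netstat -an` style text; return (proto, address, port) for sharing ports
    bound to a non-loopback address. 0.0.0.0 means every interface, dial-up included."""
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("TCP", "UDP"):
            continue                       # header, blank line or unexpected layout
        addr, _, port = fields[1].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port in SHARE_PORTS and not (addr.startswith("127.") or addr == "[::1]"):
            exposed.append((fields[0], addr, port))
    return sorted(exposed)


# Constructed sample in the layout of Windows `netstat -an`; not real output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:445        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1036       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def demo_scan():
    """Build a constructed directory tree in a temp dir, scan it, and return the hits
    as (relative path, hidden?) so the result does not depend on the temp location."""
    with tempfile.TemporaryDirectory() as base:
        for rel in ("docs/chode", "tmp/foreskin", "windows/system"):
            os.makedirs(os.path.join(base, rel))
        hits = find_indicator_dirs(base)
        return [(p.relative_to(base).as_posix(), hidden) for p, hidden in hits]


if __name__ == "__main__":
    for proto, addr, port in exposed_share_listeners(SAMPLE_NETSTAT):
        print(f"sharing port exposed: {proto} {addr}:{port}")
    for rel, hidden in demo_scan():
        print(f"indicator directory: {rel} (hidden={hidden})")
```

On a real machine, feed the output of `netstat -an` to `exposed_share_listeners` and pass the drive root (for example `C:\`) to `find_indicator_dirs`; a loopback-only bind on 139 is reported as safe, while the `0.0.0.0` and LAN-address binds in the sample are exactly the configuration the advisory asks you to remove.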


_______
 To unsubscribe, send "unsubscribe rangernet" to [EMAIL PROTECTED]
 "Eat the hay & spit out the sticks! - A#1's mule"     RTKB&G4JC!
 http://rangernet.org    Autoresponder: [EMAIL PROTECTED]
