Computer Security Weekly, April 10, 2000


Special Emergency Edition: Call 911!

Okay, this week the big security news is the 911 virus, otherwise known as variations on BAT|W95/911|Chode|Firkin.Worm. Although the first announcement was made on April 1, this definitely does not appear to be an April Fools' joke.

First, do not panic. This virus is real, and it may possibly become a problem. But it is rather simply, not to say stupidly, done, and isn't likely to be a major problem at the moment.

This virus seems to be spread via the Microsoft Windows networking "share" function. When you want to connect your machine to a local area network, you "share" a drive, folder, file, or printer. The easiest way to do this, of course, is to set everything "world readable," as we used to call it in the days when it mattered. Basically, this is what everybody seems to do. And, unfortunately, Microsoft makes it world writeable at the same time.

911 is actually only one of what is already a family. The reason for this seems to be that most of the files involved in the virus (or worm) are ordinary batch files. This makes it a cinch to make modifications and therefore new variants. (There is also our old friend, VBScript.)

The virus looks around for available machines on various subnets of the Internet. These could, of course, be changed at any time, but at the moment it means that 911 and its ilk have been somewhat geographically limited. Most of the current nets are in North America, but some have a rather extensive user base.

At any rate, the virus finds a likely host, and tries to copy a number of files to it, including some that will ensure the virus gets started at next boot time. After the infection routine has been done, the virus may display a message on the local machine, or it may format a range of hard drives. Interestingly, the current version seems to avoid deleting itself in the damage process. Specific other files may be deleted at specific times. It may also attempt to place a call to 911 through the modem. Since the infection and spread tend to be localized, a major infestation in a given area could have some serious consequences for emergency services.

At present, the virus will not infect machines which have a non-standard Windows installation. The current versions are very specific as to drives and directories. This limitation could be overcome very easily.

The best protection is to turn down the level of access to your shares, or turn sharing off. On both Windows NT and 9x, bring up the Control Panel, either through the "My Computer" icon, or under the

The copyright of the article Computer Security Weekly, April 10, 2000 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, April 10, 2000 in print or online must be granted by the author in writing.
