Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today


From: The SANS Institute
To: Fred Cohen (SD308262)

Sat, 1 Apr 2000 14:28:16 -0700 (MST)


fc  Sat Apr  1 13:29:14 2000
Received: from 207.222.214.225
	by localhost with POP3 (fetchmail-5.1.0)
	for fc@l... (single-drop); Sat, 01 Apr 2000 13:29:14 -0800 (PST)
Received: by multi33.netcomi.com for fc
 (with Netcom Interactive pop3d (v1.21.1 1998/05/07) Sat Apr  1 21:29:08 2000)
X-From_: sans@s...  Sat Apr  1 15:28:34 2000
Received: from server1.SANS.ORG (server1.sans.org [167.216.133.33]) by multi33.netcomi.com (8.8.5/8.7.4) with ESMTP id PAA02937 for fc@a...; Sat, 1 Apr 2000 15:28:34 -0600
Received: by server1.SANS.ORG (rbkq) id QDO73117
	for fc@a...; Sat, 1 Apr 2000 14:28:16 -0700 (MST)
Date: Sat, 1 Apr 2000 14:28:16 -0700 (MST)
Message-Id: 2000040125229.QDO73117@s...
From: The SANS Institute sans@s...
Subject: Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today
Precedence: bulk
Errors-To: bounce@s...
To: Fred Cohen (SD308262) fc@a...

To:   Fred Cohen (SD308262)
From: The SANS Institute Research Office
Subj: Malicious 911 Virus Wipes Out Hard Drives of Internet Users

At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!) the FBI announced it had discovered malicious code wiping out the data on hard drives and dialing 911. This is a vicious virus and needs to be stopped quickly. That can only be done through wide-scale individual action. Please forward this note to everyone who you know who might be affected.

The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm

The 911 virus is the first "Windows shares virus." Unlike recent viruses that propagate through eMail, the 911 virus silently jumps directly from machine to machine across the Internet by scanning for, and exploiting, open Windows shares. After successfully reproducing itself in other Internet-connected machines (to assure its continued survival) it uses the machine's modem to dial 911 and erases the local machine's hard drive. The virus is operational; victims are already reporting wiped-out hard drives. The virus was launched through AOL, AT&T, MCI, and NetZero in the Houston area. The investigation points to relatively limited distribution so far, but there are no walls in the Internet.

-----------------
Action 1: Defense


Verify that your system and those of all your coworkers, friends, and associates are not vulnerable by verifying that file sharing is turned off.

* On a Windows 95/98 system, system-wide file sharing is managed by selecting My Computer, Control Panel, Networks, and clicking on the File and Print Sharing button.  For folder-by-folder controls, you can use Windows Explorer (Start, Programs, Windows Explorer) and highlight a primary folder such as My Documents and then right mouse click and select properties.  There you will find a tab for sharing.

* On Windows NT, check Control Panel, Server, Shares.

For an excellent way to instantly check system vulnerability, and for detailed assistance in managing Windows file sharing, see Shields Up!, a free service from Gibson Research (http://grc.com/).

-------------------
Action 2: Forensics


If you find that you did have file sharing turned on, search your hard drive for hidden directories named "chode", "foreskin", or "dickhair" (we apologize for the indiscretion - but those are the real directory names). These are HIDDEN directories, so you must configure the Find command to show hidden directories. Under the Windows Explorer menu choose View/Options: "Show All Files".

If you find those directories: remove them.

And, if you find them, and want help from law enforcement, call the FBI National Infrastructure Protection Center (NIPC) Watch Office at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary job of getting data out early on this virus and deserves both kudos and cooperation.

You can help the whole community by letting both the FBI and SANS (intrusion@s...) know if you've been hit, so we can monitor the spread of this virus.
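As an added example (not part of the SANS alert or of Fred Cohen's message), the following Python script automates the two checks the alert asks for: Action 1 parses the output of Windows' `net share` command and reports any share other than the built-in administrative ones, and Action 2 walks a directory tree for the three indicator directory names, reporting whether each hit carries the hidden attribute. The `net share` transcript and the directory tree are constructed here for a dry run; the fixed-width column layout of `net share`, the helper names, and the `nine11_demo_` prefix are assumptions, not anything from the alert.

```python
"""Defender-side checks mirroring the SANS 911 virus alert (added example).

Action 1: list user-created shares from `net share` text.
Action 2: find the alert's hidden indicator directories under a root.
"""
import os
import re
import shutil
import stat
import tempfile

# Directory names the alert lists as the virus's hidden indicator
# directories; compared case-insensitively because Windows names are.
INDICATOR_DIRS = frozenset({"chode", "foreskin", "dickhair"})

# Windows' own administrative shares (C$, ADMIN$, IPC$, PRINT$). The alert's
# Action 1 concerns user-enabled file sharing, so these are not reported.
ADMIN_SHARE_RE = re.compile(r"^(?:[A-Za-z]\$|ADMIN\$|IPC\$|PRINT\$)$")


def _row(name, resource="", remark=""):
    """Lay one line out the way `net share` does (assumed widths: 13 for the
    share name, 32 for the resource, remark after that)."""
    return f"{name:<13}{resource:<32}{remark}".rstrip()


# Constructed sample of `net share` output; not captured from a real machine.
SAMPLE_NET_SHARE = "\n".join([
    _row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _row("C$", "C:\\", "Default share"),
    _row("IPC$", "", "Remote IPC"),
    _row("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    _row("MyDocs", "C:\\My Documents"),
    _row("Music", "D:\\Music", "shared with the house"),
    "",
    "The command completed successfully.",
])


def parse_net_share(output):
    """Parse `net share` text into (name, resource, remark) tuples.

    Column boundaries are taken from the header line, so a blank resource
    (as on the IPC$ row) does not shift the remark into the wrong field.
    """
    lines = output.splitlines()
    header = next((ln for ln in lines if ln.startswith("Share name")), None)
    if header is None:
        raise ValueError("no 'Share name' header found in net share output")
    res_col = header.index("Resource")
    rem_col = header.index("Remark")
    shares = []
    in_table = False
    for line in lines:
        if not in_table:
            in_table = line.startswith("---")  # dashed separator
            continue
        if not line.strip() or line.startswith("The command"):
            break  # end of the table
        name = line[:res_col].strip()
        resource = line[res_col:rem_col].strip()
        remark = line[rem_col:].strip()
        shares.append((name, resource, remark))
    return shares


def exposed_shares(output):
    """Action 1: names of shares that are not administrative shares."""
    return [name for name, _, _ in parse_net_share(output)
            if not ADMIN_SHARE_RE.match(name)]


def is_hidden(path):
    """True if `path` has the Windows hidden attribute; on other platforms a
    leading dot is treated as the nearest equivalent."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def find_indicator_dirs(root):
    """Action 2: [(path, hidden)] for every directory under `root` whose name
    matches an indicator name. os.walk does not skip hidden entries, so the
    alert's 'Show All Files' step is not needed here."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() in INDICATOR_DIRS:
                full = os.path.join(dirpath, d)
                hits.append((full, is_hidden(full)))
    return sorted(hits)


def build_sample_tree():
    """Constructed tree for a dry run: two indicator directories under
    unrelated parents plus an innocent folder. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="nine11_demo_")
    os.makedirs(os.path.join(root, "Program Files", "chode"))
    os.makedirs(os.path.join(root, "My Documents", "photos", "FORESKIN"))
    os.makedirs(os.path.join(root, "My Documents", "letters"))
    return root


if __name__ == "__main__":
    print("Action 1: non-administrative shares:", exposed_shares(SAMPLE_NET_SHARE))
    root = build_sample_tree()
    try:
        for path, hidden in find_indicator_dirs(root):
            print("Action 2: indicator directory", path, "(hidden)" if hidden else "")
    finally:
        shutil.rmtree(root)
```

On a real machine, `parse_net_share` would be fed the captured text of `net share`, and `find_indicator_dirs` would be pointed at each drive root; the functions are separated from the sample data so that swap is a one-line change.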


Moving Forward


The virus detection companies received a copy of the code for the 911 Virus early this morning, so keep your virus signature files up-to-date.

We'll post new information at www.sans.org as it becomes available.

Prepared by:
Alan Paller, Research Director, The SANS Institute
Steve Gibson, President, Gibson Research Corporation
Stephen Northcutt, Director, Global Incident Analysis Center

--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: http://all.net - fc@a... - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
				Have a great day!!!

[This communication is confidential to the parties to which it is sent.  If you get this email in error, please delete it immediately and do not use, repost, reprint, or view the contents.  This message and all messages to or from the sender of this message is recorded and reading this message or sending email to its sender constitutes consent for such recording.]

Per the official policy of Sandia National Laboratories, the reader should be
aware that:
  - Fred Cohen of Fred Cohen & Associates is the same Fred Cohen who is a
    Principal Member of Technical Staff at Sandia National Laboratories.
  - Fred Cohen & Associates - is owned and operated by Fred Cohen and is
    separate and independent from the work done by Fred Cohen at Sandia
    National Laboratories.