Loading ...
Sorry, an error occurred while loading the content.

Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today (fwd)

Expand Messages
  • Fred Cohen
    Per the message sent by The SANS Institute: From fc Sat Apr 1 13:29:14 2000 Received: from by localhost with POP3 (fetchmail-5.1.0) for
    Message 1 of 1 , Apr 1, 2000
      Per the message sent by The SANS Institute:
      From fc Sat Apr 1 13:29:14 2000
      Received: from
      by localhost with POP3 (fetchmail-5.1.0)
      for fc@localhost (single-drop); Sat, 01 Apr 2000 13:29:14 -0800 (PST)
      Received: by multi33.netcomi.com for fc
      (with Netcom Interactive pop3d (v1.21.1 1998/05/07) Sat Apr 1 21:29:08 2000)
      X-From_: sans@... Sat Apr 1 15:28:34 2000
      Received: from server1.SANS.ORG (server1.sans.org []) by multi33.netcomi.com (8.8.5/8.7.4) with ESMTP id PAA02937 for <fc@...>; Sat, 1 Apr 2000 15:28:34 -0600
      Received: by server1.SANS.ORG (rbkq) id QDO73117
      for fc@...; Sat, 1 Apr 2000 14:28:16 -0700 (MST)
      Date: Sat, 1 Apr 2000 14:28:16 -0700 (MST)
      Message-Id: <2000040125229.QDO73117@...>
      From: The SANS Institute <sans@...>
      Subject: Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today
      Precedence: bulk
      Errors-To: bounce@...
      To: Fred Cohen (SD308262) <fc@...>

      To: Fred Cohen (SD308262)
      From: The SANS Institute Research Office
      Subj: Malicious 911 Virus Wipes Out Hard Drives of Internet Users

      At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!)
      the FBI announced it had discovered malicious code wiping out the data on
      hard drives and dialing 911. This is a vicious virus and needs to
      be stopped quickly. That can only be done through wide-scale
      individual action. Please forward this note to everyone who you
      know who might be affected.

      The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm

      The 911 virus is the first "Windows shares virus." Unlike recent
      viruses that propagate though eMail, the 911 virus silently jumps
      directly from machine to machine across the Internet by scanning
      for, and exploiting, open Windows shares. After successfully
      reproducing itself in other Internet-connected machines
      (to assure its continued survival) it uses the machine's modem to
      dial 911 and erases the local machine's hard drive. The virus is
      operational; victims are already reporting wiped-out hard drives.
      The virus was launched through AOL, AT&T, MCI, and NetZero in the
      Houston area. The investigation points to relatively limited
      distribution so far, but there are no walls in the Internet.

      Action 1: Defense

      Verify that your system and those of all your coworkers, friends, and
      associates are not vulnerable by verifying that file sharing is
      turned off.

      * On a Windows 95/98 system, system-wide file sharing is managed by
      selecting My Computer, Control Panel, Networks, and clicking on the
      File and Print Sharing button. For folder-by-folder controls, you
      can use Windows Explorer (Start, Programs, Windows Explorer) and
      highlight a primary folder such as My Documents and then right mouse
      click and select properties. There you will find a tab for sharing.

      * On a Windows NT, check Control Panel, Server, Shares.

      For an excellent way to instantly check system vulnerability, and for
      detailed assistance in managing Windows file sharing, see: Shields
      Up! A free service from Gibson Research (http://grc.com/)

      Action 2: Forensics

      If you find that you did have file sharing turned on, search your
      hard drive for hidden directories named "chode", "foreskin", or
      "dickhair" (we apologize for the indiscretion - but those are the
      real directory names). These are HIDDEN directories, so you must
      configure the Find command to show hidden directories. Under the
      Windows Explorer menu choose View/Options: "Show All Files".

      If you find those directories: remove them.

      And, if you find them, and want help from law enforcement, call the
      FBI National Infrastructure Protection Center (NIPC) Watch Office
      at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary
      job of getting data out early on this virus and deserves both kudos
      and cooperation.

      You can help the whole community by letting both the FBI and
      SANS (intrusion@...) know if you've been hit, so we can
      monitor the spread of this virus.

      Moving Forward

      The virus detection companies received a copy of the code for the
      911 Virus early this morning, so keep your virus signature files

      We'll post new information at www.sans.org as it becomes available.

      Prepared by:
      Alan Paller, Research Director, The SANS Institute
      Steve Gibson, President, Gibson Research Corporation
      Stephen Northcutt, Director, Global Incident Analysis Center

      Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
      Fred Cohen & Associates: http://all.net - fc@... - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
      Have a great day!!!

      [This communication is confidential to the parties to which it is sent.
      If you get this email in error, please delete it immediately and do not
      use, repost, reprint, or view the contents. This message and all
      messages to or from the sender of this message is recorded and reading
      this message or sending email to its sender constitutes consent for such

      Per the official policy of Sandia National Laboratories, the reader should be
      aware that:
      - Fred Cohen of Fred Cohen & Associates is the same Fred Cohen who is a
      Principal Member of Technical Staff at Sandia National Laboratories.
      - Fred Cohen & Associates - is owned and operated by Fred Cohen and is
      separate and independent from the work done by Fred Cohen at Sandia
      National Laboratories.
    Your message has been successfully submitted and would be delivered to recipients shortly.