Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today (fwd)
- Per the message sent by The SANS Institute:
From fc Sat Apr 1 13:29:14 2000
Received: from 220.127.116.11
by localhost with POP3 (fetchmail-5.1.0)
for fc@localhost (single-drop); Sat, 01 Apr 2000 13:29:14 -0800 (PST)
Received: by multi33.netcomi.com for fc
(with Netcom Interactive pop3d (v1.21.1 1998/05/07) Sat Apr 1 21:29:08 2000)
X-From_: sans@... Sat Apr 1 15:28:34 2000
Received: from server1.SANS.ORG (server1.sans.org [18.104.22.168]) by multi33.netcomi.com (8.8.5/8.7.4) with ESMTP id PAA02937 for <fc@...>; Sat, 1 Apr 2000 15:28:34 -0600
Received: by server1.SANS.ORG (rbkq) id QDO73117
for fc@...; Sat, 1 Apr 2000 14:28:16 -0700 (MST)
Date: Sat, 1 Apr 2000 14:28:16 -0700 (MST)
From: The SANS Institute <sans@...>
Subject: Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today
To: Fred Cohen (SD308262) <fc@...>
To: Fred Cohen (SD308262)
From: The SANS Institute Research Office
Subj: Malicious 911 Virus Wipes Out Hard Drives of Internet Users
At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!)
the FBI announced it had discovered malicious code wiping out the data on
hard drives and dialing 911. This is a vicious virus and needs to
be stopped quickly. That can only be done through wide-scale
individual action. Please forward this note to everyone who you
know who might be affected.
The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm
The 911 virus is the first "Windows shares virus." Unlike recent
viruses that propagate though eMail, the 911 virus silently jumps
directly from machine to machine across the Internet by scanning
for, and exploiting, open Windows shares. After successfully
reproducing itself in other Internet-connected machines
(to assure its continued survival) it uses the machine's modem to
dial 911 and erases the local machine's hard drive. The virus is
operational; victims are already reporting wiped-out hard drives.
The virus was launched through AOL, AT&T, MCI, and NetZero in the
Houston area. The investigation points to relatively limited
distribution so far, but there are no walls in the Internet.
Action 1: Defense
Verify that your system and those of all your coworkers, friends, and
associates are not vulnerable by verifying that file sharing is
* On a Windows 95/98 system, system-wide file sharing is managed by
selecting My Computer, Control Panel, Networks, and clicking on the
File and Print Sharing button. For folder-by-folder controls, you
can use Windows Explorer (Start, Programs, Windows Explorer) and
highlight a primary folder such as My Documents and then right mouse
click and select properties. There you will find a tab for sharing.
* On a Windows NT, check Control Panel, Server, Shares.
For an excellent way to instantly check system vulnerability, and for
detailed assistance in managing Windows file sharing, see: Shields
Up! A free service from Gibson Research (http://grc.com/)
Action 2: Forensics
If you find that you did have file sharing turned on, search your
hard drive for hidden directories named "chode", "foreskin", or
"dickhair" (we apologize for the indiscretion - but those are the
real directory names). These are HIDDEN directories, so you must
configure the Find command to show hidden directories. Under the
Windows Explorer menu choose View/Options: "Show All Files".
If you find those directories: remove them.
And, if you find them, and want help from law enforcement, call the
FBI National Infrastructure Protection Center (NIPC) Watch Office
at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary
job of getting data out early on this virus and deserves both kudos
You can help the whole community by letting both the FBI and
SANS (intrusion@...) know if you've been hit, so we can
monitor the spread of this virus.
The virus detection companies received a copy of the code for the
911 Virus early this morning, so keep your virus signature files
We'll post new information at www.sans.org as it becomes available.
Alan Paller, Research Director, The SANS Institute
Steve Gibson, President, Gibson Research Corporation
Stephen Northcutt, Director, Global Incident Analysis Center
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
Fred Cohen & Associates: http://all.net - fc@... - tel/fax:925-454-0171
Fred Cohen - Practitioner in Residence - The University of New Haven
Have a great day!!!
[This communication is confidential to the parties to which it is sent.
If you get this email in error, please delete it immediately and do not
use, repost, reprint, or view the contents. This message and all
messages to or from the sender of this message is recorded and reading
this message or sending email to its sender constitutes consent for such
Per the official policy of Sandia National Laboratories, the reader should be
- Fred Cohen of Fred Cohen & Associates is the same Fred Cohen who is a
Principal Member of Technical Staff at Sandia National Laboratories.
- Fred Cohen & Associates - is owned and operated by Fred Cohen and is
separate and independent from the work done by Fred Cohen at Sandia