Warning! New Worm Dials 911

News from Houston, Texas this weekend has left the Federal Bureau of Investigation and the city's emergency response teams scrambling for answers. According to officials at the National Infrastructure Protection Center (NIPC), a new virus has been reported from four major ISPs in the area that can not only erase the hard drive of the computer it infects, but also dial the 911 emergency number and cause officers to make unwarranted visits to the homes from which the calls are placed.
According to analysis done at the NIPC, this self-propagating script named BAT.chode.worm (with the aliases Chode, Foreskin, BAT911), "actively searches the internet for computer systems set up for file and print sharing and copy itself on to these systems."
Using batch (.BAT) files, it scans IP address ranges belonging to known ISPs to locate a computer on which file sharing is enabled. After a quick test to check whether it has reached the C drive, done by searching for the win.exe program, the worm maps the drive and removes the VBS.network worm if it is present. It then verifies that it can write to the drive and copies itself over.
Once in place, it adds the following files to the infected PC.
- One out of five times it will use the autoexec.bat file to place a call to the 911 emergency system.
- The file ashield.pif is placed in the StartUp group in the Start Menu to hide the worm when the computer is booted.
- To hide the netstat utility the worm uses to scan the networks, netstat.pif is added to the infected PC.
- The payload of the worm is contained in the winsock.vbs file. On the 19th of the month, the worm activates and deletes files in the C:\, C:\Windows, C:\Windows\System and C:\Windows\Command directories, thus overwriting the entire drive. After doing so, it displays the following message: "You Have Been Infected by Chode. You may now turn this piece of shit off!"
- A log of the worm's infections is recorded in C:\Program Files\chode\chode.txt.
The worm's files can be found in hidden directories named chode, foreskin, or dickhair.
If you find that your computer is infected, you can eliminate it by following these steps:
- Delete the C:\Program Files\Chode directory
- Delete C:\Windows\Start Menu\Startup\ashield.pif
- Delete C:\Windows\Start Menu\Startup\netstat.pif
- Delete C:\Windows\Start Menu\Startup\winsock.vbs
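As an added example (not from the article or the NIPC memorandum), a read-only Python triage script that checks a drive root for the indicators listed above: the three StartUp files, the chode.txt infection log, the worm's directory names, and a 911 dial command in autoexec.bat. The article does not give the dial string, so the Hayes-style ATDT/ATDP pattern is an assumption, and the sample drive tree the script builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: dropped StartUp files, the hidden
# directory names the worm uses, and its infection log.
STARTUP_FILES = ("ashield.pif", "netstat.pif", "winsock.vbs")
WORM_DIRS = {"chode", "foreskin", "dickhair"}
LOG_FILE = Path("Program Files") / "chode" / "chode.txt"
# Assumption (the article gives no dial string): a Hayes-style modem
# command such as "ATDT911" or "ATDP 911" in autoexec.bat.
DIAL_911 = re.compile(r"\bATD[TP]?\s*911\b", re.IGNORECASE)


def scan_host(root):
    """Return (category, path) findings under a drive root such as C:\\ or
    a mounted image. Read-only: nothing is deleted or modified."""
    root = Path(root)
    findings = []
    startup = root / "Windows" / "Start Menu" / "StartUp"
    for name in STARTUP_FILES:
        if (startup / name).is_file():
            findings.append(("startup_file", str(startup / name)))
    if (root / LOG_FILE).is_file():
        findings.append(("infection_log", str(root / LOG_FILE)))
    autoexec = root / "autoexec.bat"
    if autoexec.is_file() and DIAL_911.search(autoexec.read_text(errors="ignore")):
        findings.append(("autoexec_dials_911", str(autoexec)))
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() in WORM_DIRS:
                findings.append(("worm_directory", str(Path(dirpath) / d)))
    return findings


def build_sample_host(infected=True):
    """Construct a throwaway tree that mimics a C: drive; with infected=True
    it carries every indicator, otherwise only an empty StartUp folder."""
    root = Path(tempfile.mkdtemp(prefix="chode_demo_"))
    startup = root / "Windows" / "Start Menu" / "StartUp"
    startup.mkdir(parents=True)
    if infected:
        for name in STARTUP_FILES:
            (startup / name).write_text("")
        (root / LOG_FILE).parent.mkdir(parents=True)
        (root / LOG_FILE).write_text("constructed infection log\n")
        (root / "autoexec.bat").write_text("@echo off\r\nATDT911\r\n")
    return root
```

On a live machine call `scan_host(r"C:\")` (or point it at a mounted disk image) and act on the findings with the removal steps listed above; the script itself never deletes anything.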
One way to protect yourself from an attack is to disable file and print sharing on your computer. However, it is understood that the sharing of files is vital to certain businesses and networks, therefore the other remedy would be to password protect write access to the drive. In doing so, the script would be unable to write any files or create any directories on the drive, and the attack would fail.
Thus far no other reports of the virus have come other than those in Houston, Texas. It has been seen on America Online, NetZero, AT&T and MCI Worldcom, although it performs scans on the Bell South Net, Level3 Net, Mindspring, Earthlink, Air.Internet (Canada), and PSI Net ISPs as well.
Read the full memorandum from the NIPC and keep checking back as the story develops. You can also read the warning from Symantec for more information.