SECURITY ALERT

Name:      911
Aliases:   Firkin,Worm_Firkin,Worm.Firkin,Chode,Bat.Chode.Worm,
           BAT911,Foreskin,BAT/911.A,W95/Firkin.Worm,
           BAT/Firkin.A,Chode911,VBS_BAT911,BAT_CHODE911,911 Windows Share
Variants:  a, b, c
Type:      Internet Worm
Platforms: Microsoft Windows
Status:    in the wild
Threat:    Low

The following information was derived from information received from SANS, F-Secure, Network Associates, Symantec, Trend, Computer Associates, Command and Sophos.

Virus Characteristics

At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!) the FBI announced it had discovered malicious code wiping out the data on hard drives and dialing 911. Due to the nature of the infection mechanism employed by this worm, Sensible Security feels that while home users should beware of this virus, it is not a great threat to large organizations.

The 911 worm is one of the first to exploit "Windows shares." Unlike recent viruses that propagate through email, the 911 worm silently jumps directly from machine to machine across the Internet by scanning for, and exploiting, open Windows shares. After successfully reproducing itself on other Internet-connected machines (to assure its continued survival), one out of five times it uses the machine's modem to dial 911 and erases the local machine's hard drive. The worm is operational; victims are already reporting wiped-out hard drives. Additionally, the .c variant contains code that pings various servers at random in a loop until an error occurs.

The spreading function first searches for a suitable target and tries to map the "c" drive of the attacked computer to the local drive name "j". In order to propagate, the worm has to find a writeable C share that is not protected by a password. Anti-virus vendors recommend that you not share any drives or directories without assigning a password. During the spreading process the worm prints information about the system currently under attack; these messages are probably just debugging remnants and are kept hidden from the user.

This worm randomly searches for open network shared drives in the subnets 12.73, 165, 171, 199, 200, 205, 206, 208, 209, and 216. Once it finds a shared network drive (C:), it copies itself to the victim's system. These subnets correspond to the following ISPs:

att.net (ATT Worldnet)
bellsouth.net (BellSouth Net)
level3.net (Level3 Net)
aol.com (America Online)
mindspring.com (Mindspring)
earthlink.net (Earthlink)
air.on.ca (Air.Internet in Canada)
psi.net (PSInet)

The worm is written in DOS batch language (its components are mostly BAT files) and uses DOS box commands and a few external utilities to perform infection. The worm also includes a VBScript file. The worm can spread only if Windows is installed in the directory C:\WINDOWS\; if that directory name is different or Windows is installed on another drive, the worm fails to spread.

Payload

The virus chooses one of three payloads when triggered: it formats drives H:\ to C:\, the infected system dials the number 911 from the modem, or the virus copies itself to the victim's computer system.

Provided that a set of conditions is met, there is a 2 in 6 chance that the virus will alter a remote machine's AUTOEXEC.BAT file. When run on the remote machine, the altered AUTOEXEC.BAT attempts to unconditionally format the H:, G:, F:, E:, and D: hard drives. The code then displays the message

      "You have been sLamMeD By fOREsKIN mOThERfUCKER"
before attempting to unconditionally format the C: drive.

There is a 3 in 6 chance that the virus will do nothing.

There is a 1 in 6 probability that the virus will attempt to dial 911 (the number of the emergency services in some countries). It attempts to do this via the COM1, COM2, COM3, and COM4 ports in turn.

WINSOCK.VBS is launched when Windows starts on an infected computer. On the 19th of the month, this VBScript deletes files from the following directories:

C:\windows
C:\windows\system
C:\windows\command
C:\

Then, it displays two message boxes:

      "You Have Been Infected By Chode"

      "You may now turn this piece of shit off!"

The worm logs the infection in the file C:\PROGRAM FILES\chode\chode.txt or c:\PROGRAM FILES\foreskin\cool.txt on the source computer.

Several variants of this worm are known; all operate as described above, with some minor differences:

Worm's directory:
Variants a,b: C:\PROGRA~1\FORESKIN\ (C:\Program Files\FORESKIN\)
Variant c: C:\PROGRA~1\CHODE\ (C:\Program Files\CHODE\)

Worm's components and additional utilities:
Variant a: A,B,C,D,E,F,G,H,I,J,ADD,FINAL,HIDE,SLAM - all are BAT files
ASHIELD.EXE, ASHIELD.PIF - utility that hides the worm's window
MSTUM.BAT, MSTUM.PIF - the worm's main BAT and PIF files

Variant b: A,B,C,D,E,F,G,H,I,J,ADD,ZULU,HIDE,SLAM - all are BAT files
ASHIELD.EXE, ASHIELD.PIF - utility that hides the worm's window
MSTUM.BAT, MSTUM.PIF - the worm's main BAT and PIF files

Variant c: ADD, RANDOM - additional BAT files
ASHIELD.EXE, ASHIELD.PIF - utility that hides the worm's window
CHODE.BAT, NETSTAT.PIF - the worm's main BAT and PIF files

Prevention and Manual Detection

Verify that your system and those of all your coworkers, friends, and associates are not vulnerable by verifying that file sharing is turned off.

On a Windows 95/98 system, system-wide file sharing is managed by selecting My Computer, Control Panel, Networks, and clicking the File and Print Sharing button. For folder-by-folder control, open Windows Explorer (Start, Programs, Windows Explorer), highlight a primary folder such as My Documents, right-click it and select Properties. There you will find a Sharing tab.

On Windows NT, check Control Panel, Server, Shares.

If you find that you did have file sharing turned on, search your hard drive for hidden directories named "chode", "foreskin", or "dickhair" (we apologize for the indiscretion - but those are the real directory names).

These are HIDDEN directories, so you must configure the Find command to show hidden directories. Under the Windows Explorer menu choose View/Options: "Show All Files".

If you find those directories: remove them.

Manual Removal

1. Delete the C:\Program Files\Chode directory.
2. Delete the C:\Program Files\Foreskin directory.
3. Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\ASHIELD.PIF
4. Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NETSTAT.PIF
5. Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINSOCK.VBS
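A defender-side check for the indicators this advisory lists (the worm's directories, start-up entries and infection log files), added here as an example; it is not part of the advisory or of any vendor's tool. It assumes you pass the root of the drive to inspect (a live C:\ or an offline-mounted image), matches names case-insensitively, and builds its own constructed sample tree for demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the advisory above, relative to the drive root (matched case-insensitively).
INDICATORS = [
    ("directory", "Program Files/Chode"),
    ("directory", "Program Files/Foreskin"),
    ("directory", "Program Files/dickhair"),
    ("startup", "WINDOWS/START MENU/PROGRAMS/STARTUP/ASHIELD.PIF"),
    ("startup", "WINDOWS/START MENU/PROGRAMS/STARTUP/NETSTAT.PIF"),
    ("startup", "WINDOWS/START MENU/PROGRAMS/STARTUP/WINSOCK.VBS"),
    ("log", "Program Files/chode/chode.txt"),
    ("log", "Program Files/foreskin/cool.txt"),
]

def _resolve_ci(root, rel):
    """Resolve rel under root, matching each component case-insensitively.
    os.scandir lists hidden entries too, so hidden worm directories show up."""
    cur = Path(root)
    for part in rel.split("/"):
        try:
            entries = {e.name.lower(): e.path for e in os.scandir(cur)}
        except (FileNotFoundError, NotADirectoryError, PermissionError):
            return None
        if part.lower() not in entries:
            return None
        cur = Path(entries[part.lower()])
    return cur

def scan_for_911_worm(drive_root):
    """Return (category, path) hits for a live C:\\ or a mounted image;
    an empty list means none of the indicators is present."""
    hits = []
    for category, rel in INDICATORS:
        p = _resolve_ci(drive_root, rel)
        if p is not None and (p.is_dir() if category == "directory" else p.is_file()):
            hits.append((category, str(p)))
    return hits

def make_constructed_tree(infected=True):
    """Throwaway directory imitating a C: drive (constructed sample data);
    with infected=True it holds the CHODE directory and WINSOCK.VBS."""
    root = tempfile.mkdtemp(prefix="drive_c_")
    startup = Path(root, "Windows", "Start Menu", "Programs", "StartUp")
    startup.mkdir(parents=True)
    if infected:
        Path(root, "Program Files", "CHODE").mkdir(parents=True)
        (startup / "winsock.vbs").write_text("' constructed placeholder\n")
    return root
```

Any hit is a reason to follow the manual removal steps above; the script only reports, it never deletes.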
