Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
"Windows Shares Worm" Found!
At 8:00 AM, Saturday morning, April 1st (this is NOT an April Fools joke), the FBI announced the existence of a self-replicating, i.e. viral, worm that moves from machine to machine across the Internet by exploiting open Windows shares!
Because of the unfortunate timing of this announcement on April 1st, this could be mistaken for an April Fools prank. It is not! Therefore, here is a link to the FBI notice at the National Infrastructure Protection Center (NIPC)
It was bound to happen sooner or later . . . it has happened NOW: Viral code combining a Windows shares scanner with Windows file sharing to locate and copy itself into other Internet-connected Windows machines across the Internet! Because of the vast number of Windows machines with exposed, shared directories visible to the Internet, this represents a significant new threat.
ShieldsUP! site will probably be safe, but millions
of machines are still at significant risk.
The SANS Institute has dubbed this the "911" worm because shortly before erasing the user's entire hard drive it uses the system's modem to dial 911, producing a large number of "false positive" emergency calls.
Strictly speaking this is a "worm" more than a "virus" since worms propagate and reproduce themselves without any sort of user involvement or action, whereas a virus requires some inadvertent action on the part of the user. This is the second such worm to have been found "in the wild" and, interestingly, this one knows about and deletes its predecessor when encountered. (A jealous worm?) The worm's payload triggers on the 19th of the month, deleting files from crucial Windows system directories. (You want to be very sure that your system is not infected with it at that time!)
It is not a "high tech" worm, since it was written in the Visual Basic Scripting language. But what's sad and should be frightening is that the creation of such a serious and quite damaging Internet threat has become so easy for the "script kiddies."
Preventing Propagation and Reproduction:
we have predatory viruses capable of roaming the
Internet and jumping from machine to machine
without anyone being aware!
As you know, the ShieldsUP! web site is here to help everyone quickly check their systems for known Windows file sharing vulnerabilities. PLEASE encourage everyone to take advantage of this completely free service so that the spread of this frighteningly potent and highly destructive virus can be stopped quickly!
Detecting the Virus' Presence:
Here's Symantec's page for users of their anti-viral scanner:
You can scan your system for the following three HIDDEN directories which the 911 virus is known to create: "chode", "foreskin", and "dickhair". <<sigh>> Yes, the author(s) of this virus are apparently not very mature. Classic "script kiddie" nonsense.
IMPORTANT NOTE: Before scanning with the Windows "Find" function, you must be certain that your Windows Explorer is configured to display hidden files and directories: Under the Windows Explorer View/Options menu, select "Show All Files."
are found, delete them immediately!!
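The directory check described above can also be scripted. This is an added example, not part of the original page or any GRC or Symantec tool: it walks a drive looking for the three directory names listed above and reports each match without deleting anything. The function names and the default root `C:\` are assumptions made for illustration.

```python
import os
import stat
import sys

# Directory names this page lists as created by the 911 worm.
WORM_DIRS = {"chode", "foreskin", "dickhair"}


def is_hidden(path):
    """True if the Windows 'hidden' attribute is set; always False elsewhere."""
    attrs = getattr(os.lstat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_worm_dirs(root):
    """Walk root and return sorted (path, hidden) pairs for matching directories."""
    hits = []
    # onerror swallows unreadable directories so one access error does not
    # end the scan; os.walk does not descend into symlinked directories.
    for parent, dirnames, _files in os.walk(root, onerror=lambda err: None):
        for name in dirnames:
            # Windows file names are case-insensitive, so compare lowercased.
            # Only whole-name matches count, and only directories, not files.
            if name.lower() in WORM_DIRS:
                path = os.path.join(parent, name)
                try:
                    hits.append((path, is_hidden(path)))
                except OSError:
                    hits.append((path, False))  # found but could not be stat'ed
    return sorted(hits)


if __name__ == "__main__":
    # Assumed default: scan the C: drive unless a root is given.
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    found = find_worm_dirs(root)
    for path, hidden in found:
        print(f"{'HIDDEN ' if hidden else 'visible'}  {path}")
    # Non-zero exit status when anything matched, for use in a batch check.
    sys.exit(1 if found else 0)
```

Because the script reads the directory tree directly, its results do not depend on the Explorer "Show All Files" setting.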
I am certain that we have not seen the last of this sort of virus. Please do what you can to educate your friends, relatives, and associates about the dangers of indiscriminate Windows file sharing over the Internet.
They are always welcome to visit the ShieldsUP! web site to test or verify their security and learn more about the risks of careless Internet use.
Thanks for your attention. Spread the word!
Last Edit: Oct 06, 2003 at 13:29