Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
"Windows Shares Worm" Found!

At 8:00 AM, Saturday morning, April 1st — this is NOT an April Fools joke — the FBI announced the existence of a self-replicating (i.e. viral) worm that moves from machine to machine across the Internet by exploiting open Windows shares!

Because of the unfortunate timing of this announcement on April 1st, this could be mistaken for an April Fools prank — it is not! Therefore, here is a link to the FBI notice at the National Infrastructure Protection Center (NIPC).

It was bound to happen sooner or later . . . it has happened NOW: Viral code combining a Windows shares scanner with Windows file sharing to locate and copy itself into other Internet-connected Windows machines across the Internet! Because of the vast number of Windows machines with exposed, shared directories visible to the Internet, this represents a significant new threat.

Fortunately, people who have previously visited the ShieldsUP! site will probably be safe, but millions of machines are still at significant risk.

The SANS Institute has dubbed this the "911" worm because shortly before erasing the user's entire hard drive it uses the system's modem to dial 911, producing a large number of "false positive" emergency calls.

Strictly speaking this is a "worm" more than a "virus" since worms propagate and reproduce themselves without any sort of user involvement or action, whereas a virus requires some inadvertent action on the part of the user. This is the second such worm to have been found "in the wild" and, interestingly, this one knows about and deletes its predecessor when encountered. (A jealous worm?) The worm's payload triggers on the 19th of the month, deleting files from crucial Windows system directories. (You want to be very sure that your system is not infected with it at that time!)

It is not a "high tech" worm, since it was written in the Visual Basic Scripting language. But what's sad — and should be frightening — is that the creation of such a serious and quite damaging Internet threat has become so easy for the "script kiddies."

Preventing Propagation and Reproduction:

Are your shields up? If you have not done so already, be certain that your own Windows system is not exposing any open directories to the Internet. And then, most importantly, spread the word to any Internet-connected friends, relatives, and associates who might not have already taken these precautions.

It is more important now than ever, because now we have predatory viruses capable of roaming the Internet and jumping from machine to machine without anyone being aware!

As you know, the ShieldsUP! web site is here to help everyone quickly check their systems for known Windows file sharing vulnerabilities. PLEASE encourage everyone to take advantage of this completely free service so that the spread of this frighteningly potent and highly destructive virus can be stopped quickly!

Detecting the Virus' Presence:

The anti-virus companies have already received virus patterning data from the FBI. Check for updates which recognize the new 911 Virus.

Here's Symantec's page for users of their anti-viral scanner:

And here's a link to the McAfee / Network Associates page:

And Sophos has two pages describing the two variants they've seen:

You can scan your system for the following three HIDDEN directories which the 911 virus is known to create: "chode", "foreskin", and "dickhair". <<sigh>> Yes, the author(s) of this virus are apparently not very mature. Classic "script kiddie" nonsense.

IMPORTANT NOTE: Before scanning with the Windows "Find" function, you must be certain that your Windows Explorer is configured to display hidden files and directories: Under the Windows Explorer View/Options menu, select "Show All Files."

If any of the directories listed above are found, delete them immediately!!
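
For a check that does not depend on the Explorer "Show All Files" setting, the same search can be scripted. The following is an added example, not part of the original notice or of any GRC tool; the function names and the default C:\ starting point are assumptions, and the directory names are the three listed above.

```python
import os
import stat
import sys

# Directory names this page lists as created by the 911 worm.
WORM_DIR_NAMES = {"chode", "foreskin", "dickhair"}


def is_hidden(path):
    """True if the Windows HIDDEN attribute is set (always False elsewhere)."""
    try:
        attrs = getattr(os.stat(path), "st_file_attributes", 0)
    except OSError:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_worm_dirs(root):
    """Walk everything under root, hidden folders included.

    Returns (hits, skipped): hits is a list of (path, hidden) for each
    directory whose name matches, compared case-insensitively as Windows
    does; skipped lists folders that could not be read, so an incomplete
    sweep is not mistaken for a clean one.
    """
    hits, skipped = [], []
    walker = os.walk(root, onerror=lambda err: skipped.append(err.filename))
    for dirpath, dirnames, _filenames in walker:
        for name in dirnames:
            if name.lower() in WORM_DIR_NAMES:
                full = os.path.join(dirpath, name)
                hits.append((full, is_hidden(full)))
    return hits, skipped


if __name__ == "__main__":
    # Assumed default: sweep the whole C: drive unless a path is given.
    start = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    found, unreadable = find_worm_dirs(start)
    for path, hidden in found:
        print("FOUND", "(hidden)" if hidden else "(not hidden)", path)
    for path in unreadable:
        print("could not read:", path)
    print(len(found), "matching directories under", start)
```

Only directories are matched, and only on an exact name, so a file or a longer folder name that merely contains one of the three words is not reported.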

I am certain that we have not seen the last of this sort of virus. Please do what you can to educate your friends, relatives, and associates about the dangers of indiscriminate Windows file sharing over the Internet.

They are always welcome to visit the ShieldsUP! web site to test or verify their security and learn more about the risks of careless Internet use.

Thanks for your attention. Spread the word!

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA.

Last Edit: Oct 06, 2003 at 14:29