

BAT_CHODE911
Aliases: CHODE911, 911, Firkin, W95/Firkin, Chode, BAT.Chode.Worm, Foreskin, VBS_BAT61

 

Subject: National Infrastructure Protection Center Information System Advisory (NIPC Advisory 00-038); Self-Propagating 911 Script

A recent and breaking FBI case has revealed the creation and dissemination of a self-propagating script that can erase hard drives and dial-up 911 emergency systems. While investigation and technical analysis continue, the script appears to include the following characteristics:

1. Actively search the internet for computer systems set up for file and print sharing and copy itself on to these systems.

2. Overwrite victim hard drives.

3. Cause victim systems to dial 911 (possibly causing emergency authorities to check out substantial numbers of "false positive" calls).

To this point case information and known victims suggest a relatively limited dissemination of this script in the Houston, Texas area, through source computers that scanned several thousand computers through four internet service providers (America On-Line, AT&T, MCI, and Netzero). Disseminated script may be placed in hidden directories named chode, foreskin or dickhair. Further script analysis by the FBI/NIPC continues.

3. FBI/NIPC requests recipients immediately report information relating to use of this script to the local FBI or FBI/NIPC watch at 202-323-3204/3205/3206. As more technical or operational information about this script develops, NIPC will disseminate this information through the Carnegie Mellon CERT, antivirus vendors or its own web site (www.nipc.gov), as appropriate.
 

                     _______________________________

More commonly known as the 911 virus, this is new malware that is currently spreading. It has many payloads, some of which are destructive. It randomly chooses one of three payloads when triggered: it formats drive h:\ to c:\, the infected system dials the number 911 from the modem, and the Trojan copies itself to the victim's computer system. There are several variants of this Trojan that contain minor code changes.

It does not use e-mail to spread itself. It uses several batch files (*.BAT) to spread via the Internet. It searches for an accessible subnet on several ISPs to find accessible shared drives, which it maps in order to copy itself onto them. It looks for IP addresses that start with the following:
206.AAA.BBB.CCC
209.AAA.BBB.CCC
200.AAA.BBB.CCC
199.AAA.BBB.CCC
216.AAA.BBB.CCC
208.AAA.BBB.CCC
165.AAA.BBB.CCC
205.AAA.BBB.CCC
171.AAA.BBB.CCC
12.73.AAA.BBB.CCC

It scans the subnet starting from AAA.244.100.100 up to AAA.255.255.255 (AAA.BBB.CCC) to look for an accessible shared drive. If it cannot find an accessible shared drive, it repeats the scanning of subnets.

Once it finds an accessible shared drive, it first checks whether this shared drive is drive C:. If it is drive C:, it maps the shared drive as drive J:. After mapping it, the worm checks the drive for a previous infection. If the drive is already infected, it starts over from the beginning using other subnets. If the drive is not yet infected, the worm checks whether the drive is shared with write access; if it is, the worm copies itself onto the shared drive.

Then it creates a hidden folder C:\Progra~1\Foreskin and copies all of its accompanying files into it. The files ashield.pif, netstat.pif, and winsock.vbs are then copied into the Program-StartUp folder of the infected machine so that the worm is executed automatically at startup. The file winsock.vbs contains the payload, which deletes files from the following folders on the 19th day of the month:
C:\Windows
C:\Windows\System
C:\Windows\Command
C:\
It then displays two message boxes containing the text:
You Have Been Infected By Chode
You may now turn this piece of ****! off!

One time in five, the worm modifies AUTOEXEC.BAT, adding a line that dials the number 911 using the modem. This is done through the computer's COM ports.

It then formats drives D:, E:, F:, G: and H:, and displays the following text before formatting drive C:
"You have been slammed by foreskin mOThER@!*****"

                        ______________________________

Delete any or all of the following directories if they exist:
C:\progra~1\chode
C:\progra~1\foreskin
C:\progra~1\dickhair

Delete the files ASHIELD.PIF, NETSTAT.PIF, and WINSOCK.VBS from the C:\WINDOWS\START MENU\PROGRAMS\STARTUP\ folder.
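
The removal steps above can be checked before anything is deleted. The following is an added example, not part of the original page or the NIPC advisory: it lists which of the named directories and Startup files are present under a drive root or mounted disk image. The function names and the sample tree are constructed, and it assumes Progra~1 is the 8.3 short name of "Program Files".

```python
import os
import tempfile

# Indicators taken from the removal steps on this page.
WORM_DIRS = {"chode", "foreskin", "dickhair"}
STARTUP_FILES = {"ashield.pif", "netstat.pif", "winsock.vbs"}
# Assumption: Progra~1 is the 8.3 short name of "Program Files".
PROGRAM_DIR_NAMES = {"progra~1", "program files"}
STARTUP_PATH = ["windows", "start menu", "programs", "startup"]


def _children(path, wanted):
    """Return entries of `path` whose lower-cased name is in `wanted`."""
    try:
        names = os.listdir(path)
    except OSError:  # missing or unreadable directory
        return []
    return [os.path.join(path, n) for n in sorted(names) if n.lower() in wanted]


def find_911_artifacts(root):
    """List worm directories and Startup files found under a drive root."""
    hits = []
    for prog in _children(root, PROGRAM_DIR_NAMES):
        hits += [d for d in _children(prog, WORM_DIRS) if os.path.isdir(d)]
    # Walk to the Startup folder one component at a time, ignoring case,
    # so the check also works on an image mounted case-sensitively.
    level = [root]
    for part in STARTUP_PATH:
        level = [c for p in level for c in _children(p, {part})]
    for startup in level:
        hits += [f for f in _children(startup, STARTUP_FILES) if os.path.isfile(f)]
    return hits


def build_sample_tree(root):
    """Constructed sample: one worm folder, two Startup files, one benign file."""
    os.makedirs(os.path.join(root, "Program Files", "Foreskin"))
    startup = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp")
    os.makedirs(startup)
    for name in ("ASHIELD.PIF", "WinSock.vbs", "readme.txt"):
        open(os.path.join(startup, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path in find_911_artifacts(tmp):
            print(os.path.relpath(path, tmp))
```

Run against the real drive root (for example find_911_artifacts("C:\\")) to see what is present; an empty list means none of the page's indicators were found.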

 


 

 
http://www.poor-farm.com/
webmaster@poor-farm.com
McCann's PooR Farm
Aurora, Mo. 65605
© 2001