Monday April 03, 2000
FBI Most Wanted: A computer worm?

The FBI's National Infrastructure Protection Center is searching for more information on a computer worm spreading in the Houston area.

A largely unsuccessful computer worm has garnered national attention after an FBI agency posted a warning of the malicious code on its pages over the weekend.

On Saturday, the National Infrastructure Protection Center -- a joint agency created by the FBI and the Department of Justice to pursue cybercrime -- posted an advisory about the computer worm, dubbing it a "self-propagating 911 script."

"I think getting out the information is important," said Vincent Weafer, director of Symantec Corp.'s Antivirus Research Center, which posted information on the worm last Friday. "I can understand why -- in the case of the 911 system -- they put up a report." The NIPC was not available for comment by press time.

According to the April 1 advisory, and information from anti-virus software makers, the worm code is actually several batch files -- each a collection of commands -- that run on Windows 95 and 98.

After an infected computer boots up and goes online, the batch files command the computer to "ping" the Internet addresses belonging to eight domains: ATT.net, BellSouth.net, Level3.net, AOL.com, Mindspring.com, Earthlink.net, Air.on.ca, and PSI.net. When a target computer using a pinged address responds, the batch file checks to see if the computer is sharing an unprotected hard drive. If so, it infects it.

According to the NIPC, the worm has not had much success in spreading. "To this point, case information and known victims suggest a relatively limited dissemination of this script (worm) in the Houston, Texas area," stated the advisory.

For the NIPC and the FBI, the worm's worst aspect is that 20 percent of infected computers will dial 911 emergency services upon startup.

When the worm copies itself to a new computer, one out of five times it modifies the new machine's autoexec.bat file, causing it to dial 911 during startup.

Nothing new
Despite the concern, that's nothing new, said Weafer. "Certainly we have had a number of 911 viruses in the past," he said. However, he added that the danger resides in copycats who may create a better and faster spreading virus.

"Certainly if someone was to try and copycat this and was more successful, it would be a very bad thing," he said.

The worm can be deleted by deleting the C:\Program Files\Chode directory and the following three files:

C:\Windows\Start Menu\Startup\ashield.pif

C:\Windows\Start Menu\Startup\netstat.pif

C:\Windows\Start Menu\Startup\winsock.vbs

The worm has been dubbed BAT.Chode.Worm and BAT_Chode911 by anti-virus firms.

ZDNET
