The FBI's NIPC (National Infrastructure Protection Center) division announced a virus that is causing problems in the Houston, TX area. This latest propagator of malicious logic can not only format your hard drives; it can call for help too.
The Perpetrator
BAT.chode.worm is a self-propagating script that "actively searches the Internet for computer systems set up for file and print sharing and copies itself to these systems," according to a representative of the NIPC. A user doesn't need to execute a file or read an e-mail to become infected; it spreads via unrestricted network shares.
The worm is a member of the Firkin.Worm family and goes under several aliases: Chode, Foreskin, BAT911. It can spread through Windows networks, erase hard drives and dial 911. NIPC has informed us that by dialing 911 and giving a "false positive," the virus can cause police officers to make unnecessary visits to the home where the call originated. The virus also has the potential to overload the emergency response system, leading to denial of service to legitimate emergency calls.
The virus spreads by searching for a viable host and then mapping the "C" drive of the attacked computer to a local drive called "J". The host computer must have file and print sharing enabled to be attacked. Once a computer is infected, the worm makes the following changes:
- 1 in 5 chance it will use the autoexec.bat file to place a call to 911
- A new file (asheild.pif) is placed in the Startup group to mask the worm during booting
- Netstat.pif is added to hide the scanning utility used by the worm
- The worm logs its infection in C:\program files\chode\chode.txt
- Winsock.vbs file is added
Strains of the virus contain scripts that can render your computer useless. The payload is delivered in the winsock.vbs file. The "logic bomb" portion of the worm contains code that waits until the 19th of the month and then deletes the following directories:
- C:\windows\*.*
- C:\windows\system\*.*
- C:\windows\command\*.*
- C:\*.*
The worm may also change the autoexec.bat file to call 911 with your modem every time your system starts.
Signs of infection include the addition of the above-mentioned files to your hard drive, loss of data in the C:\windows and C:\ directories, and a message being displayed that reads "You have been infected by chode. You may now turn this piece of s-t off." Depending on the variation of the virus, the message may also read "You have been sLamMeD By fOREsKIN mOThERfU-ER."
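The files and changes listed above can be checked for mechanically. The following Python script is an added example, not part of the NIPC announcement or this article: it walks a drive or mounted disk image for the file names the article lists. The 911 pattern used for autoexec.bat and the folder layout of the constructed sample are assumptions.

```python
import os
import re
import tempfile

# File names from the article's list, compared in lower case because the
# affected Windows file systems ignore case.
INDICATOR_FILES = {"asheild.pif", "netstat.pif", "winsock.vbs"}
LOG_PATH = ("program files", "chode", "chode.txt")  # worm's infection log
# Assumption: a dial-out line added to autoexec.bat contains the digits 911.
DIAL_PATTERN = re.compile(r"(?<!\d)911(?!\d)")

def scan(root):
    """Return sorted (indicator, path) findings for the tree under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.lower().split(os.sep)
        for name in files:
            low, full = name.lower(), os.path.join(dirpath, name)
            if low in INDICATOR_FILES:
                findings.append((low, full))
            elif tuple(parts + [low]) == LOG_PATH:
                findings.append(("infection log", full))
            elif not parts and low == "autoexec.bat":
                with open(full, errors="replace") as fh:
                    if any(DIAL_PATTERN.search(line) for line in fh):
                        findings.append(("autoexec.bat mentions 911", full))
    return sorted(findings)

def build_sample(root, infected):
    """Write a constructed drive layout; file locations are made up."""
    planted = [("Program Files", "Chode", "chode.txt"),
               ("WINDOWS", "Winsock.vbs"), ("WINDOWS", "Netstat.pif")]
    os.makedirs(os.path.join(root, "WINDOWS"))
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("@echo off\n" + ("rem placeholder: dial 911\n" if infected else ""))
    for rel in planted if infected else []:
        os.makedirs(os.path.join(root, *rel[:-1]), exist_ok=True)
        open(os.path.join(root, *rel), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, infected=True)
        for indicator, path in scan(tmp):
            print(f"{indicator:28} {path}")
```

To check a real system, pass the drive root or the mount point of a disk image to `scan()`; any finding from the autoexec.bat heuristic needs a manual look at the matching line.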
Actions to Take
To prevent an infection, disable file and print sharing on your computer. While this is not a viable solution on most systems, you could password protect write access to your drives. This would prevent the worm from writing itself to your drive and all attacks would be ineffective.
As always, prevention is the best method of dealing with viruses. Never open files from unknown sources. Scan all attachments with anti-virus software, regardless of the source. Update your anti-virus software regularly.











