------- Blind-Carbon-Copy

X-Mailer: exmh version 2.0.3
Reply-to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Virus Alert
Date: Mon, 03 Apr 2000 10:11:31 -0400
From: Paul Lussier <[EMAIL PROTECTED]>

[Note, I have sent this to many different sites, not just the folks
here at Mission Critical Linux]

Hi all,

I have recently been made aware of a dangerous virus floating around
the internet which replicates itself via Windows Shares. It also takes
advantage of Internet connections and modems.

I have confirmed this news with both the FBI's NIPC (National
Infrastructure Protection Center) site, and the SANS (System
Administration and Network Security) site. This is a real alert, not a
hoax. You can confirm this news for yourself at the following web sites:

    http://www.nipc.gov/nipc/advis00-038.htm
    http://www.sans.org/giac.htm

Following is a forward of the bulletin that SANS sent out which includes
the proper defensive actions to take. Should you discover that you are a
victim of this attack, do not hesitate to let me (or your local systems
administrator) know.

Thanks,

Seeya,
Paul

> R U S H - K I L L E R V I R U S A L E R T!
>
> At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!)
> the FBI announced it had discovered malicious code wiping out the data
> on hard drives and dialing 911. This is a vicious virus and needs to
> be stopped quickly. That can only be done through wide-scale individual
> action. Please forward this note to everyone who you know who might
> be affected.
>
> The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm
>
> The 911 virus is the first "Windows shares virus." Unlike recent
> viruses that propagate through eMail, the 911 virus silently jumps
> directly from machine to machine across the Internet by scanning
> for, and exploiting, open Windows shares. After successfully
> reproducing itself in other Internet-connected machines
> (to assure its continued survival) it uses the machine's modem to
> dial 911 and erases the local machine's hard drive. The virus is
> operational; victims are already reporting wiped-out hard drives.
> The virus was launched through AOL, AT&T, MCI, and NetZero in the
> Houston area. The investigation points to relatively limited
> distribution so far, but there are no walls in the Internet.
>
> -----------------
> Action 1: Defense
> -----------------
> Verify that your system and those of all your coworkers, friends, and
> associates are not vulnerable by verifying that file sharing is
> turned off.
>
> * On a Windows 95/98 system, system-wide file sharing is managed by
>   selecting My Computer, Control Panel, Networks, and clicking on the
>   File and Print Sharing button. For folder-by-folder controls, you
>   can use Windows Explorer (Start, Programs, Windows Explorer) and
>   highlight a primary folder such as My Documents and then right mouse
>   click and select properties. There you will find a tab for sharing.
>
> * On a Windows NT, check Control Panel, Server, Shares.
>
> For an excellent way to instantly check system vulnerability, and for
> detailed assistance in managing Windows file sharing, see: Shields
> Up! A free service from Gibson Research (http://grc.com/)
>
> -------------------
> Action 2: Forensics
> -------------------
> If you find that you did have file sharing turned on, search your
> hard drive for hidden directories named "chode", "foreskin", or
> "dickhair" (we apologize for the indiscretion - but those are the
> real directory names). These are HIDDEN directories, so you must
> configure the Find command to show hidden directories. Under the
> Windows Explorer menu choose View/Options: "Show All Files".
>
> If you find those directories: remove them.
>
> And, if you find them, and want help from law enforcement, call the
> FBI National Infrastructure Protection Center (NIPC) Watch Office
> at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary
> job of getting data out early on this virus and deserves both kudos
> and cooperation.
>
> You can help the whole community by letting both the FBI and
> SANS ([EMAIL PROTECTED]) know if you've been hit, so we can
> monitor the spread of this virus.
>
> --------------
> Moving Forward
> --------------
> The virus detection companies received a copy of the code for the
> 911 Virus early this morning, so keep your virus signature files
> up-to-date. We'll post new information at www.sans.org as it
> becomes available.
>
> Prepared by:
> Alan Paller, Research Director, The SANS Institute
> Steve Gibson, President, Gibson Research Corporation
> Stephen Northcutt, Director, Global Incident Analysis Center

------- End of Blind-Carbon-Copy
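
The directory search described under "Action 2: Forensics" can be scripted so it does not depend on the Explorer "Show All Files" setting. This is an added example, not part of the original message or the SANS bulletin; it assumes a Python interpreter is available on the machine being checked, the function names are hypothetical, and it only reports matches without removing anything.

```python
import os
import stat
import tempfile

# Directory names from the alert's "Action 2: Forensics" step.
INDICATOR_DIRS = {"chode", "foreskin", "dickhair"}
# Windows hidden-attribute bit (value 2); fallback covers builds lacking the constant.
HIDDEN_BIT = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2)


def is_hidden(path):
    """True if the Windows hidden attribute is set; False on other platforms."""
    try:
        attrs = getattr(os.lstat(path), "st_file_attributes", 0)
    except OSError:
        return False
    return bool(attrs & HIDDEN_BIT)


def find_indicator_dirs(root):
    """Return (hits, unreadable): hits are (path, hidden) pairs under root."""
    hits, unreadable = [], []
    # os.walk lists hidden directories too, so no "Show All Files" step is needed.
    walker = os.walk(root, onerror=lambda err: unreadable.append(err.filename))
    for dirpath, dirnames, _files in walker:
        for name in dirnames:
            # Windows file names are case-insensitive, so compare in lower case.
            if name.lower() in INDICATOR_DIRS:
                full = os.path.join(dirpath, name)
                hits.append((full, is_hidden(full)))
    return sorted(hits), unreadable


def demo():
    """Scan a constructed sample tree (not real data) and return the hit names."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("WINDOWS/Chode", "My Documents/letters", "temp/DICKHAIR"):
            os.makedirs(os.path.join(root, rel))
        hits, _unreadable = find_indicator_dirs(root)
        return [os.path.relpath(path, root) for path, _hidden in hits]


if __name__ == "__main__":
    for rel in demo():
        print("indicator directory:", rel)
```

Directories that could not be read are returned in the second list so they can be checked by hand rather than being silently skipped.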