------- Blind-Carbon-Copy
X-Mailer: exmh version 2.0.3
Reply-to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Virus Alert
Date: Mon, 03 Apr 2000 10:11:31 -0400
From: Paul Lussier <[EMAIL PROTECTED]>
[Note, I have sent this to many different sites, not just the folks here at
Mission Critical Linux ]
Hi all,
I have recently been made aware of a dangerous virus floating around the
internet which replicates itself via Windows Shares. It also takes advantage
of Internet connections and modems. I have confirmed this news with both the
FBI's NIPC (National Infrastructure Protection Center) site, and the
SANS (System Administration and Network Security) site. This is a real alert,
not a hoax. You can confirm this news for yourself at the following web sites:
http://www.nipc.gov/nipc/advis00-038.htm
http://www.sans.org/giac.htm
Following is a forward of the bulletin that SANS sent out which includes the
proper defensive actions to take. Should you discover that you are a victim
of this attack, do not hesitate to let me (or your local systems
administrator) know.
Thanks,
Seeya,
Paul
> R U S H - K I L L E R V I R U S A L E R T!
>
> At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!)
> the FBI announced it had discovered malicious code wiping out the data
> on hard drives and dialing 911. This is a vicious virus and needs to
> be stopped quickly. That can only be done through wide-scale individual
> action. Please forward this note to everyone who you know who might
> be affected.
>
> The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm
>
> The 911 virus is the first "Windows shares virus." Unlike recent
> viruses that propagate though eMail, the 911 virus silently jumps
> directly from machine to machine across the Internet by scanning
> for, and exploiting, open Windows shares. After successfully
> reproducing itself in other Internet-connected machines
> (to assure its continued survival) it uses the machine's modem to
> dial 911 and erases the local machine's hard drive. The virus is
> operational; victims are already reporting wiped-out hard drives.
> The virus was launched through AOL, AT&T, MCI, and NetZero in the
> Houston area. The investigation points to relatively limited
> distribution so far, but there are no walls in the Internet.
>
> -----------------
> Action 1: Defense
> -----------------
> Verify that your system and those of all your coworkers, friends, and
> associates are not vulnerable by verifying that file sharing is
> turned off.
>
> * On a Windows 95/98 system, system-wide file sharing is managed by
> selecting My Computer, Control Panel, Networks, and clicking on the
> File and Print Sharing button. For folder-by-folder controls, you
> can use Windows Explorer (Start, Programs, Windows Explorer) and
> highlight a primary folder such as My Documents and then right mouse
> click and select properties. There you will find a tab for sharing.
>
> * On a Windows NT, check Control Panel, Server, Shares.
>
> For an excellent way to instantly check system vulnerability, and for
> detailed assistance in managing Windows file sharing, see: Shields
> Up! A free service from Gibson Research (http://grc.com/)
>
> -------------------
> Action 2: Forensics
> -------------------
> If you find that you did have file sharing turned on, search your
> hard drive for hidden directories named "chode", "foreskin", or
> "dickhair" (we apologize for the indiscretion - but those are the
> real directory names). These are HIDDEN directories, so you must
> configure the Find command to show hidden directories. Under the
> Windows Explorer menu choose View/Options: "Show All Files".
>
> If you find those directories: remove them.
>
> And, if you find them, and want help from law enforcement, call the
> FBI National Infrastructure Protection Center (NIPC) Watch Office
> at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary
> job of getting data out early on this virus and deserves both kudos
> and cooperation.
>
> You can help the whole community by letting both the FBI and
> SANS ([EMAIL PROTECTED]) know if you've been hit, so we can
> monitor the spread of this virus.
>
> --------------
> Moving Forward
> --------------
> The virus detection companies received a copy of the code for the
> 911 Virus early this morning, so keep your virus signature files
> up-to-date. We'll post new information at www.sans.org as it
> becomes available.
>
> Prepared by:
> Alan Paller, Research Director, The SANS Institute
> Steve Gibson, President, Gibson Research Corporation
> Stephen Northcutt, Director, Global Incident Analysis Center
------- End of Blind-Carbon-Copy
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
