SAN INstitute "911 virus" (using SMB)

David Collier-Brown - Sun Canada davecb at
Sun Apr 2 20:33:39 GMT 2000

I verified this is from SANS, and there is a FBI advisory --dave
------------- Begin Forwarded Message -------------

From: The SANS Institute <sans at>
Subject: Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today
To: David Collier-Brown (SD143961) <davecb at>

To:   David Collier-Brown (SD143961)
From: The SANS Institute Research Office
Subj: Malicious 911 Virus Wipes Out Hard Drives of Internet Users 

At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!)
the FBI announced it had discovered malicious code wiping out the data on
hard drives and dialing 911.  This is a vicious virus and needs to
be stopped quickly. That can only be done through wide-scale 
individual action.  Please forward this note to everyone who you 
know who might be affected.

The FBI Advisory is posted at

The 911 virus is the first "Windows shares virus." Unlike recent 
viruses that propagate though eMail, the 911 virus silently jumps 
directly from machine to machine across the Internet by scanning 
for, and exploiting, open Windows shares. After successfully 
reproducing itself in other Internet-connected machines
(to assure its continued survival) it uses the machine's modem to
dial 911 and erases the local machine's hard drive. The virus is
operational; victims are already reporting wiped-out hard drives.
The virus was launched through AOL, AT&T, MCI, and NetZero in the
Houston area.  The investigation points to relatively limited
distribution so far, but there are no walls in the Internet.

Action 1: Defense

Verify that your system and those of all your coworkers, friends, and
associates are not vulnerable by verifying that file sharing is
turned off.

* On a Windows 95/98 system, system-wide file sharing is managed by
selecting My Computer, Control Panel, Networks, and clicking on the
File and Print Sharing button.  For folder-by-folder controls, you
can use Windows Explorer (Start, Programs, Windows Explorer) and
highlight a primary folder such as My Documents and then right mouse
click and select properties.  There you will find a tab for sharing.

* On a Windows NT, check Control Panel, Server, Shares.

For an excellent way to instantly check system vulnerability, and for
detailed assistance in managing Windows file sharing, see: Shields
Up! A free service from Gibson Research (

Action 2: Forensics

If you find that you did have file sharing turned on, search your
hard drive for hidden directories named "chode", "foreskin", or
"dickhair" (we apologize for the indiscretion - but those are the
real directory names). These are HIDDEN directories, so you must
configure the Find command to show hidden directories. Under the
Windows Explorer menu choose View/Options: "Show All Files".

If you find those directories: remove them.

And, if you find them, and want help from law enforcement, call the 
FBI National Infrastructure Protection Center (NIPC) Watch Office 
at 202-323-3204/3205/3206.  The FBI/NIPC has done an extraordinary 
job of getting data out early on this virus and deserves both kudos 
and cooperation.

You can help the whole community by letting both the FBI and 
SANS (intrusion at know if you've been hit, so we can 
monitor the spread of this virus.

Moving Forward

The virus detection companies received a copy of the code for the
911 Virus early this morning, so keep your virus signature files

We'll post new information at as it becomes available.

Prepared by:
Alan Paller, Research Director, The SANS Institute
Steve Gibson, President, Gibson Research Corporation
Stephen Northcutt, Director, Global Incident Analysis Center

------------- End Forwarded Message -------------

More information about the samba mailing list