FYI: followup on 911 "share" virus.

David Collier-Brown - Sun Canada davecb at
Fri Apr 7 11:25:39 GMT 2000

The SANS Institute <sans at> wrote:
| This week saw many immediate alerts (including those from SANS and NIPC)
| about the "911" virus. Symantec has dubbed it "BAT.Chode.Worm." The
| virus is actually a set of batch files; its propagation method is
| similar to "net use /yes j: \\RANDOM-IP" and it attempts to find
| nonpassword protected shares on a system (presumably Microsoft Windows
| 95/98). The actual modem interaction portion is due to a "echo A | echo
| ATDT 911 | COM2" type of command. Note that there seems to be at least
| three variants of this virus. More information can be found at:

David Collier-Brown in Boston
Phone: (781) 442-0734, Room BUR03-3632

More information about the samba mailing list