Mailinglist Archive: opensuse (3104 mails)

< Previous Next >
[SLE] [Fwd: Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today]
  • From: reillyie@xxxxxxxx (Ian Reilly)
  • Date: Sat, 01 Apr 2000 16:35:40 -0500
  • Message-id: <38E66BAC.EF519094@xxxxxxxx>

Just received this from SANS and i figure enough of you are running win
boxs to warrant it. this is not a joke.
Just thought you should know!


-------- Original Message --------
Subject: Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today
Date: Sat, 1 Apr 2000 14:04:52 -0700 (MST)
From: The SANS Institute <sans@xxxxxxxx>
To: Ian Reilly (SD463120) <ian@xxxxxxxx>

To: Ian Reilly (SD463120)
From: The SANS Institute Research Office
Subj: Malicious 911 Virus Wipes Out Hard Drives of Internet Users

At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!)
the FBI announced it had discovered malicious code wiping out the data
hard drives and dialing 911. This is a vicious virus and needs to
be stopped quickly. That can only be done through wide-scale
individual action. Please forward this note to everyone who you
know who might be affected.

The FBI Advisory is posted at

The 911 virus is the first "Windows shares virus." Unlike recent
viruses that propagate though eMail, the 911 virus silently jumps
directly from machine to machine across the Internet by scanning
for, and exploiting, open Windows shares. After successfully
reproducing itself in other Internet-connected machines
(to assure its continued survival) it uses the machine's modem to
dial 911 and erases the local machine's hard drive. The virus is
operational; victims are already reporting wiped-out hard drives.
The virus was launched through AOL, AT&T, MCI, and NetZero in the
Houston area. The investigation points to relatively limited
distribution so far, but there are no walls in the Internet.

Action 1: Defense

Verify that your system and those of all your coworkers, friends, and
associates are not vulnerable by verifying that file sharing is
turned off.

* On a Windows 95/98 system, system-wide file sharing is managed by
selecting My Computer, Control Panel, Networks, and clicking on the
File and Print Sharing button. For folder-by-folder controls, you
can use Windows Explorer (Start, Programs, Windows Explorer) and
highlight a primary folder such as My Documents and then right mouse
click and select properties. There you will find a tab for sharing.

* On a Windows NT, check Control Panel, Server, Shares.

For an excellent way to instantly check system vulnerability, and for
detailed assistance in managing Windows file sharing, see: Shields
Up! A free service from Gibson Research (

Action 2: Forensics

If you find that you did have file sharing turned on, search your
hard drive for hidden directories named "chode", "foreskin", or
"dickhair" (we apologize for the indiscretion - but those are the
real directory names). These are HIDDEN directories, so you must
configure the Find command to show hidden directories. Under the
Windows Explorer menu choose View/Options: "Show All Files".

If you find those directories: remove them.

And, if you find them, and want help from law enforcement, call the
FBI National Infrastructure Protection Center (NIPC) Watch Office
at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary
job of getting data out early on this virus and deserves both kudos
and cooperation.

You can help the whole community by letting both the FBI and
SANS (intrusion@xxxxxxxx) know if you've been hit, so we can
monitor the spread of this virus.

Moving Forward

The virus detection companies received a copy of the code for the
911 Virus early this morning, so keep your virus signature files

We'll post new information at as it becomes available.

Prepared by:
Alan Paller, Reserach Director, The SANS Institute
Steve Gibson, President, Gibson Research Corporation
Stephen Northcutt, Director, Global Incident Analysis Center

To unsubscribe send e-mail to suse-linux-e-unsubscribe@xxxxxxxx
For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
Also check the FAQ at

< Previous Next >
Follow Ups