Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today <fwd>

Gibbs, S Julian s.julian.gibbs at VANDERBILT.EDU
Mon Apr 3 10:59:27 PDT 2000

Looks like we should get on this one FAST!!!

--- Begin Forwarded Message ---
Date: Mon, 3 Apr 2000 09:40:05 -0500 (Central Daylight Time)
From: Dave Palmer <dave.palmer at>
Subject: Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today <fwd>
Sender: owner-antivirus at
To: Antivirus List <antivirus at>

Reply-To: Dave Palmer <dave.palmer at>
Message-ID: <SIMEON.10004030905.A at>

Yet another reminder to enable ONLY those services you need, use all available
protection mechanisms (e.g., passwords, read-only access), use an anti-virus
scanning program, and keep that antivirus program up to date!


--- Begin Forwarded Message ---
Date: Sat, 1 Apr 2000 14:51:09 -0700 (MST)
From: The SANS Institute <sans at>
Subject: Virus Alert: FBI Finds 911 Virus Wiping Out Hard Drives Today
Sender: The SANS Institute <sans at>

Reply-To: The SANS Institute <sans at>
Message-ID: <2000040125229.QDO92911 at server1.SANS.ORG>

From: The SANS Institute Research Office
Subj: Malicious 911 Virus Wipes Out Hard Drives of Internet Users

At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!)
the FBI announced it had discovered malicious code wiping out the data on
hard drives and dialing 911.  This is a vicious virus and needs to
be stopped quickly. That can only be done through wide-scale
individual action.  Please forward this note to everyone who you
know who might be affected.

The FBI Advisory is posted at

The 911 virus is the first "Windows shares virus." Unlike recent
viruses that propagate through eMail, the 911 virus silently jumps
directly from machine to machine across the Internet by scanning
for, and exploiting, open Windows shares. After successfully
reproducing itself in other Internet-connected machines
(to assure its continued survival) it uses the machine's modem to
dial 911 and erases the local machine's hard drive. The virus is
operational; victims are already reporting wiped-out hard drives.
The virus was launched through AOL, AT&T, MCI, and NetZero in the
Houston area.  The investigation points to relatively limited
distribution so far, but there are no walls in the Internet.

Action 1: Defense

Verify that your system and those of all your coworkers, friends, and
associates are not vulnerable by verifying that file sharing is
turned off.

* On a Windows 95/98 system, system-wide file sharing is managed by
selecting My Computer, Control Panel, Networks, and clicking on the
File and Print Sharing button.  For folder-by-folder controls, you
can use Windows Explorer (Start, Programs, Windows Explorer) and
highlight a primary folder such as My Documents and then right mouse
click and select properties.  There you will find a tab for sharing.

* On a Windows NT system, check Control Panel, Server, Shares.

For an excellent way to instantly check system vulnerability, and for
detailed assistance in managing Windows file sharing, see: Shields
Up! A free service from Gibson Research (

Action 2: Forensics

If you find that you did have file sharing turned on, search your
hard drive for hidden directories named "chode", "foreskin", or
"dickhair" (we apologize for the indiscretion - but those are the
real directory names). These are HIDDEN directories, so you must
configure the Find command to show hidden directories. Under the
Windows Explorer menu choose View/Options: "Show All Files".

If you find those directories: remove them.

And, if you find them, and want help from law enforcement, call the
FBI National Infrastructure Protection Center (NIPC) Watch Office
at 202-323-3204/3205/3206.  The FBI/NIPC has done an extraordinary
job of getting data out early on this virus and deserves both kudos
and cooperation.

You can help the whole community by letting both the FBI and
SANS (intrusion at know if you've been hit, so we can
monitor the spread of this virus.

Moving Forward

The virus detection companies received a copy of the code for the
911 Virus early this morning, so keep your virus signature files

We'll post new information at as it becomes available.

Prepared by:
Alan Paller, Research Director, The SANS Institute
Steve Gibson, President, Gibson Research Corporation
Stephen Northcutt, Director, Global Incident Analysis Center

--- End Forwarded Message ---

...Dave Palmer, Academic Computing     dave.palmer at
      & Information Services
   Vanderbilt University               Phone : 1-615-343-1604
   143 Hill Ctr./PD Box 34             FAX   : 1-615-343-1605
   Nashville, TN  37240    USA

--- End Forwarded Message ---

S. Julian Gibbs, DDS, PhD               Voice: 615-322-3190
Professor of Radiology                    FAX: 615-322-3764
Dept. of Radiology & Radiological Sciences
Vanderbilt University Medical Center
Nashville TN 37232-2670        Email:j.gibbs at
"Under democracy one party always devotes its chief energies
to trying to prove that the other party is unfit to
rule -- and both commonly succeed, and are right."
                -- H. L. Mencken (1880-1956)
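
The directory search described under "Action 2: Forensics" in the forwarded alert, as an added example that is not part of the original messages: a Python sweep that reports, without deleting anything, directories whose names match the three listed in the alert, whether or not they carry the Windows hidden attribute. The function names and the constructed sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Directory names listed in the forwarded alert (Action 2: Forensics).
INDICATOR_DIRS = {"chode", "foreskin", "dickhair"}


def is_hidden(path):
    """True if the Windows HIDDEN attribute is set (always False elsewhere)."""
    attrs = getattr(os.lstat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_indicator_dirs(root):
    """Return (hits, errors): hits is [(path, hidden)] for matching directories,
    errors lists directories that could not be read during the sweep."""
    hits, errors = [], []
    # os.walk enumerates hidden directories too (no "Show All Files" setting
    # is involved) and does not follow symlinked directories by default.
    for dirpath, dirnames, _files in os.walk(root, onerror=errors.append):
        for name in dirnames:
            # Windows file systems compare names case-insensitively.
            if name.lower() in INDICATOR_DIRS:
                full = os.path.join(dirpath, name)
                hits.append((full, is_hidden(full)))
    return hits, errors


def demo():
    """Run the sweep over a constructed sample tree (not real host data)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS", "CHODE"))
        os.makedirs(os.path.join(root, "My Documents", "chodes"))  # near miss
        os.makedirs(os.path.join(root, "Program Files", "dickhair"))
        hits, errors = find_indicator_dirs(root)
        return sorted(os.path.basename(p) for p, _hidden in hits), len(errors)


if __name__ == "__main__":
    names, unreadable = demo()
    print("matching directories:", names)
    print("unreadable directories:", unreadable)
```

To sweep a real drive, call `find_indicator_dirs` with its root (for example `C:\\`) and review the `errors` list, since an unreadable directory is one that was not checked.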
