
Another real virus. Seems to affect all with W95 and later




This press release comes from F-Secure. For more
information on F-Secure's mailing list policy,
see end of message.


Press release

F-SECURE CORPORATION SOLVED THE MYSTERY 911-CALLING INTERNET WORM

Firkin worm spreads to Internet-connected PCs

Espoo, Finland, April 2, 2000 - F-Secure Corporation, a leading provider
of centrally-managed, widely distributed security solutions, has analysed
a new internet worm known as Firkin or Chode. This worm attempts to cause
a denial-of-service attack against the 911 emergency hotline. F-Secure 
Anti-Virus detects and disinfects the worm.

Firkin is a family of closely-related internet worms. They have been
written entirely in the simple DOS batch language. These worms replicate
further over the internet, infecting Windows-based computers which have
their hard drive shared to the world. Many users accidentally share
their whole hard drive and when they connect to the internet, anybody
can access it. The worm uses this vulnerability to spread further.

When the Firkin worm is started, it searches a wide range of machines
connected to the Internet. The search is targeted at computers using
some of the largest ISPs (Internet Service Providers) in the world,
including AT&T, America Online, MCI and Earthlink.

The worm scans every machine to find one which has shared its hard
drive. When such a system is found, the worm copies itself to the
target computer and modifies its system in such a way that the worm is 
executed the next time the system is booted.

At this time, the virus might add a routine that calls the 911
emergency number using a modem every time the infected system is
booted. This routine is injected into the host system at random and
is not present in every infected computer.

The result of this routine is that every time such a system is
restarted, the computer silently dials a normal phone call to 911.
Since it is standard procedure in many locations for the emergency
services to dispatch a unit to the location of an incoming 911 call,
the results can be quite serious, possibly causing delays in
responding to real calls.

Depending on the exact variant of the worm, it might also attempt
to delete all files from several directories on the computer and
display messages on screen. The deletion of files is programmed to
happen on the 19th of every month.

The worm code contains several text strings, including:

     fOREsKIN sElf rEPlIcAToR vERSION 1.07c final CHAoS
     (C) 2000 EMD LABS INC rAndOm dEvIStAtOr
     nOt pErFECt, bUt iT sERvES iTS pUrPosE....bAtCh fIlE pROgRAMmINg

The FBI discovered one variant of this worm during a 'recent and
breaking' case.

"This is a serious denial-of-service attack against the 911 emergency
system," comments Mikko Hypponen, Manager of Anti-Virus Research at
F-Secure Corporation. "The only bright side to the situation is that
this worm is unlikely to cause damage outside North America". The
ISPs the worm is attacking operate mainly in the USA, and 911
is used as an emergency number primarily in North America.

Infected systems can easily be spotted by checking whether the
"C:\Program Files" folder contains a new hidden folder called either
"Chode", "Foreskin" or "Dickhair". To see hidden folders with Windows
Explorer, turn on the "Show all files" setting from Explorer options.

F-Secure Anti-Virus can be used to detect and disinfect this worm.
Free evaluation copies of F-Secure Anti-Virus are available at:
http://www.F-Secure.com/download-purchase/

Further technical information on the Firkin worm is available at:
http://www.F-Secure.com/virus-info/

About F-Secure Corporation

F-Secure Corporation  is a leading developer of centrally managed, widely
distributed security solutions. The company offers a full range of
award-winning, integrated anti-virus, file encryption and VPN solutions for
workstations, servers and gateways. F-Secure Corporation  products and
Framework are uniquely suited for delivery of Security as a Service™ by
enterprise IT departments as well as a wide range of partners including
ISPs, outsourcing firms and ASPs. For the end-user, Security as a Service
is invisible, automatic, reliable, always-on, and up-to-date. For the
administrator, Security as a Service means policy-based management, instant
alerts, and centralized management of a widely-distributed user base.

Founded in 1988, F-Secure Corporation is listed on the Helsinki Stock
Exchange (HEX: FSC). The company is headquartered in Espoo, Finland with
North American headquarters in San Jose, California, as well as offices in
Canada, Germany, China, France, Japan and the United Kingdom. F-Secure
Corporation is supported by a network of VARs and Distributors in over 90
countries around the globe.

For more information, please contact

Finland:
F-Secure Corporation
Mr. Mikko Hyppönen, Manager, Anti-Virus Research.
PL 24
FIN-02231 ESPOO
Tel +358 9 8599 0513
Fax +358 9 8599 0599
E-mail: Mikko.Hypponen@xxxxxxxxxxxx

USA:
F-Secure Inc.
Mr. Dan Takata, Manager, Training Division, Professional Services
675 N. First Street, 8th Floor
San Jose, CA 95112
Tel. +1 408 938 6700,
Fax  +1 408 938 6701
e-mail Dan.Takata@xxxxxxxxxxxx

http://www.F-Secure.com/

Mailing list policy

You have previously expressed interest in our products, or have asked
to be included on one of our press release lists by personally giving us
your e-mail address for this purpose. Our mailing lists are for the
exclusive use and the expressed purpose of F-Secure and are not
sold or given to third parties.

If you no longer wish to receive our press releases, or your email address
has been added to our lists without your consent, you can unsubscribe at
http://www.F-Secure.com/news/subscribe.html

If you only wish to receive our press releases concerning viruses,
please go to
http://www.F-Secure.com/news/subscribe.html
and first unsubscribe from
press-english-interest@xxxxxxxxxxxxxxxxxx
and then subscribe to
press-english-virus-announcement@xxxxxxxxxxxxxxxxxx
________________________________________________

  Marita Nasman-Repo             tel:    +358 9 8599 0613
  Communicator           fax :   +358 9 8599 0599
                                 mobile: +358 40 517 4613

  F-Secure Corporation   http://www.F-Secure.com

  F-Secure products: Security for the mobile, distributed enterprise
__________________________________________________
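
The folder check described in the release (a hidden folder named "Chode", "Foreskin" or "Dickhair" under "C:\Program Files"), written as an added example that is not part of the press release or of F-Secure's tooling. It lists the directory through the OS API, which returns hidden entries regardless of Explorer's view setting; the function names, and the choice to report the hidden attribute rather than require it, are assumptions of this example.

```python
import os
import stat
import tempfile

# Folder names the press release gives as signs of a Firkin infection.
FIRKIN_FOLDERS = {"chode", "foreskin", "dickhair"}


def is_hidden(path):
    """Return True if the Windows 'hidden' attribute is set on path.

    st_file_attributes only exists on Windows; elsewhere this returns False.
    """
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2))


def find_firkin_folders(program_files):
    """Return sorted (folder_name, hidden) pairs for matching subfolders.

    Matching is case-insensitive because Windows folder names are.
    Plain files with a matching name are ignored: the release names folders.
    """
    hits = []
    try:
        entries = list(os.scandir(program_files))
    except OSError:
        return hits  # directory missing or unreadable: nothing to report
    for entry in entries:
        if not entry.is_dir(follow_symlinks=False):
            continue
        if entry.name.lower() in FIRKIN_FOLDERS:
            hits.append((entry.name, is_hidden(entry.path)))
    return sorted(hits)


def demo():
    """Run the check on a constructed directory tree (sample data, not real)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("Accessories", "CHODE", "Foreskin"):
            os.mkdir(os.path.join(root, name))
        open(os.path.join(root, "dickhair"), "w").close()  # a file, not a folder
        return [name for name, _hidden in find_firkin_folders(root)]


if __name__ == "__main__":
    for name, hidden in find_firkin_folders(r"C:\Program Files"):
        print(f"suspicious folder: {name} (hidden attribute set: {hidden})")
```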