Virus Central - The Place for Virus Info
Bat/Firkin.Worm family (also known as 911)
The NIPC (U.S. National Infrastructure Protection Center, formed by the FBI) issued an advisory on the weekend concerning a family of batch worms that can propagate through Windows networks, erase hard drives and dial the 911 emergency line, possibly overloading the emergency response system. The advisory can be found at http://www.nipc.gov/nipc/advis00-038.htm

The Firkin family consists of several batch files, and three family members are known right now. Variants of the worm contain code to wait for the 19th day of a month and then delete the following directories: "c:\windows\*.*" "c:\windows\system\*.*" "c:\windows\command\*.*" "c:\*.*" and afterwards display the messages: "You Have Been Infected By Chode" "You may now turn this piece of s--t off!"

The worm may change the Autoexec.bat file to call the emergency number 911 on each system start using an attached modem. Additionally, it contains code to ping various servers on a random basis in a loop until an error occurs (.c variant).

The spreading function first searches for a suitable target and tries to map the "c" drive of the attacked computer to the local drive name "j". In order to propagate, the worm has to find a writeable C share that is not protected by a password. In general, Computer Associates recommends not sharing any drives or directories without assigning a password.

During the complete spreading process, the worm prints information about the system currently under attack and similar details, which are probably just debugging remnants. These messages are kept hidden from the user. If the attacked system does not have certain files or directories (e.g. the .c version looks for the file "c:\windows\win.com"), the worm quits the replication process. The worm checks for signs of infection by other worms or family members and acts depending on what it finds. If all spreading conditions are fulfilled, it copies itself using the ordinary copy operation.

Additionally, some variants overwrite the "autoexec.bat" file at random (e.g. with a chance of 1/6 based on a random value for the .c version) and insert code which formats, and performs other operations on, the following hard drives: C, D, E, F, G, H.

Update all your virus signatures!!!!
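The following Python scanner is an added example, not part of the original advisory or of any vendor's product. It flags batch-file lines that match the behaviours described above: formatting drives C to H, wiping the listed directories, the payload message, and any mention of 911. The regexes, the name scan_batch, the constructed sample and the file name dial.bat in it are assumptions of this example.

```python
import re

# Indicators come from the description above; the regexes are this example's
# assumptions about how such commands would appear in a batch file.
WIPE_TARGETS = {r"c:\windows\*.*", r"c:\windows\system\*.*",
                r"c:\windows\command\*.*", r"c:\*.*"}
MESSAGE = "you have been infected by chode"
FORMAT_RE = re.compile(r"\bformat(?:\.com)?\s+([c-h]):")
DELETE_RE = re.compile(r"^(?:del|erase|deltree)\b(.*)$")
NINE11_RE = re.compile(r"(?<!\d)911(?!\d)")

# Constructed sample for illustration; it is not a real worm body, and
# dial.bat is a hypothetical name.
SAMPLE = r"""@echo off
rem constructed sample
path c:\windows;c:\windows\command
del c:\temp\*.tmp
del c:\windows\command\*.*
format e:
echo You Have Been Infected By Chode
call dial.bat 911
"""

def scan_batch(text):
    """Return (line_number, rule, line) for every suspicious line."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        low = line.lower().lstrip("@").strip()
        if not low or low.startswith(("rem ", "::")):
            continue  # blank lines and comments never execute
        hit = FORMAT_RE.search(low)
        if hit:  # format of any drive C-H, even inside an echo
            findings.append((number, "format-" + hit.group(1), line))
        hit = DELETE_RE.match(low)
        if hit and WIPE_TARGETS & set(hit.group(1).replace('"', "").split()):
            findings.append((number, "wipe-listed-dir", line))
        if MESSAGE in low:
            findings.append((number, "payload-message", line))
        if NINE11_RE.search(low):  # review by hand: may be a modem dial
            findings.append((number, "mentions-911", line))
    return findings

if __name__ == "__main__":
    for finding in scan_batch(SAMPLE):
        print(finding)
```

A hit is a prompt for manual review of the file, not proof of infection; an up-to-date virus scanner remains the primary check.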
  © TekWarrior.com, To protect and inform the public. All rights Reserved