DonkBoy Internet
Home of the famous
Information Archives.
"For the curious"

Also known as Chode, Foreskin and BAT911.

This worm uses multiple BAT files and some system programs to spread itself to shared drives on known ISPs.  It scans the following ISPs for open file shares:

att.net (ATT Worldnet)
bellsouth.net (BellSouth Net)
level3.net (Level3 Net)
aol.com (America Online)
mindspring.com (Mindspring)
earthlink.net (Earthlink)
air.on.ca (Air.Internet in Canada)
psi.net (PSInet)

Obviously, it wouldn't be too difficult to modify this worm to scan other IP ranges for shares.

It appears that the worm will only work on Win9x, DOS and Win 3.x boxes, and not on NT or Win2K. From reading the technical details at http://www.symantec.com/avcenter/venc/data/bat.chode.worm.html (might get wrapped), the worm relies on autoexec.bat, win.com and winsock.vbs in order to run. Again, it is probably possible to modify this worm to affect NT/Win2K.

Attached is the advisory from nipc.gov. SANS also posted a warning on April 1, 2000. But I think a lot of us wrote it off as an April Fools' joke. This one isn't a joke.

I am currently attempting to get hold of this worm to analyse the code in my lab and, if further information is found, I will post it to the list.

In order for the worm to dial 911, it adds entries to the system's AUTOEXEC.BAT, basically a script that sends the command to your COM port. So, in the NT/Win2000 world, this would not work.

The internet scanning/spreading part of the worm would be effective under NT as long as it is able to find open shares on NT boxes. When I say open, I mean that the share must be writeable by an anonymous user.

The file deletion part of the worm would also not affect NT/Win2000 because the worm attempts to delete

C:\Windows
C:\Windows\Command
C:\Windows\System

Default NT installs in the \WINNT directory.

The worm does, however, attempt to delete C:\ which of course will affect NT/Win2K provided your file permissions allow it. From the information I have seen, when the VBS script attempts to delete only files in the above listed directories, it does not touch the directories themselves. So, again, in the NT world, while you would have a pretty little error message when you reboot, it's not difficult to recover from.


Personally, for NT/Win2000 boxes I consider this to be a low-risk virus. Yes, I have updated virus signature files, but no, I didn't lose any sleep over this one.

I have seen multiple alerts from different organizations and I think a lot of them are hyping this more than they should. If you have a Win9x box, be concerned. If you are running NT/Win2K, double check your file permissions so you are not contributing to the spread of this worm.

http://www.nipc.gov/nipc/advis00-038.htm
------------------------
SUBJECT: NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM
ADVISORY (NIPC ADVISORY 00-038); SELF-PROPAGATING 911 SCRIPT

1. A RECENT AND BREAKING FBI CASE HAS REVEALED THE CREATION AND
DISSEMINATION OF A SELF-PROPAGATING SCRIPT THAT CAN ERASE HARD DRIVES AND
DIAL-UP 911 EMERGENCY SYSTEMS. WHILE INVESTIGATION AND TECHNICAL ANALYSIS
CONTINUE, THE SCRIPT APPEARS TO INCLUDE THE FOLLOWING CHARACTERISTICS:

A. ACTIVELY SEARCH THE INTERNET FOR COMPUTER SYSTEMS SET UP FOR FILE AND
PRINT SHARING AND COPY ITSELF ON TO THESE SYSTEMS.

B. OVERWRITE VICTIM HARD DRIVES.

C. CAUSE VICTIM SYSTEMS TO DIAL 911 (POSSIBLY CAUSING EMERGENCY AUTHORITIES
TO CHECK OUT SUBSTANTIAL NUMBERS OF "FALSE POSITIVE" CALLS).

2. TO THIS POINT CASE INFORMATION AND KNOWN VICTIMS SUGGEST A RELATIVELY
LIMITED DISSEMINATION OF THIS SCRIPT IN THE HOUSTON, TEXAS AREA, THROUGH
SOURCE COMPUTERS THAT SCANNED SEVERAL THOUSAND COMPUTERS THROUGH FOUR
INTERNET SERVICE PROVIDERS (AMERICA ON-LINE, AT&T, MCI, AND NETZERO).
DISSEMINATED SCRIPT MAY BE PLACED IN HIDDEN DIRECTORIES NAMED CHODE,
FORESKIN OR DICKHAIR. FURTHER SCRIPT ANALYSIS BY THE FBI/NIPC CONTINUES.

3. FBI/NIPC REQUESTS RECIPIENTS IMMEDIATELY REPORT INFORMATION RELATING TO
USE OF THIS SCRIPT TO THE LOCAL FBI OR FBI/NIPC WATCH AT
202-323-3204/3205/3206. AS MORE TECHNICAL OR OPERATIONAL INFORMATION ABOUT
THIS SCRIPT DEVELOPS, NIPC WILL DISSEMINATE THIS INFORMATION THROUGH THE
CARNEGIE MELLON CERT, ANTIVIRUS VENDORS OR ITS OWN WEB SITE (www.nipc.gov),
AS APPROPRIATE.

Info and IP Addresses as per Trend Micro:

BAT_CHODE911 does not use email to spread itself. This Trojan worm uses
several batch files (*.BAT) to spread via the Internet. It searches for an
accessible subnet on several ISPs to find accessible shared drives and maps
them in order to copy itself onto them. It looks for IP addresses that start
with the following:
206.XXX.YYY.ZZZ
209.XXX.YYY.ZZZ
200.XXX.YYY.ZZZ
199.XXX.YYY.ZZZ
216.XXX.YYY.ZZZ
208.XXX.YYY.ZZZ
165.XXX.YYY.ZZZ
205.XXX.YYY.ZZZ
171.XXX.YYY.ZZZ
12.73.YYY.ZZZ
The worm scans the subnet starting from xxx.244.100.100 up to
xxx.255.255.255 (XXX.YYY.ZZZ) to look for an accessible shared drive. If it
cannot find an accessible shared drive, it repeats the scanning of subnets.
Once it finds an accessible shared drive, it first checks whether this shared
drive is drive C:. If it is drive C:, it maps this shared drive as drive J:.
After mapping it, the worm checks for previous infection on the said drive.
If the drive is already infected, it starts all over again from the start
using other subnets. Otherwise, if the drive is not yet infected, the worm
checks whether the drive is shared with write access; if it is, the worm
copies itself onto the shared drive.
The worm creates a hidden folder C:\Progra~1\Foreskin and copies all of its
accompanying files into it. The files ashield.pif, netstat.pif and
winsock.vbs are then copied into the StartUp program folder of the infected
machine so that the worm is executed automatically upon start-up. The file
winsock.vbs contains the payload, which deletes files from the following
folders on the 19th day of the month:
C:\Windows
C:\Windows\System
C:\Windows\Command
C:\
It then displays two message boxes containing the text:
You Have Been Infected By Chode
You may now turn this piece of shit off!
One time in five, the worm modifies AUTOEXEC.BAT and adds a line that
dials the number 911 using the modem. This is done through the
computer's COM ports.
It then formats drives D:, E:, F:, G: and H:, and displays the following
text before formatting drive C:
"You have been slammed by foreskin mOThERfUCKER"
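
The indicators above (the Trend Micro scan ranges, the three StartUp drop files, the hidden CHODE/FORESKIN/DICKHAIR folders, and the AUTOEXEC.BAT line that pushes a dial command to a COM port) can be turned into a simple host and firewall-log triage check. The following is an added example written for this page; it is not code from the original post, from NIPC or from Trend Micro. The snapshot layout, the sample snapshots and the exact form of the 911 dial line are assumptions made for the example (the page says the worm adds a line that sends a dial command to the COM port but does not quote it), and the handling of the two-octet 12.73 prefix is likewise an assumption because the page does not say how that prefix is narrowed.

```python
"""Indicator checks for the BAT.Chode / 911 worm described on this page.

Added example; not code from the original post, NIPC or Trend Micro.
Everything marked 'assumption' or 'constructed' is not taken from the page.
"""
import ipaddress
import re

# Prefixes the worm scans, as listed by Trend Micro on this page.
SCAN_PREFIXES = ["206", "209", "200", "199", "216", "208", "165", "205", "171", "12.73"]

# Trend Micro: scanning runs "from xxx.244.100.100 up to xxx.255.255.255".
# Applied here to each one-octet prefix. Assumption: the page does not say how the
# two-octet prefix 12.73 is narrowed, so all of 12.73.0.0/16 is treated as scanned.
SCAN_START_LAST3 = (244, 100, 100)


def in_scan_range(ip: str) -> bool:
    """True if ip falls inside the ranges the worm enumerates for open shares."""
    octets = tuple(ipaddress.IPv4Address(ip).packed)
    for prefix in SCAN_PREFIXES:
        parts = tuple(int(p) for p in prefix.split("."))
        if octets[: len(parts)] != parts:
            continue
        if len(parts) == 2:
            return True  # 12.73.x.x, see assumption above
        return octets[1:] >= SCAN_START_LAST3
    return False


# Drop locations quoted on this page (NIPC advisory and Trend Micro write-up).
STARTUP_DROPS = {"ashield.pif", "netstat.pif", "winsock.vbs"}
HIDDEN_DIRS = {"chode", "foreskin", "dickhair"}

# Assumption: the page says AUTOEXEC.BAT gets a line that sends a dial command to a
# COM port but does not quote it, so any line that names a COM port together with a
# Hayes dial command (ATD...) or the digits 911 is treated as the 911 dialer.
COM_PORT = re.compile(r"(?i)\bcom[1-4]\b")
DIAL_CMD = re.compile(r"(?i)\batd[tp]?\s*\+?911\b|\b911\b")


def is_dial_911_line(line: str) -> bool:
    """True if a batch line both names a COM port and carries a 911 dial command."""
    return bool(COM_PORT.search(line) and DIAL_CMD.search(line))


def check_host(snapshot: dict) -> list:
    r"""Return the worm indicators present in a host snapshot.

    Snapshot layout (assumed for this example, not a real inventory format):
      "autoexec"      text of C:\AUTOEXEC.BAT
      "startup_files" file names in the StartUp program folder
      "hidden_dirs"   names of hidden folders under C:\Program Files
    """
    hits = []
    for line in snapshot.get("autoexec", "").splitlines():
        if is_dial_911_line(line):
            hits.append("autoexec dials 911 via COM port: " + line.strip())
    present = STARTUP_DROPS & {f.lower() for f in snapshot.get("startup_files", [])}
    hits.extend("startup drop: " + name for name in sorted(present))
    present = HIDDEN_DIRS & {d.lower() for d in snapshot.get("hidden_dirs", [])}
    hits.extend("hidden worm folder: " + name for name in sorted(present))
    return hits


# Constructed sample snapshots (not captured from real machines).
INFECTED = {
    "autoexec": "@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\necho atdt911 > com1\n",
    "startup_files": ["Ashield.pif", "NETSTAT.PIF", "winsock.vbs", "Office Startup.lnk"],
    "hidden_dirs": ["Foreskin"],
}
CLEAN = {
    "autoexec": "@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n",
    "startup_files": ["Office Startup.lnk"],
    "hidden_dirs": [],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label + ":", check_host(snap) or "no indicators")
    for ip in ("206.250.1.1", "206.244.50.0", "12.73.5.5", "10.0.0.1"):
        print(ip, "in worm scan range" if in_scan_range(ip) else "not scanned")
```

`in_scan_range` is meant for correlating inbound NetBIOS/SMB connection attempts in firewall logs: a destination in one of these ranges, combined with anonymous write access on the share, is exactly the condition the post warns NT/Win2K admins to close. `check_host` deliberately lower-cases names because FAT/NTFS file names are case-insensitive, so a dropper named `WINSOCK.VBS` must still match.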