W95/Firkin.worm (911 worm)


911 Share Virus, Bat/911, Bat/Chode.worm, Foreskin


Related Viruses

Related Downloads

Date Added

 Discovery Date:3/22/00
 Risk Assessment:Low
 Minimum DAT:4071 (3/29/00)
 Minimum Engine:4.0.35

NOTE: This virus is the same as noted in the FBI's NIPC group posted an alert on Saturday, April 1st, 2000.

The worm starts on an infected computer when the ashield.pif and mstum.pif files are copied to the windows\startm~1\programs\startup and run next time the computer is started.

A user does not need to run a VBScript file, or read an e-mail message to get infected; it spreads over open network shares.

ashield.pif runs hide.bat, which uses the utility ashield.exe to hide the window that the worm process would otherwise leave visible.

mstum.pif runs mstum.bat, which is the actual worm process which runs in the background.

The first thing mstum.bat does is pause 10 seconds before doing anything. Then mstum.bat runs final.bat, which randomly selects a subnet to scan.

Each of the files A.BAT, B.BAT, C.BAT, D.BAT, E.BAT, F.BAT, G.BAT, H.BAT, I.BAT, and J.BAT contains code to scan a different part of the Internet. By randomly selecting one of those batch files, and replacing MSTUM.BAT with a copy of it, the batch file randomly selects one of the subnets to scan:


MSTUM.BAT then calls ADD.BAT, which contains the routines for stepping through IP addresses on the subnet. The ADD.BAT also tries to run the file CHAOS.BAT.

When scanning, it uses the ping utility and Windows NetBIOS to look for open shares called "C". These are shared drives that users intended to share with their local network, but inadvertently shared over the entire Internet. It then tries to map the remote drive as drive "J:"!

It then tries to remove previous instances of itself, as well as the VBS/Netlog worm.

As a test, it creates the directory "zx" the root directory of the remote drive and checks to see whether it was successful. If it succeeds it copies all the worm files in the c:\progra~1\foreskin\ directory to the j:\progra~1\foreskin directory.

Then depending on a random number, it will add the file slam.bat to the c:\autoexec.bat file of the remote machine. The next time the remote machine is started, the modified autoexec.bat will at random, either try to call 911 on the computers modem, or try to format all the hard drives, from h:-c:, and display the message "You have been sLamMeD By fOREsKIN mOThERfUCKER"

Then it will copy the ashield.pif and mstum.pif files to the directory j:\windows\startm~1\programs\startup\ashield.pif

where J: is the remote drive C: the virus mapped earlier. This means that the worm gets control next time the victim starts their computer since J: actually means drive C:.

Then it will write the text:

[Remote IP address] was sucessfully infected with foreskin

to the file c:\PROGRA~1\foreskin\cool.txt, which is used as an infection log.

The FINAL.BAT contains the comments:

REM fOREsKIN sElf rEPlIcAToR vERSION 1.07c final CHAoS (C) 2000 EMD LABS INC
REM rAndOm dEvIStAtOr
REM nOt pErFECt, bUt iT sERvES iTS pUrPosE....bAtCh fIlE pROgRAMmINg
REM sInCe tHis vIrUs uSeS aN .eXe fILe iT cAn pOtEnTiAllY sPReAD otHeR vIRuSeS oThER tHAn iTsElF...cOoL!!!
REM wAs nOt cREaTED bY tHE sAMe pERsON tHAT wROtE tHe nETwORk.vBs sHIt
REM iT wAs jUsT iN mY wAy

Existence of the above mentioned files, computer calls 911.

Method Of Infection
Running this file will directly install to the local machine and then it will begin scanning for available shares over the Internet.

Removal Instructions
Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.