First published: 3rd April 2000
Firkin worm spreads to Internet-connected PCs
Espoo, Finland, April 2, 2000; Hong Kong, China, April 3, 2000 - F-Secure Corporation, a leading provider of centrally-managed, widely distributed security solutions, has analysed a new internet worm known as Firkin or Chode. This worm attempts to cause a denial-of-service attack against the 911 emergency hotline. F-Secure Anti-Virus detects and disinfects the worm.
Firkin is a family of closely-related internet worms. They have been written entirely in the simple DOS batch language. These worms replicate further over the internet, infecting Windows-based computers which have their hard drive shared to the world. Many users accidentally share their whole hard drive and when they connect to the internet, anybody can access it. The worm uses this vulnerability to spread further.
When the Firkin worm is started, it searches a wide range of machines connected to the Internet. The search is targeted at computers using some of the largest ISPs (Internet Service Providers) in the world, including AT&T, America Online, MCI and Earthlink.
The worm scans every machine to find one which has shared its hard drive. When such a system is found, the worm copies itself to the target computer and modifies its system in such a way that the worm is executed the next time the system is booted.
At this time, the worm might add a routine that calls the 911 emergency number using a modem every time the infected system is booted. This routine is injected into the host system at random and is not present in every infected computer.
The result of this routine is that every time such a system is restarted, the computer silently places a normal phone call to 911. Since it is standard procedure in many locations for the emergency services to dispatch a unit to the location of an incoming 911 call, the results can be quite serious, possibly causing delays in responding to real calls.
Depending on the exact variant of the worm, it might also attempt to delete all files from several directories on the computer and display messages on screen. The deletion of files is programmed to happen on the 19th of every month.
The worm code contains several text strings, including:
fOREsKIN sElf rEPlIcAToR vERSION 1.07c final CHAoS
(C) 2000 EMD LABS INC rAndOm dEvIStAtOr
nOt pErFECt, bUt iT sERvES iTS pUrPosE....bAtCh fIlE pROgRAMmINg
The FBI discovered one variant of this worm during a 'recent and breaking' case.
"This is a serious denial-of-service attack against the 911 emergency system," comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "The only bright side to the situation is that this worm is unlikely to cause damage outside North America." The ISPs the worm is attacking operate mainly in the USA, and 911 is used as an emergency number primarily in North America.
"The maliciousness or irresponsibility of the writer or writers of this worm is astounding," commented Allan Dyer, Technical Director of Yui Kee Co. Ltd. "We are fortunate that it is unlikely to affect us in Hong Kong, both because of the ISPs targeted and the emergency number used."
Infected systems can easily be spotted by checking whether the "C:\Program Files" folder contains a new hidden folder called either "Chode", "Foreskin" or "Dickhair". To see hidden folders with Windows Explorer, turn on the "Show all files" setting from Explorer options.
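The folder check described above can be scripted. The following is an added example, not part of the original advisory: it looks for the three folder names (case-insensitively) directly under a given directory and searches files inside any match for fragments of the text strings quoted earlier. The function names, the three fragments chosen and the 1 MB read limit are assumptions of this example.

```python
import os
import stat
import sys

# Folder names and string fragments taken from the advisory text above.
IOC_FOLDERS = {"chode", "foreskin", "dickhair"}
IOC_STRINGS = (b"foreskin self replicator", b"emd labs inc", b"random devistator")
MAX_READ = 1 << 20  # assumption: first 1 MB of each file is enough for a batch script


def is_hidden(path):
    """True if the Windows 'hidden' attribute is set; always False on other systems."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))


def scan_program_files(root):
    """Return (kind, path, detail) findings for Firkin folder names under root."""
    findings = []
    try:
        entries = sorted(os.scandir(root), key=lambda e: e.name.lower())
    except OSError:
        return findings  # root missing or unreadable: nothing to report
    for entry in entries:
        if not entry.is_dir(follow_symlinks=False) or entry.name.lower() not in IOC_FOLDERS:
            continue
        # The folder name alone is the indicator; the hidden flag is recorded as detail.
        findings.append(("folder", entry.path, is_hidden(entry.path)))
        for dirpath, _dirs, files in os.walk(entry.path):
            for name in sorted(files):
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as fh:
                        data = fh.read(MAX_READ).lower()  # strings use mixed case
                except OSError:
                    continue
                hits = [s.decode() for s in IOC_STRINGS if s in data]
                if hits:
                    findings.append(("strings", full, hits))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files"
    for kind, path, detail in scan_program_files(target):
        print(kind, path, detail)
```

Run it with the path to a mounted or imaged "Program Files" directory as the first argument; with no argument it checks C:\Program Files on the local machine.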