BAT911.Worm

BAT911.Worm is an Internet worm written as a set of .bat files. It scans ranges of Internet Protocol (IP) addresses belonging to known Internet Service Providers (ISPs) looking for a reachable computer. If that computer shares its drive C without a password, the worm copies its files to that drive.

Also Known As: BAT.Chode.Worm, Chode, Foreskin, BAT911, 911 Worm, W95.Firkin, Worm.Firkin, BAT/Firkin.Worm

Type: Worm

Infection Length: Several batch files and .pif files

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x


Damage
- Payload Trigger: 19th of the month
- Payload: Winsock.vbs is launched when Windows starts on an infected computer. On the 19th of the month, this VBS script deletes files from the following folders:
C:\windows
C:\windows\system
C:\windows\command
C:\
Then, it displays two messages:
"You Have Been Infected By Chode"
"You may now turn this piece of sh*t off!"
Distribution

BAT911.Worm uses multiple .bat files and several standard system programs to spread itself over an Internet connection. When it locates an accessible computer, the worm checks for the file C:\Windows\Win.com on the share. If it finds Win.com, the worm assumes that the share is that computer's drive C. It then creates the C:\Progra~1\Chode folder (the 8.3 short name for C:\Program Files\Chode) and copies its files to that folder.
The main batch file runs from the C:\Progra~1\Chode folder. When launched, it searches for an accessible subnet at several ISPs:
- Att.net (ATT Worldnet)
- Bellsouth.net (BellSouth Net)
- Level3.net (Level3 Net)
- Aol.com (America Online)
- Mindspring.com (Mindspring)
- Earthlink.net (Earthlink)
- Air.on.ca (Air.Internet in Canada)
- Psi.net (PSInet)
NOTE: Using one of these ISPs does not by itself make your computer vulnerable to this worm. Your computer is vulnerable to this worm (and to other intrusions) if its shared resources are not properly protected: the worm can only spread to a computer that exposes a shared drive with write access and no password.
Once the worm finds an accessible subnet, it will search for an accessible shared drive. If there is no accessible shared drive in the subnet, it will repeat the subnet search.
Once the worm finds an accessible shared drive, it checks whether the share is drive C. If so, it maps the shared drive. After mapping the drive, it makes sure that it has not already infected the mapped drive. While performing that check, it also searches for and removes VBS.Network, a worm written in VBS script. Next, it verifies that the drive is writable and copies its files to the other computer.
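The subnet sweep described above is visible from the network side as one source opening file-sharing connections to many hosts in the same /24 within a short time. The following added example (not part of the Symantec write-up) flags that pattern over constructed connection-log lines. It assumes that file sharing is reached on TCP port 139 (the NetBIOS session service on Windows 9x/NT, which the write-up does not name), the log format shown, and a threshold of eight distinct targets within five minutes; the port, format and threshold are choices made for the example, not values from the page.

```python
"""
Added example, not from the Symantec write-up: detect a host sweeping a /24
for Windows file shares, the behaviour described in the Distribution section.
Assumptions: file sharing on TCP 139 (NetBIOS session service), a constructed
"<timestamp> <src> -> <dst>:<port>" log format, and the threshold/window below.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 139               # assumption: NetBIOS session service, Windows 9x/NT file sharing
SWEEP_THRESHOLD = 8          # distinct hosts in one /24 before we alert (chosen for the example)
WINDOW = timedelta(minutes=5)

# Constructed log lines. 10.0.0.5 sweeps 203.0.113.0/24 (TEST-NET-3, a documentation
# range), 10.0.0.7 makes one ordinary file-share connection, 10.0.0.9 makes one later.
SAMPLE_LOG = """\
2000-04-19T10:00:01 10.0.0.5 -> 203.0.113.1:139
2000-04-19T10:00:02 10.0.0.5 -> 203.0.113.2:139
2000-04-19T10:00:02 10.0.0.7 -> 198.51.100.2:80
2000-04-19T10:00:03 10.0.0.5 -> 203.0.113.3:139
2000-04-19T10:00:03 10.0.0.7 -> 203.0.113.5:139
2000-04-19T10:00:04 10.0.0.5 -> 203.0.113.4:139
2000-04-19T10:00:05 10.0.0.5 -> 203.0.113.5:139
2000-04-19T10:00:06 10.0.0.5 -> 203.0.113.6:139
2000-04-19T10:00:07 10.0.0.5 -> 203.0.113.7:139
2000-04-19T10:00:08 10.0.0.5 -> 203.0.113.8:139
2000-04-19T10:00:09 10.0.0.5 -> 203.0.113.9:139
2000-04-19T10:00:10 10.0.0.5 -> 203.0.113.10:139
2000-04-19T10:00:11 10.0.0.5 -> 203.0.113.11:80
2000-04-19T11:30:00 10.0.0.9 -> 203.0.113.50:139
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, rest = line.split(" ", 1)
    src, _, dst = rest.split(" ")          # "src -> dst:port"
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def detect_share_sweeps(lines, threshold=SWEEP_THRESHOLD, window=WINDOW):
    """
    Return {src: [(subnet, distinct_targets), ...]} for every source that contacted
    at least `threshold` distinct hosts on SMB_PORT inside one /24 within `window`.
    """
    events = defaultdict(list)             # (src, /24 network) -> [(ts, dst_ip)]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst_ip, port = parse_line(line)
        if port != SMB_PORT:               # only file-sharing connections matter here
            continue
        subnet = ipaddress.ip_network(f"{dst_ip}/24", strict=False)
        events[(src, subnet)].append((ts, dst_ip))

    alerts = defaultdict(list)
    for (src, subnet), hits in events.items():
        hits.sort()
        best, start = 0, 0
        # Sliding time window over the ordered hits; track the most distinct
        # targets seen inside any single window.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({ip for _, ip in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[src].append((str(subnet), best))
    return dict(alerts)


if __name__ == "__main__":
    for src, sweeps in detect_share_sweeps(SAMPLE_LOG.splitlines()).items():
        for subnet, count in sweeps:
            print(f"{src} swept {subnet}: {count} distinct hosts on tcp/{SMB_PORT}")
```

Grouping by (source, /24) rather than by source alone is what separates a sweep from a busy but legitimate file server client: the worm's batch file walks one subnet at a time, so the distinct-target count climbs inside a single /24 before it moves on.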
While copying its files to the other computer, it does the following:
- It adds a line to the Autoexec.bat file that starts a second .bat file when the computer is restarted. This second .bat file uses the computer's modem to dial 911. The worm makes this modification in one out of five infections.
- It adds Ashield.pif to the StartUp folder. This .pif file hides the worm when it is launched.
- It adds Netstat.pif to the StartUp folder. This .pif file hides the Netstat utility that the worm uses.
- It adds Winsock.vbs to the StartUp folder. This .vbs file carries the payload.
- It logs the infection in the C:\Program Files\Chode\Chode.txt file on the source computer.
The worm also uses a freeware Win32 utility, which it has renamed Ashield.exe, to hide its activity. Because the utility itself is a legitimate program, Norton AntiVirus does not detect it.
Payload
Winsock.vbs is launched when Windows starts on an infected computer. On the 19th of the month this .vbs script deletes files from the following folders:
C:\
C:\Windows
C:\Windows\System
C:\Windows\Command
After deleting the files, it displays the following messages:
You Have Been Infected By Chode
You may now turn this piece of sh*t off!
NOTE: Several slight variants of this message have been reported.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this write-up, in trusted Security Bulletins, or on vendor Web sites.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

To remove BAT911.Worm from a computer that is already infected, please follow these steps:
CAUTION: The following instructions have you delete a folder and three files and edit Autoexec.bat. Make sure that you select and delete only the folder, files, and line that are specified.
- Run LiveUpdate to make sure that you have the most recent virus definitions.
- Using Windows Explorer, delete the following folder:
C:\Program Files\Chode
- Delete the following files:
C:\WINDOWS\Start Menu\Programs\StartUp\Ashield.pif
C:\WINDOWS\Start Menu\Programs\StartUp\Netstat.pif
C:\WINDOWS\Start Menu\Programs\StartUp\Winsock.vbs
- Open C:\Autoexec.bat in a text editor and remove any line that runs a .bat file from the C:\Program Files\Chode (C:\Progra~1\Chode) folder. This is the line that the worm adds in some infections to dial 911 at startup. Do not remove any other lines.
- Run a full system scan.
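Before deleting anything, it is worth confirming which of the listed artifacts are actually present, especially on a volume that is being examined offline. The following added example (not part of the Symantec write-up) is a triage script that takes the root of a Windows volume, whether the live drive, a copy, or a mounted image, and reports the indicators from this write-up. It assumes the Windows 9x layout used in the removal steps (Start Menu under WINDOWS). Because the write-up does not quote the Autoexec.bat line or name the second .bat file, the script flags any Autoexec.bat line that references the worm's folder; the infected layout it builds for demonstration is constructed, with placeholder files rather than worm code.

```python
"""
Added example, not from the Symantec write-up: offline triage for the BAT911.Worm
artifacts listed in the removal steps. Assumptions: Windows 9x folder layout with
the Start Menu under WINDOWS; any Autoexec.bat line referencing the Chode folder
(long or 8.3 name) counts as the worm's startup hook, since the exact line and the
name of the dialer .bat are not given in the write-up.
"""
import tempfile
from pathlib import Path

CHODE_DIR = Path("Program Files") / "Chode"
STARTUP_DIR = Path("WINDOWS") / "Start Menu" / "Programs" / "StartUp"
STARTUP_FILES = ("Ashield.pif", "Netstat.pif", "Winsock.vbs")


def find_autoexec_hooks(root):
    """Return Autoexec.bat lines that reference the Chode folder by its long or 8.3 name."""
    autoexec = Path(root) / "Autoexec.bat"
    if not autoexec.is_file():
        return []
    hooks = []
    for line in autoexec.read_text(errors="replace").splitlines():
        low = line.lower()
        if "chode" in low and ("progra~1" in low or "program files" in low):
            hooks.append(line.rstrip())
    return hooks


def triage(root):
    """Collect the write-up's indicators; 'infected' is true if any persistence artifact exists."""
    root = Path(root)
    # On a case-sensitive filesystem the image must be mounted case-insensitively
    # (or the constants adjusted) for these lookups to match a FAT/NTFS volume.
    findings = {
        "chode_dir": (root / CHODE_DIR).is_dir(),
        "startup_files": [n for n in STARTUP_FILES if (root / STARTUP_DIR / n).is_file()],
        "autoexec_hooks": find_autoexec_hooks(root),
        "infection_log": [],
    }
    log = root / CHODE_DIR / "Chode.txt"
    if log.is_file():
        # Chode.txt records the computers this host infected; keep the raw lines
        # for follow-up, since the write-up does not describe the format.
        findings["infection_log"] = [
            l for l in log.read_text(errors="replace").splitlines() if l.strip()
        ]
    findings["infected"] = bool(
        findings["chode_dir"] or findings["startup_files"] or findings["autoexec_hooks"]
    )
    return findings


def build_constructed_victim(root):
    """Create a constructed infected layout for demonstration; the files are placeholders, not worm code."""
    root = Path(root)
    (root / CHODE_DIR).mkdir(parents=True)
    (root / STARTUP_DIR).mkdir(parents=True)
    for name in STARTUP_FILES:
        (root / STARTUP_DIR / name).write_text("placeholder\n")
    (root / CHODE_DIR / "Chode.txt").write_text("constructed entry 1\nconstructed entry 2\n")
    # SECOND.BAT is a placeholder name; the write-up does not name the dialer batch file.
    (root / "Autoexec.bat").write_text(
        "@ECHO OFF\r\nPATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\nC:\\PROGRA~1\\CHODE\\SECOND.BAT\r\n"
    )


def run_demo():
    """Triage one constructed infected volume and one clean volume; returns both findings."""
    infected_root = tempfile.mkdtemp()
    build_constructed_victim(infected_root)
    clean_root = tempfile.mkdtemp()
    return triage(infected_root), triage(clean_root)


if __name__ == "__main__":
    infected, clean = run_demo()
    print("infected volume:", infected)
    print("clean volume:", clean)
```

Run `triage(r"C:\")` on a live Windows 9x machine, or `triage("/mnt/victim")` on a mounted image, and act on the removal steps only for the artifacts it reports; the Chode.txt lines tell you which other computers on the same shares to check next.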
Write-up by: Raul Elnitiarta