Virus Busters Home


The 911 Virus/Worm Warning Is Overstated

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)

Last significant update: 03 April 2000

This information can be freely reproduced in any medium, as long as the information is unmodified.

We recently became aware of a worm that attempts to propagate itself to other networked computers that allow file sharing. It also has several nasty payloads -- at startup, it will (based on a random number it generates) delete files on the local computer, and -- more insidious -- try to dial 911 which, of course, could jam the emergency phone system in the U.S.

Now this is certainly a slimy thing to do -- not that this comes as any surprise, since virus writers/distributors are lowlife characters or, if they are not yet mentally developed enough, at least not able to judge the consequences of their ill-considered actions.

This particular worm, however, is not judged to be a significant threat. Network Associates (NAI), the first antivirus company (I think; they found it on 22 March 2000) to make a write-up on the worm (leaving our site), judges the threat to be "low", which means, according to NAI:

I agree with NAI's assessment that this is a low risk item.

That said, however, this thing HAS been sighted "In The Wild" and, unfortunately, has been given a publicity boost we believe it does not merit, courtesy of the National Infrastructure Protection Center (NIPC). Below is the text of the first query we received about this:

There is such a thing, yes.

That's a bit of an overstatement, though it does zap some files sometimes. The nasty thing about it is that it may flood 911 with bogus calls.

Well, that's for several reasons:

  1. We generally don't try to document viruses -- with over 50,000 of them, we leave it to the antivirus companies.

  2. In the rare event that we do document something, it has to be a real threat. Betcha this one doesn't hit many folks at all.

    [snip]

  3. This one is, uhhh, a wee bit new. We do have other things to do over the weekend, contrary to popular belief. ;-)

We are honored, sir!

In <ALL CAPS>, no less. [You'd think that by now, the government would have bought a few PCs that have upper and lower case, and not be using all those old Hazeltines and EBCDIC computers....]

On further reflection (that means "more careful observation"), I see that the NIPC memo has some lower case letters in it after all. SO WHY WERE THEY SHOUTING? Someone at NIPC needs to learn a bit about Netiquette.

I'm not giving the NIPC page any legitimacy by making a link to it here; if you want to see what it says, copy the URL above into your browser and see for yourself.

Two comments, though:

  1. The NIPC does state that this is limited to the Houston, Texas area, which is a Good Thing to say -- but then, I submit that it doesn't merit such a prominent position on their web site.
  2. It appears that the FBI is investigating which, if they do it right, is a Very Good Thing: if law enforcement were able to devote more resources to computer crimes, then we might not have over 50,000 computer viruses, Trojans, worms, and other malware floating about out there.

    Here is my vote that they should continue this thrust against the Computer Black Hats, and I wish them at least as much success as they had against the writer of the Melissa virus.

That's my assessment, though the Gummint men may knock on my door soon, I suppose, to educate me.

Thanks for your kind words.

   -BP "Figure I'll be out in no more than 20 years" B

Please do not forward this to all your friends. Instead:

By the way: if you'd like more information about this particular nuisance, see e.g., F-Secure's writeup (leaving our site) or SOPHOS' writeup (leaving our site) -- both are descriptive and lacking hype, and they corroborate NAI's "low risk" assessment.

Finally, note that because of all the brouhaha, antivirus vendors will be forced to have product updates ready to handle this, even though its threat level is low. NAI, F-Secure, and SOPHOS have already done this, as I'm sure have many other vendors. Those that have not will very soon, though that may mean that the processing of more dangerous viruses is postponed.

   -BPB



Last updated: Wednesday, 02-Jan-2002 14:03:42 EST.
University of Michigan Virus Busters - virus.busters@umich.edu
