BAT911.Worm

Discovered: March 31, 2000
Updated: February 13, 2007 11:51:02 AM
Also Known As: BAT.Chode.Worm, Chode, Foreskin, BAT911, 911 Worm, W95.Firkin, Worm.Firkin, BAT/Firkin.Worm
Type: Worm
Systems Affected: Windows


BAT911.Worm is an Internet worm that uses .bat files. It searches through a range of Internet Protocol (IP) addresses of known Internet Service Providers (ISPs) to find an accessible computer. If an accessible computer shares its drive C and it is not password protected, then the virus copies its files to drive C of that computer.

Antivirus Protection Dates

  • Initial Rapid Release version April 01, 2000
  • Latest Rapid Release version April 01, 2000
  • Initial Daily Certified version October 31, 2007 revision 003
  • Latest Daily Certified version June 17, 2008 revision 017
  • Initial Weekly Certified release date April 01, 2000

Writeup By: Raul Elnitiarta


BAT911.Worm uses multiple .bat files and some system programs to spread itself through an Internet connection. When it locates an accessible computer, the worm checks for the presence of the C:\Windows\Win.com file. If it finds Win.com, then the worm assumes that drive C is shared. It then creates the C:\Program~1\Chode (C:\Program Files\Chode) folder and copies its files to that folder.

The main batch file runs from the C:\Program~1\Chode folder. When launched, it searches for an accessible subnet on several ISPs:

  • Att.net (ATT Worldnet)
  • Bellsouth.net (BellSouth Net)
  • Level3.net (Level3 Net)
  • Aol.com (America Online)
  • Mindspring.com (Mindspring)
  • Earthlink.net (Earthlink)
  • Air.on.ca (Air.Internet in Canada)
  • Psi.net (PSInet)

NOTE: Connecting to one of these ISPs does not make your computer vulnerable to this worm. Your computer is vulnerable to this worm (and other intrusions) if your computer's shared resources are not properly protected. This worm can only spread to a computer that has a shared drive without password protection for write-access.

Once the worm finds an accessible subnet, it will search for an accessible shared drive. If there is no accessible shared drive in the subnet, it will repeat the subnet search.

Once the worm finds an accessible shared drive, it checks whether the drive is drive C. If so, it maps the shared drive. After mapping the drive, it makes sure that it has not already infected the mapped drive. While performing this check, it also searches for and removes VBS.Network, a worm written in VBScript. Next, it verifies that the drive is writable and copies its files to the other computer.

While copying its files to the other computer, it does the following:
  1. It adds a line to the Autoexec.bat file that starts a second .bat file when the computer is restarted. This second .bat file uses the computer's modem to dial 911. This modification is done one out of five times.
  2. It adds Ashield.pif to the StartUp folder. This .pif file hides the worm when it is launched.
  3. It adds Netstat.pif to the StartUp folder. This .pif file hides the Netstat utility that it uses.
  4. It adds Winsock.vbs to the StartUp folder. This .vbs file carries the payload.
  5. It logs the infection in the C:\Program Files\Chode\Chode.txt file of the source computer.

The worm also uses a freeware utility to hide its activity. The freeware utility is a Win32 program, which the worm has named Ashield.exe. Norton AntiVirus will not detect this utility.

Payload
Winsock.vbs is launched when Windows starts on an infected computer. On the 19th of the month, this .vbs script deletes files from the following folders:

  • C:\
  • C:\Windows
  • C:\Windows\System
  • C:\Windows\Command

After deleting the files, it displays the following messages:

You Have Been Infected By Chode
You may now turn this piece of sh*t off!

NOTE: Several slight variants of this message have been reported.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


To remove BAT911.Worm from a computer that is already infected, please follow these steps:

CAUTION: The following instructions have you delete a folder and three files from your computer. Make sure that you select and delete only the folder and files that are specified.

  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Using Windows Explorer, delete the following folder:
     C:\Program Files\Chode
  3. Delete the following files:
     C:\WINDOWS\Start Menu\Programs\StartUp\Ashield.pif
     C:\WINDOWS\Start Menu\Programs\StartUp\Netstat.pif
     C:\WINDOWS\Start Menu\Programs\StartUp\Winsock.vbs
  4. Run a full system scan.
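As an added defender-side example that is not part of the Symantec writeup, the following Python script triages a drive root for the indicators named above: the Chode folder, the three StartUp files, and a line in Autoexec.bat that references the Chode folder. It can be pointed at a mounted drive or an offline image; the Autoexec.bat pattern, the helper names and the sample drive layout are constructed assumptions, not data from the writeup.

```python
import re, tempfile
from pathlib import Path

# Indicators from the writeup, relative to the drive root (works on a mounted image too).
CHODE_FOLDER = Path("Program Files") / "Chode"
STARTUP_DIR = Path("WINDOWS") / "Start Menu" / "Programs" / "StartUp"
STARTUP_FILES = ("Ashield.pif", "Netstat.pif", "Winsock.vbs")
# Assumption: the line the worm appends to Autoexec.bat references its Chode folder.
AUTOEXEC_PATTERN = re.compile(r"chode", re.IGNORECASE)

def find_ci(root, rel):
    """Resolve rel under root ignoring case (FAT is case-insensitive, a Linux mount is not)."""
    cur = Path(root)
    for part in rel.parts:
        kids = cur.iterdir() if cur.is_dir() else ()
        cur = next((c for c in kids if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def triage(root) -> dict:
    """Report which of the writeup's indicators are present under root."""
    root = Path(root)
    found = {"chode_folder": None, "startup_files": [], "autoexec_lines": []}
    folder = find_ci(root, CHODE_FOLDER)
    if folder is not None and folder.is_dir():
        found["chode_folder"] = str(folder)
    for name in STARTUP_FILES:
        hit = find_ci(root, STARTUP_DIR / name)
        if hit is not None and hit.is_file():
            found["startup_files"].append(hit.name)
    autoexec = find_ci(root, Path("Autoexec.bat"))
    if autoexec is not None and autoexec.is_file():
        for n, line in enumerate(autoexec.read_text(errors="replace").splitlines(), 1):
            if AUTOEXEC_PATTERN.search(line):
                found["autoexec_lines"].append((n, line.strip()))
    found["infected"] = bool(found["chode_folder"] or found["startup_files"] or found["autoexec_lines"])
    return found

def build_sample(root) -> Path:  # constructed test layout: empty placeholders, not worm files
    root = Path(root)
    (root / CHODE_FOLDER).mkdir(parents=True)
    (root / STARTUP_DIR).mkdir(parents=True)
    (root / STARTUP_DIR / "Ashield.pif").write_bytes(b"")
    (root / STARTUP_DIR / "Winsock.vbs").write_text("' constructed placeholder\n")
    (root / "Autoexec.bat").write_text("@ECHO OFF\nC:\\PROGRA~1\\CHODE\\placeholder.bat\n")
    return root
def demo(infected: bool = True) -> dict:  # temp-dir harness: sample layout or a clean root
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(tmp) if infected else tmp)
```

A hit on any one indicator is enough to follow the removal steps above; the Autoexec.bat match also tells you which line to remove so the modem-dialling batch file is not started on the next reboot.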
