Name: Worm.Firkin
Category: Viruses
Description:
Details
Worm.Firkin.a
These are virus-worms that spread via a local network. They appeared at the end of March - beginning of April 2000. They are also known as the "911 virus" because of a payload routine and the mass-media attention caused by public announcements made at the beginning of April 2000.
They are written in DOS Batch language (BAT files) and use only DOS box commands and a few external utilities to carry out infection over the Internet. They are multi-component worms: the worm itself is not a single file but a set of DOS batch files, PIF files (program information files) and some additional files.
On infected machines, the worm installs a component (a PIF file) in the Windows startup folder ("Start Menu\Programs\Startup"). When Windows boots up, this PIF file activates the main worm component, a routine in the worm's main BAT component. This routine initializes a random counter and an IP address counter, hides its window (the DOS box window) with the help of an additional utility, and enters a loop that counts through a large number of IP addresses and pings (tries to resolve) each of them. This is a time-consuming task, of course, but it runs in the background, so it is not visible to the user.
When an IP address is resolved, the worm enumerates all shared resources on the PC associated with that address. If there are drives shared for full access (reading and writing), the worm looks for the Windows directory on the drive and installs itself there if that directory exists. The worm creates a new folder in the "Program Files" directory, copies its file set there, and adds PIF files to the Windows start-up folder so that it is activated on the infected machine upon the next start-up.
The worm is able to spread only when Windows is installed in a directory with exactly the name C:\WINDOWS. If this directory name is different or Windows is installed on another drive, the worm fails to spread.
The worm has extremely dangerous payload routines. Depending on its random counter, the worm either formats hard drives or dials "911".
Variants
There are several known variants, and all of them operate the same way as described above, with some minor differences:
Worm directory:
"Firkin.a,b": C:\PROGRA~1\FORESKIN (C:\Program Files\FORESKIN)
"Firkin.c": C:\PROGRA~1\CHODE (C:\Program Files\CHODE)
Most important files there:
"Firkin.a": A,B,C,D,E,F,G,H,I,J,ADD,FINAL,HIDE,SLAM - all are ".BAT"
ASHIELD.EXE, ASHIELD.PIF - utility that hides worm window
MSTUM.BAT, MSTUM.PIF - main worm BAT and PIF files
"Firkin.b": A,B,C,D,E,F,G,H,I,J,ADD,ZULU,HIDE,SLAM - all are ".BAT"
ASHIELD.EXE, ASHIELD.PIF - utility that hides worm window
MSTUM.BAT, MSTUM.PIF - main worm BAT and PIF files
"Firkin.c": ADD, RANDOM - additional ".BAT" files
ASHIELD.EXE, ASHIELD.PIF - utility that hides worm window
CHODE.BAT, NETSTAT.PIF - main worm BAT and PIF files
PIF files are also copied to the Windows start-up directory.
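A small triage script, added here and not part of the original description, that turns the file sets and locations listed above into a host check: it classifies a suspect "Program Files" subfolder as Firkin.a, .b or .c by the file names (FINAL.BAT versus ZULU.BAT separates .a from .b) and lists PIF files in the Startup folder. The directory layout it builds for demonstration is constructed from empty placeholder files; the function and variable names are this example's own.

```python
import os
import tempfile

# File sets taken from the variant list above (names are case-insensitive on FAT/Windows).
COMMON_BATS = {f"{c}.BAT" for c in "ABCDEFGHIJ"} | {"ADD.BAT", "HIDE.BAT", "SLAM.BAT"}
HIDER = {"ASHIELD.EXE", "ASHIELD.PIF"}
VARIANTS = {
    "Firkin.a": ("FORESKIN", COMMON_BATS | HIDER | {"FINAL.BAT", "MSTUM.BAT", "MSTUM.PIF"}),
    "Firkin.b": ("FORESKIN", COMMON_BATS | HIDER | {"ZULU.BAT", "MSTUM.BAT", "MSTUM.PIF"}),
    "Firkin.c": ("CHODE", HIDER | {"ADD.BAT", "RANDOM.BAT", "CHODE.BAT", "NETSTAT.PIF"}),
}

def classify(program_files):
    """Best-matching worm directory as (variant, matched, missing), or None if no folder is present."""
    best = None
    for name, (subdir, expected) in VARIANTS.items():
        path = os.path.join(program_files, subdir)
        if not os.path.isdir(path):
            continue
        present = {f.upper() for f in os.listdir(path)}
        matched = expected & present
        # .a and .b share FORESKIN; the variant with more matching names wins
        if matched and (best is None or len(matched) > len(best[1])):
            best = (name, matched, expected - present)
    return best

def startup_pifs(startup_dir):
    """PIF files in the Startup folder: the persistence hook the worm relies on."""
    if not os.path.isdir(startup_dir):
        return []
    return sorted(f for f in os.listdir(startup_dir) if f.upper().endswith(".PIF"))

def build_constructed_sample(root, variant):
    """Create empty placeholder files carrying the variant's names (constructed; no worm code)."""
    subdir, files = VARIANTS[variant]
    worm_dir = os.path.join(root, "Program Files", subdir)
    startup = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "Startup")
    os.makedirs(worm_dir, exist_ok=True)
    os.makedirs(startup, exist_ok=True)
    for f in files:
        open(os.path.join(worm_dir, f), "w").close()
    pif = "NETSTAT.PIF" if variant == "Firkin.c" else "MSTUM.PIF"
    open(os.path.join(startup, pif), "w").close()
    return worm_dir, startup

def triage_constructed(variant):
    """Build a sample for `variant` in a temporary directory and run both checks on it."""
    with tempfile.TemporaryDirectory() as root:
        _, startup = build_constructed_sample(root, variant)
        return classify(os.path.join(root, "Program Files")), startup_pifs(startup)
```

On a real system, point classify() at the Program Files directory and startup_pifs() at the Startup folder; a non-empty "missing" set on an otherwise strong match suggests a partially copied or cleaned-up infection rather than a different variant.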