RealTime IT News

No Hoax, But Did FBI Hype the 911 Worm?

An advisory from the FBI's National Infrastructure Protection Center, issued on April Fools' Day, set off hoax alarms across the Internet. But while anti-virus software vendors confirmed Monday that the 911 Worm is the real thing, some are puzzled by the FBI's advisory and are openly questioning the severity of the worm.

Typed in all capital letters and displayed at the FBI Web site, the advisory warned of a new Internet worm that looks for Windows 95/98 systems that have file and print sharing enabled. After infection, the worm erases the contents of the victim's hard drive and then automatically uses the computer's modem to dial up 911 emergency systems.

Vesselin Bontchev, a researcher with Frisk Software, developers of the F-PROT anti-virus software package, said Frisk and other anti-virus vendors have not seen the 911 Worm in the wild.

"Because of the alarmist language of the warning, customers are calling us and over-heating our tech support lines. The warning wasn't thought out well and is raising panic. The panic will cause more damage than the actual virus," said Bontchev, who noted that previous viruses have dialed 911 or deleted data and haven't merited FBI warnings.

Frisk considers the 911 Worm a low risk because it has little chance of rapid spread and is implemented primarily as DOS batch files, according to Bontchev. That was also the assessment of the International Computer Security Association, which put out an advisory on the worm Monday.

"We think the risk of getting nailed by this particular thing is pretty low, but the concept of the threat represents something important. People should either turn off sharing, or at least modify it to include passwords," said Roger Thompson, a malicious code expert with ICSA, in an e-mail to InternetNews.

Network Associates, developer of the popular VirusScan product, has categorized the worm, which it calls W95/Firkin.worm, as "low risk."

In an e-mail to InternetNews, Jimmy Kuo, director of anti-virus research for NAI, revealed that one of the company's customers reported the worm last week, and NAI quickly added detection for it to VirusScan. But Kuo said the anti-virus vendor is puzzled by the FBI's reaction. "Our position is that we don't understand why they did their press release. April 1, no less," said Kuo.

Debra Weierman, a spokesperson for the NIPC, declined to provide more details about the worm, saying the Bureau is involved in an ongoing investigation.

However, the SANS Institute, a cooperative of security professionals and system administrators, released an updated bulletin Monday saying that victims in Houston and San Francisco have reported having their hard drives wiped out by the worm.

According to Alan Paller, SANS research director, "This isn't a toy. Blaming other people for getting the word out seems a silly thing to do."