An advisory from the FBI’s National Infrastructure Protection Center issued
April Fool’s day set off hoax alarms across the Internet. But while
anti-virus software vendors Monday confirmed that the 911 Worm is the real
thing, some are puzzled by the FBI’s advisory and are openly questioning the
severity of the worm.
Typed in all capital letters and displayed at the FBI Web site, the advisory warned of a new
Internet worm that looks for Windows 95/98 systems that have file and print
sharing enabled. After infection, the worm erases the contents of the
victim’s hard drive and then automatically uses the computer’s modem to dial
up 911 emergency systems.
Vesselin Bontchev, a researcher with Frisk
Software, developers of the F-PROT anti-virus software package, said
Frisk and other anti-virus vendors have not seen the 911 Worm in the wild.
“Because of the alarmist language of the warning, customers are calling us
and over-heating our tech support lines. The warning wasn’t thought out well
and is raising panic. The panic will cause more damage than the actual
virus,” said Bontchev, who noted that previous viruses have dialed 911 or
deleted data and haven’t merited FBI warnings.
Frisk considers the 911 Worm a low risk because it has little chance of
rapid spread and is implemented primarily by DOS batch files, according to
Bontchev. That also was the assessment by the International Computer
Security Association, which put out an advisory on
the worm Monday.
“We think the risk of getting nailed by this particular thing is
pretty low, but the concept of the threat represents something important.
People should either turn off sharing, or at least modify it to include
passwords,” said Roger Thompson, a malicious code expert with ICSA, in an
e-mail to InternetNews.
In an e-mail to InternetNews, Jimmy Kuo, director of anti-virus research for
NAI, revealed that one of the company’s customers reported the worm last
week, and NAI quickly added detection for it to VirusScan. But Kuo said the
anti-virus vendor is puzzled by the FBI’s reaction. “Our position is that we
don’t understand why they did their press release. April 1, no less,” said
Debra Weierman, a spokesperson for the NIPC, declined to provide more
details about the worm, saying the Bureau is involved in an ongoing
However, the Sans
Institute, a cooperative of security professionals and system
administrators, Monday released an updated bulletin saying that victims in Houston and San Francisco have reported having their hard drives wiped out
by the worm.
According to Allen Paller, Sans research director, “This isn’t a toy.
Blaming other people for getting the word out seems a silly thing to do.”