Self-diagnosed victims of the 911 Worm Thursday credited the FBI with
protecting their hard disks from possible disaster. But others question
whether the incident, which began April Fools’ Day, is just the latest
example of Internet-induced virus hysteria.
“If it wasn’t for list warnings, I wouldn’t have caught it on time, and it
would have detonated and wiped out my whole database and contacts,” said
Howard Gleichman, a paramedic in Fort Lauderdale, Florida, who said he
discovered the worm on his hard drive Sunday after reading about it on an
e-mail list for emergency management personnel. Gleichman said he
subsequently forwarded the alert to more than 100 other people.
The FBI’s advisory warned that the 911 Worm, also known as Chode or Firkin,
could delete the contents of a victim’s hard drive and use the computer’s
modem to place calls to 911 emergency lines. The FBI said the worm infects
Windows 95/98 PCs that are connected to the Internet and have Windows file
or print sharing enabled.
Sources said the FBI believes the worm was originally propagated by an
individual in the Houston, Texas area, but FBI officials declined to provide
more details because of the ongoing nature of the investigation.
While InternetNews has received half a dozen reports from users claiming to
be infected by the worm, none of the incidents involved data destruction.
“That’s the whole point of early intervention. Who knows what would have
happened if we hadn’t reacted as aggressively as we had,” said Stephen
Northcutt, director of the Global Incident Analysis Center operated by the
SANS Institute, which distributed a detailed warning about the worm Sunday
in response to the FBI advisory. According to Northcutt, GIAC has
subsequently received “a dozen or so” reports of the 911 Worm.
The SANS warning helped set off a wave of postings to lists and message
boards, as users feverishly followed its admonition to get the word out.
Northcutt admitted Thursday that the 911 Worm is not nearly as widespread as
the notorious Melissa virus outbreak, but he said the FBI did the right
thing by getting the word out.
“If they had knowledge of it and they hadn’t told us, everyone would have
wanted to smack them. The good news is, it was terribly educational and lots
of people checked their shares and turned them off because they had no good
reason for having it,” said Northcutt.
But some anti-virus software vendors and security experts were quick to
downplay the risk. Representatives of McAfee Associates and Frisk Software
International noted earlier this week that the worm by design would be
difficult to spread, and were critical of the FBI for needlessly creating
panic. In an incident note on the 911 Worm released Tuesday, the Computer
Emergency Response Team at Carnegie Mellon University said it received no
direct reports of systems infected with this worm.
Ellen Rudd, a visiting lecturer in the Department of Computer Technology at
Purdue University’s School of Engineering and Technology, said the FBI alert
and the subsequent response by users were appropriate.
“I came home Sunday, logged on to my email, and it was full of messages
about this virus. I immediately went into Find and typed in Chode, and it
came up that it was on my computer,” said Rudd, who first heard about the
worm Sunday from a genealogy mailing list operated by Rootsweb.
“If it weren’t for those warning messages, I wouldn’t have had a clue to
look for it,” she said.
The experience of several self-proclaimed victims, however, suggests that
some reports of infection are false alarms.
JoAnne Ringer, an America Online subscriber and owner of a secretarial
service in Austin, Texas, said she followed the directions for diagnosing the
worm provided in the SANS alert. According to Ringer, she searched on the
word Chode using the Windows Find-Files command and was shocked to find her
system contained two files with the name, which she quickly deleted. Later,
Ringer realized that the files were merely HTML files that had been stored
in her Internet cache during an earlier visit to the Symantec site to read
up on the worm.
“Boy, is my face red. I thought because I’m in Texas and hooked up to AOL
that it was likely that I’d be a victim. So much for being paranoid,” said
Ringer.