BAT.Chode.Worm
Detected as: BAT.Chode Worm
Aliases: Chode, Foreskin, BAT911
Infection Length: Multiple batch files
Area of Infection: Shared drive
Trigger Dates: 19th of the month
Characteristics: Batch file worm
Description
BAT.Chode.Worm is an internet worm built from BAT files. It scans a range of IP addresses belonging to known ISPs looking for a reachable computer. If a reachable computer has its C drive shared, the worm copies its files onto that computer.
Technical description
BAT.Chode.Worm uses multiple BAT files, an accompanying VBScript (.VBS) and some system programs to spread itself over an internet connection. It scans a range of IP addresses belonging to known ISPs to find a reachable computer.
If a reachable computer has a shared drive that is not password protected, the worm checks for the presence of the file C:\WINDOWS\WIN.COM.
If that file is present, it assumes the shared drive is the other computer's C drive.
It then copies its files into the other computer's C:\PROGRA~1\CHODE directory. It creates subdirectories called
C:\progra~1\chode,
C:\progra~1\foreskin
and C:\progra~1\dickhair.
Note that these subdirectories are created with the "hidden" attribute, so to check whether they exist on your system you must configure the "Find" command to show hidden directories.
In the Windows Explorer menu choose View/Options and make sure "Show All Files" is selected.
The main batch file assumes it is running from the C:\PROGRA~1\CHODE directory. When launched, it searches for an accessible subnet at several ISPs:
- att.net (ATT Worldnet)
- bellsouth.net (BellSouth Net)
- level3.net (Level3 Net)
- aol.com (America Online)
- mindspring.com (Mindspring)
- earthlink.net (Earthlink)
- air.on.ca (Air.Internet in Canada)
- psi.net (PSInet)
Note: Connecting to one of these ISPs does not make your computer vulnerable to this worm. Your computer is vulnerable to this worm (and other intrusions) if your computer's shared resources are not properly protected. This worm can only spread to a computer that has a shared drive without password protection for write-access.
It attempts to access computers within the subnets of various IP addresses. Once the worm finds an accessible subnet, it will search for an accessible shared drive. If there is no accessible shared drive in the subnet, it will repeat the subnet search above.
Once the worm finds an accessible shared drive, it will do a quick test to see if the drive is the C drive. If it is the C drive, it will map the shared drive.
After mapping the drive, it makes sure that it has not already infected the mapped drive. During this check it also searches for and removes VBS.Network, a worm written in VBScript. It then verifies that the drive is writable and copies its files to the other computer.
While copying its files to the other computer, it adds the following:
- There is a 3 in 7 chance that the virus will alter the remote machine's AUTOEXEC.BAT file.
When run on the remote machine, the altered AUTOEXEC.BAT attempts to unconditionally format the J:, I:, H:, G:, F:, E: and D: hard drives.
The code then displays the message
You have been sLamMeD By fOREsKIN
mOThERfUCKER
before attempting to unconditionally format the C: drive.
- A call to a batch file that dials 911 through the computer's modem is added to C:\AUTOEXEC.BAT.
This modification is made 4 out of 7 times.
The virus randomly chooses to attempt this via the COM1, COM2, COM3 or COM4 port.
- ashield.pif is placed in the Program StartUp folder of the infected machine. This PIF file hides the worm when it is launched and runs hide.bat.
- mstum.pif runs mstum.bat, which is the actual worm process which runs in the background.
The first thing mstum.bat does is pause 10 seconds before doing anything.
Then mstum.bat runs final.bat, which randomly selects a subnet to scan.
- MSTUM.BAT then calls ADD.BAT, which contains the routines for stepping through the IP addresses on the subnet.
ADD.BAT also tries to run the file CHAOS.BAT.
- netstat.pif is placed in the Program StartUp folder of the infected machine. This PIF file hides the netstat utility that the worm uses.
- winsock.vbs is placed in the Program StartUp folder of the infected machine. This VBS carries the payload.
- The infection is logged in the file C:\PROGRAM FILES\chode\chode.txt on the source computer.
The worm also uses a freeware utility to hide its activity. The freeware utility is a win32 program that the worm names ASHIELD.EXE. NAV will not detect this utility.
Payload
WINSOCK.VBS is launched when Windows starts on an infected computer.
On the 19th of the month, this VBS script deletes all files from the following directories:
- C:\windows
- C:\windows\system
- C:\windows\command
- C:\
Then, it displays two message boxes:
You Have Been Infected By Chode
You may now turn this piece of sh*t off!
Repair Notes
- Delete the C:\Program Files\Chode directory.
- Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\ASHIELD.PIF
- Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NETSTAT.PIF
- Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINSOCK.VBS
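The following is an added example, not part of this write-up or of any vendor tool: a small Python checker that looks for the artifacts listed above (the hidden directories, the three StartUp items, the chode.txt log and a tampered AUTOEXEC.BAT) under a caller-supplied root, so it can be tried offline against a constructed test tree before being pointed at a real C:\ drive. The AUTOEXEC.BAT check is a heuristic on the words the page mentions, since the exact altered lines are not quoted.

```python
import os
import tempfile

# Indicators taken from the write-up, joined onto a caller-supplied root so the
# check can run offline against a test tree. On a Windows 9x box root is "C:\\";
# PROGRA~1\CHODE is "Program Files\Chode", and the hidden attribute the page
# mentions does not stop os.path.isdir() from seeing the directory.
WORM_DIRS = [("progra~1", "chode"), ("progra~1", "foreskin"),
             ("progra~1", "dickhair")]
STARTUP = ("windows", "start menu", "programs", "startup")
STARTUP_ITEMS = ["ashield.pif", "netstat.pif", "winsock.vbs"]
LOG_FILE = ("progra~1", "chode", "chode.txt")


def find_chode_indicators(root):
    """Return (kind, path) pairs for every Chode artifact present under root."""
    findings = []
    for parts in WORM_DIRS:
        p = os.path.join(root, *parts)
        if os.path.isdir(p):
            findings.append(("worm directory", p))
    for name in STARTUP_ITEMS:
        p = os.path.join(root, *STARTUP, name)
        if os.path.isfile(p):
            findings.append(("startup item", p))
    p = os.path.join(root, *LOG_FILE)
    if os.path.isfile(p):
        findings.append(("infection log", p))
    # Heuristic only: the write-up says the altered AUTOEXEC.BAT formats drives
    # and dials 911 but does not quote the lines, so the tell-tale words are
    # flagged for manual review rather than reported as a definite match.
    p = os.path.join(root, "autoexec.bat")
    if os.path.isfile(p):
        with open(p, encoding="latin-1") as fh:
            text = fh.read().lower()
        if "format" in text or "911" in text:
            findings.append(("suspicious autoexec.bat", p))
    return findings


def build_sample_tree():
    """Constructed test tree (not a real infection) holding three indicators."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "progra~1", "chode"))
    os.makedirs(os.path.join(root, *STARTUP))
    open(os.path.join(root, *STARTUP, "winsock.vbs"), "w").close()
    with open(os.path.join(root, "autoexec.bat"), "w") as fh:
        fh.write("@echo off\nrem constructed sample\nformat d:\n")
    return root
```

Any hit should be confirmed by hand (the page's own advice is a virus scanner), and the three StartUp items plus the Chode directory are exactly what the repair notes above say to delete.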
Write-up by: Raul K. Elnitiarta and info at SOPHOS and McAfee
Updated: April 1, 2000 No joke
Personally, I think you can remove this better with a virus scanner.