BAT/Firkin.A, B and C.Worm
Destructivity:
• Detected by virus detection files published: 4/2/2000
• Virus characteristics first published: 4/2/2000
• Virus characteristics latest update: 12/17/2003
• Type: Worm
• Spreading mechanism: Network
• Overall risk: Low
Spreading mechanism
Firkin spreads by copying itself to drives that are shared out and accessible to the world. Similar to the VBS/Netlog.Worm, it attempts to connect to random IP addresses. If the connection succeeds, it maps the remote drives and copies itself to the remote disk, into a hidden directory named c:\progra~1\foreskin, c:\progra~1\chode, or c:\progra~1\dickhair, depending on the version. It also copies a couple of *.PIF files to the startup directories on the remote disk in order to start the worm on the next bootup. While doing this, it also checks for the presence of earlier versions of itself, or of the VBS/Netlog worm, and removes them.

Firkin targets specific IP addresses and ISPs. The A and B variants look at the following subnets: 17.73.*.*, 165.*.*.*, 171.*.*.*, 199.*.*.*, 200.*.*.*, 205.*.*.*, 206.*.*.*, 208.*.*.*, 209.*.*.*, 216.*.*.*.

The C variant more specifically attacks several big ISPs:
• 17.73.*.* (AT&T Worldnet)
• 216.77.*.*, 216.78.*.* (BELLSouth)
• 209.244.*.*, 209.245.*.* (Level3)
• 171.222.*.* (America Online)
• 165.247.*.* (MindSpring)
• 209.179.*.* (EarthLink)
• 30.31.*.* (?)
• 206.186.*.* (Airnet Canada)
• 154.5.*.* (Psi Net Canada)
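A triage check for the traces described above, as an added example that is not part of the original description: it scans a drive root or a mounted disk image for the three directory names and for *.PIF files in startup folders. Recognising startup folders by the folder name "StartUp", the function names, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Directory names this page lists for the A, B and C variants.
WORM_DIRS = {"foreskin", "chode", "dickhair"}
# progra~1 is the 8.3 short name of "Program Files"; a mounted image shows the long name.
PROGRAM_DIRS = {"progra~1", "program files"}


def _children(path):
    """Return {lowercased name: full path}; listdir also returns hidden entries."""
    try:
        return {name.lower(): os.path.join(path, name) for name in os.listdir(path)}
    except OSError:
        return {}


def find_firkin_traces(root):
    """Scan a drive root or mounted image; return a sorted list of (kind, path)."""
    hits = []
    for name, prog in _children(root).items():
        if name in PROGRAM_DIRS and os.path.isdir(prog):
            for sub, full in _children(prog).items():
                if sub in WORM_DIRS and os.path.isdir(full):
                    hits.append(("worm_dir", full))
    # Assumption: a startup folder is any folder named "StartUp" (case-insensitive).
    # A *.PIF file there is a lead to review, not proof of infection.
    for cur, _dirs, files in os.walk(root):
        if os.path.basename(cur).lower() == "startup":
            for f in files:
                if f.lower().endswith(".pif"):
                    hits.append(("startup_pif", os.path.join(cur, f)))
    return sorted(hits)


def demo():
    """Build a constructed directory tree and scan it; paths are relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Program Files", "Chode"))
        os.makedirs(os.path.join(root, "Program Files", "Accessories"))
        start = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp")
        os.makedirs(start)
        for name in ("a.PIF", "readme.txt"):  # constructed sample files
            open(os.path.join(start, name), "w").close()
        return [(kind, os.path.relpath(p, root)) for kind, p in find_firkin_traces(root)]


if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```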