BAT.Chode.Worm
Detected as: BAT.Chode.Worm
Aliases: Chode, Foreskin, BAT911
Infection Length: Multiple batch files
Area of Infection: Shared drive
Trigger Dates: 19th of the month
Characteristics: Worm, Batch
Norton AntiVirus users can protect themselves from this
virus by downloading the current virus definitions
either through LiveUpdate or from the Download Virus
Definition Updates page.
Description
BAT.Chode.Worm is an Internet worm written as a set of BAT files.
It scans ranges of IP addresses belonging to known ISPs for a
reachable computer. If that computer's C drive is shared without
a password, the worm copies its files onto it.
Technical Description
BAT.Chode.Worm uses multiple BAT files and some system programs to spread itself
over an Internet connection. It scans ranges of IP addresses belonging to known
ISPs for a reachable computer. If a reachable computer has a shared drive that is
not password protected, the worm checks the share for the file WINDOWS\WIN.COM.
If that file is present, the worm assumes the share is the other computer's C
drive and copies its files into that computer's C:\PROGRA~1\CHODE directory.
The main batch file assumes it is running from the C:\PROGRA~1\CHODE directory.
When launched, it searches for an accessible subnet at several ISPs:
att.net (ATT Worldnet)
bellsouth.net (BellSouth Net)
level3.net (Level3 Net)
aol.com (America Online)
mindspring.com (Mindspring)
earthlink.net (Earthlink)
air.on.ca (Air.Internet in Canada)
psi.net (PSInet)
Note: Connecting through one of these ISPs does not by itself make your computer
vulnerable to this worm. Your computer is vulnerable to this worm (and to other
intrusions) if its shared resources are not properly protected. The worm can only
spread to a computer that exposes a shared drive with write access and no password.
Once the worm finds an accessible subnet, it searches that subnet for an
accessible shared drive. If the subnet contains no accessible shared drive, it
repeats the subnet search above.
Once the worm finds an accessible shared drive, it performs the quick WIN.COM test
described above to decide whether the share is the C drive. If it is, the worm
maps the shared drive.
After mapping the drive, the worm checks that it has not already infected the
mapped drive. During this check it also looks for and removes VBS.Network, a worm
written in VBScript. It then verifies that the drive is writable and copies its
files to the other computer.
While copying its files to the other computer, it adds the following:
A call to a batch file that dials 911 with the computer's modem, added to C:\AUTOEXEC.BAT. This modification is made in one out of five infections.
ASHIELD.PIF in the Programs\StartUp folder of the infected machine. This PIF file hides the worm when it is launched.
NETSTAT.PIF in the Programs\StartUp folder of the infected machine. This PIF file hides the netstat utility that the worm uses.
WINSOCK.VBS in the Programs\StartUp folder of the infected machine. This VBS file carries the payload.
A record of the infection in the file C:\PROGRAM FILES\chode\chode.txt on the source (infecting) computer.
The worm also uses a freeware utility to hide its activity. The utility is a
Win32 program that the worm names ASHIELD.EXE. Because it is a legitimate
program, NAV does not detect this utility.
Payload
WINSOCK.VBS is launched from the StartUp folder each time Windows starts on an
infected computer. On the 19th of the month, the script deletes files from the
following directories:
C:\windows
C:\windows\system
C:\windows\command
C:\
Then, it displays two message boxes:
You Have Been Infected By Chode
You may now turn this piece of sh*t off!
Repair Notes
Delete the C:\Program Files\Chode directory.
Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\ASHIELD.PIF
Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NETSTAT.PIF
Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINSOCK.VBS
Check C:\AUTOEXEC.BAT for the line that calls the 911-dialing batch file (added in one out of five infections) and remove it.
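The artifacts listed in the Technical Description and Repair Notes above can be checked with the following added Python script. It is not part of this writeup or of the worm; it scans the root of a mounted or copied C: volume for the CHODE directory, the three StartUp items and the AUTOEXEC.BAT change. Two points are assumptions of mine, not statements from the writeup: that the 911-dialing batch file CALLed from AUTOEXEC.BAT lives in the worm's directory (so any reference to CHODE in AUTOEXEC.BAT is treated as an indicator), and the filename DIAL.BAT used in the constructed sample tree.

```python
"""Host-based indicator check for the BAT.Chode.Worm artifacts named in this writeup.

Added example, not the writeup's or the worm's own code. Matching is
case-insensitive because the worm targets FAT volumes (case-insensitive) while
the scan may run against an image mounted on a case-sensitive host.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Artifacts named in the writeup, relative to the root of the scanned volume.
# Both the 8.3 and long forms of Program Files are checked: the worm copies
# itself to C:\PROGRA~1\CHODE and logs to C:\Program Files\chode\chode.txt.
WORM_DIRS = ("PROGRA~1/CHODE", "Program Files/chode")
STARTUP_DIR = "WINDOWS/START MENU/PROGRAMS/STARTUP"
STARTUP_FILES = ("ASHIELD.PIF", "NETSTAT.PIF", "WINSOCK.VBS")
AUTOEXEC = "AUTOEXEC.BAT"
# Assumption (not from the writeup): the 911-dialing batch file CALLed from
# AUTOEXEC.BAT lives in the worm directory, so a CHODE reference is an indicator.
AUTOEXEC_PATTERN = re.compile(r"chode", re.IGNORECASE)


def _resolve_ci(root: Path, rel: str) -> Optional[Path]:
    """Walk `rel` below `root`, matching each path component case-insensitively."""
    cur = root
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur


def scan_volume(root) -> List[str]:
    """Return one finding per artifact found; an empty list means no indicators."""
    root = Path(root)
    findings = []
    seen = set()  # PROGRA~1 and "Program Files" resolve to one directory on Windows
    for rel in WORM_DIRS:
        p = _resolve_ci(root, rel)
        if p is not None and p.is_dir() and p.resolve() not in seen:
            seen.add(p.resolve())
            contents = sorted(c.name for c in p.iterdir())
            findings.append(f"worm directory {rel} present, contains {contents}")
    for name in STARTUP_FILES:
        p = _resolve_ci(root, f"{STARTUP_DIR}/{name}")
        if p is not None and p.is_file():
            findings.append(f"startup item {name} present")
    autoexec = _resolve_ci(root, AUTOEXEC)
    if autoexec is not None and autoexec.is_file():
        for lineno, line in enumerate(autoexec.read_text(errors="replace").splitlines(), 1):
            if AUTOEXEC_PATTERN.search(line):
                findings.append(f"AUTOEXEC.BAT line {lineno} references worm directory: {line.strip()}")
    return findings


def build_constructed_victim(root) -> None:
    """Populate `root` with a constructed infected layout (sample data, not a real capture)."""
    root = Path(root)
    worm_dir = root / "PROGRA~1" / "CHODE"
    worm_dir.mkdir(parents=True)
    (worm_dir / "chode.txt").write_text("infection log (constructed)\n")
    startup = root / "WINDOWS" / "Start Menu" / "Programs" / "StartUp"
    startup.mkdir(parents=True)
    for name in STARTUP_FILES:
        (startup / name.lower()).write_bytes(b"placeholder")  # constructed placeholder content
    (root / "AUTOEXEC.BAT").write_text(
        "@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
        "CALL C:\\PROGRA~1\\CHODE\\DIAL.BAT\n"  # DIAL.BAT is a constructed name; the writeup gives none
    )


def run_demo():
    """Scan a constructed infected tree and a clean tree; returns (infected, clean) findings."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        build_constructed_victim(infected)
        Path(clean, "WINDOWS", "START MENU", "PROGRAMS", "STARTUP").mkdir(parents=True)
        Path(clean, "AUTOEXEC.BAT").write_text("@ECHO OFF\nPATH C:\\WINDOWS\n")
        return scan_volume(infected), scan_volume(clean)


if __name__ == "__main__":
    hits, none = run_demo()
    print("\n".join(hits) or "no indicators")
    print(f"clean tree: {len(none)} findings")
```

To check a real machine, call scan_volume() with the mount point or drive root of the C: volume; the AUTOEXEC.BAT check will also match a legitimate line that merely mentions the directory, so review the reported line before removing it.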