An Internet worm is on the loose that assumes control of a system’s modem, dials 911, and deletes files from multiple vital directories. The virus also uses multiple BAT files and system programs to propagate across an Internet connection, according to Symantec’s AntiVirus Research Center.

BAT.Chode.Worm, which also places directories named chode, foreskin, or dickhair on infected systems, searches a range of IP addresses to find computers with shared C: drives. If shared C: drives are found on another system, the virus copies itself to that system.

Apparently, the virus originated in the Houston area. It has already destroyed data on infected systems, according to Sunbelt Software’sW2Knews report .

When the worm is launched, it searches for accessible subnets from several well-known ISPs, including AT&T, BellSouth, Level(3), America Online, EarthLink, and PSInet.

The worm makes several changes to a system:

  • It places a call to a batch file in the AUTOEXEC.BAT file that dials 911.
  • It places ASHIELD.PIF in the Program-StartUp of the infected machine in order to hide itself when it launches itself.
  • It places NETSTAT.PIF in the same location to hide the NETSTAT program it triggers.
  • It places WINSOCK.VBS in the same location as ASHIELD.PIF.

The actual infection is logged to C:\PROGRAM FILES\chode\chode.txt.

WINSOCK.VBS is the payload file. It waits until the 19th of the month to delete C:\WINDOWS, C:\WINDOWS\SYSTEM, C:\WINDOWS\COMMAND, and C:\ files.

The Symantec AntiVirus Research Center has directions for removing the worm from infected machines. Click here to visit Symantec’s site and find more information on this potentially devastating virus.

Have a comment?

If you’d like to share your opinion, please post a comment below or send the editor an e-mail.