Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload: (see Payload Details below)
Detection files published: 01 Apr 2000 02:00:00
Description created: 01 Apr 2000 02:00:00
Description updated: 08 Nov 2001 02:22:00
Malware type: WORM
Alias: (none listed)
Spreading mechanism: NETWORK
Summary: None

BAT/Firkin.A, B and C.Worm

Spreading

Firkin spreads by copying itself to drives that are shared and accessible to anyone on the network. Like VBS/Netlog.Worm, it attempts to connect to random IP addresses; when a connection succeeds, it maps the remote drives and copies itself to the remote disk, into a hidden directory named c:\progra~1\foreskin, c:\progra~1\chode, or c:\progra~1\dickhair, depending on the variant.

It also copies a couple of *.PIF files to the startup directories on the remote disk so that the worm is started at the next boot.

While doing this, it also checks for earlier versions of itself, or for the VBS/Netlog worm, and removes them.

Firkin targets specific IP address ranges and ISPs.

The A and B variants scan the following ranges: 17.73.*.*, 165.*.*.*, 171.*.*.*, 199.*.*.*, 200.*.*.*, 205.*.*.*, 206.*.*.*, 208.*.*.*, 209.*.*.*, 216.*.*.*.

The C variant targets several large ISPs more specifically:
17.73.*.* (AT&T Worldnet)
216.77.*.*, 216.78.*.* (BellSouth)
209.244.*.*, 209.245.*.* (Level3)
171.222.*.* (America Online)
165.247.*.* (MindSpring)
209.179.*.* (EarthLink)
30.31.*.* (?)
206.186.*.* (Airnet Canada)
154.5.*.* (PSINet Canada)
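As an added example (not code from this page, from Lumension, or from the worm itself), the Python below turns the wildcard ranges listed above into CIDR networks and uses them to answer two questions a responder has: does a given address fall inside the ranges a variant would probe, and which internal host is generating connection attempts into those ranges, which is what an infected machine looks like from inside a network. The log line format ("src -> dst:port"), the port 139 in the sample lines and the threshold of three hits are assumptions for the example; the advisory does not say which port the worm connects to.

```python
import ipaddress

# Address ranges copied from the advisory, in its wildcard notation.
AB_RANGES = ["17.73.*.*", "165.*.*.*", "171.*.*.*", "199.*.*.*", "200.*.*.*",
             "205.*.*.*", "206.*.*.*", "208.*.*.*", "209.*.*.*", "216.*.*.*"]
C_RANGES = {
    "17.73.*.*": "AT&T Worldnet",
    "216.77.*.*": "BellSouth", "216.78.*.*": "BellSouth",
    "209.244.*.*": "Level3", "209.245.*.*": "Level3",
    "171.222.*.*": "America Online",
    "165.247.*.*": "MindSpring",
    "209.179.*.*": "EarthLink",
    "30.31.*.*": "unknown (listed as '?' in the advisory)",
    "206.186.*.*": "Airnet Canada",
    "154.5.*.*": "PSINet Canada",
}


def wildcard_to_network(spec):
    """Convert 'a.b.*.*' to the IPv4Network it denotes.

    Only trailing wildcards are accepted: that is the only form the advisory
    uses, and a fixed octet after a '*' would not be a single CIDR block.
    """
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {spec}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(int(octet))
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcard must be trailing: {spec}")
    base = fixed + [0] * (4 - len(fixed))
    return ipaddress.IPv4Network(
        ".".join(str(o) for o in base) + f"/{8 * len(fixed)}")


AB_NETS = [wildcard_to_network(s) for s in AB_RANGES]
C_NETS = [(wildcard_to_network(s), isp) for s, isp in C_RANGES.items()]


def targeted_by(ip):
    """Which variants would pick this address, and (for C) which ISP range."""
    addr = ipaddress.IPv4Address(ip)
    in_ab = any(addr in net for net in AB_NETS)
    isp = next((name for net, name in C_NETS if addr in net), None)
    return {"AB": in_ab, "C": isp}


def scanner_candidates(log_lines, threshold=3):
    """Count, per source host, outbound connection attempts whose destination
    lies in a Firkin target range; sources at or above the threshold are
    returned as likely infected scanners. The log format ('src -> dst:port')
    is constructed for this example, not taken from the advisory or any tool.
    """
    counts = {}
    for line in log_lines:
        src, rest = line.split(" -> ")
        dst = rest.rsplit(":", 1)[0]
        hit = targeted_by(dst)
        if hit["AB"] or hit["C"]:
            counts[src] = counts.get(src, 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample log: one internal host probing four target ranges,
# one host talking to an address outside all of them.
SAMPLE_LOG = [
    "192.0.2.10 -> 17.73.4.5:139",
    "192.0.2.10 -> 216.77.8.9:139",
    "192.0.2.10 -> 209.245.1.1:139",
    "192.0.2.10 -> 154.5.2.2:139",
    "192.0.2.77 -> 198.51.100.20:139",
]

if __name__ == "__main__":
    print(wildcard_to_network("165.*.*.*"))
    print(targeted_by("17.73.1.2"))
    print(scanner_candidates(SAMPLE_LOG))
```

Note that the C ranges are mostly subsets of the A/B ranges (17.73, 165.247, 171.222, 206.186, 209.x and 216.77/78 all lie inside them), so an address in, say, 216.77.0.0/16 is a target for all three variants, while 30.31.*.* and 154.5.*.* are reached only by variant C.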

Payload Details

Firkin carries a set of dangerous payloads. Most of them are appended as batch commands to the AUTOEXEC.BAT file on the remote drive while Firkin is infecting it. The payloads are not always added; whether they are is decided by a random function.

They differ somewhat between the A, B and C variants:

A variant:
1/6 probability: dials 911 (tries COM1-COM4)
3/6 probability: does nothing
2/6 probability: formats drives H, G, F, E, D, C and prints:
"You have been sLamMeD By fOREsKIN mOThERfUCKER"

B variant:
1/7 probability: dials 911 on COM1
1/7 probability: dials 911 on COM2
1/7 probability: dials 911 on COM3
1/7 probability: dials 911 on COM4
3/7 probability: formats drives H, G, F, E, D, C and prints:
"You have been sLamMeD By fOREsKIN mOThERfUCKER"

C variant:
4/7 probability: dials 911 (tries COM1-COM4)
2/7 probability: does nothing
1/7 probability: formats drives H, G, F, E, D, C and prints:
"tHE cHOdE gOTcHA yOu sTUpID mOThER fUCKeR!!!!!!!!!!!!!!"

On startup, the C variant also runs a VBScript file that checks whether the date is the 19th of any month. If it is, the script deletes files in the directories c:\windows, c:\windows\system, c:\windows\command and c:\, rendering the system unusable.
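The host-side artifacts described on this page (the directory under c:\progra~1, the *.PIF files in a startup directory, and the payload commands appended to AUTOEXEC.BAT) can be checked with the added Python below. It is example code written for this page, not the vendor's detection logic and not the worm's own batch file. The Windows 9x Start Menu startup path, the constructed AUTOEXEC.BAT contents (the modem dial line and the format line) and the file name dropped.pif are assumptions; the banner strings are the ones quoted above, and the hidden attribute the worm sets on its directory is not checked.

```python
import os
import re
import tempfile

# Directory names from the advisory, created under c:\progra~1 on the
# victim drive (which variant uses which name is not stated on the page).
FIRKIN_DIRS = ("foreskin", "chode", "dickhair")

# The advisory only says "the startup directories"; this Windows 9x
# Start Menu path is an assumption made for the example.
STARTUP_SUBDIR = ("windows", "start menu", "programs", "startup")

# Batch-file indicators derived from the payload description: a format of a
# drive, a 911 dial through a COM port, and the two banner strings.
PATTERNS = [
    ("format-drive", re.compile(r"^\s*format\s+[a-z]:", re.I)),
    ("dial-911", re.compile(r"911.*\bcom[1-4]\b|\bcom[1-4]\b.*911", re.I)),
    ("firkin-banner", re.compile(r"sLamMeD By fOREsKIN|tHE cHOdE gOTcHA")),
]


def scan_autoexec(text):
    """Return (line number, indicator, line) for each suspicious batch line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS:
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def scan_tree(root):
    """Check one drive root (any directory) for the three host artifacts.

    Presence of one of the directory names alone is already a strong
    indicator; the hidden attribute is deliberately not required.
    """
    findings = []
    for name in FIRKIN_DIRS:
        path = os.path.join(root, "progra~1", name)
        if os.path.isdir(path):
            findings.append(("hidden-dir", path))
    startup = os.path.join(root, *STARTUP_SUBDIR)
    if os.path.isdir(startup):
        for entry in sorted(os.listdir(startup)):
            if entry.lower().endswith(".pif"):
                findings.append(("startup-pif", os.path.join(startup, entry)))
    autoexec = os.path.join(root, "autoexec.bat")
    if os.path.isfile(autoexec):
        with open(autoexec, encoding="latin-1") as fh:
            for lineno, name, line in scan_autoexec(fh.read()):
                findings.append((f"autoexec:{name}", f"line {lineno}: {line}"))
    return findings


# Constructed AUTOEXEC.BAT: the dial and format lines are illustrative
# (not quoted from the worm); the banner is the one quoted in the advisory.
SAMPLE_AUTOEXEC = "\r\n".join([
    "@echo off",
    "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
    "echo atdt911 > com1",
    "format c:",
    "echo You have been sLamMeD By fOREsKIN mOThERfUCKER",
]) + "\r\n"


def demo():
    """Build a throwaway directory tree mimicking an infected drive, then scan it."""
    root = tempfile.mkdtemp(prefix="firkin-")
    os.makedirs(os.path.join(root, "progra~1", "chode"))
    startup = os.path.join(root, *STARTUP_SUBDIR)
    os.makedirs(startup)
    open(os.path.join(startup, "dropped.pif"), "w").close()  # constructed name
    with open(os.path.join(root, "autoexec.bat"), "w", newline="") as fh:
        fh.write(SAMPLE_AUTOEXEC)
    return scan_tree(root)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:24} {detail}")
```

Run against a real drive, scan_tree would be pointed at the mounted root (for example the mount point of an imaged C: drive); the PATH line in the sample is there to show that an ordinary reference to C:\WINDOWS\COMMAND does not trip the COM-port pattern.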

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15