Virus Profile: W95/Firkin.worm

Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/22/2000
Date Added: 4/1/2000
Origin: N/A
Length: N/A
Type: Virus
Subtype: Worm
DAT Required: 4071


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of the files named in this profile; the computer calls 911.

Methods of Infection

Running this file installs the worm directly on the local machine, after which it begins scanning for available shares over the Internet.


911 Share Virus, Bat/911, Bat/Chode.worm, Chode.worm, Foreskin

Related Viruses


Virus Characteristics

NOTE: This is the same virus described in the alert that the FBI's NIPC group posted on Saturday, April 1st, 2000.

The worm starts on an infected computer when the ashield.pif and mstum.pif files are copied to the windows\startm~1\programs\startup directory and run the next time the computer is started.

A user does not need to run a VBScript file, or read an e-mail message to get infected; it spreads over open network shares.

ashield.pif runs hide.bat, which uses the utility ashield.exe to hide the window that the worm process would otherwise leave visible.

mstum.pif runs mstum.bat, the actual worm process, which runs in the background.

The first thing mstum.bat does is pause 10 seconds before doing anything. Then mstum.bat runs final.bat, which randomly selects a subnet to scan.

Each of the files A.BAT, B.BAT, C.BAT, D.BAT, E.BAT, F.BAT, G.BAT, H.BAT, I.BAT, and J.BAT contains code to scan a different part of the Internet. By randomly selecting one of those batch files, and replacing MSTUM.BAT with a copy of it, the batch file randomly selects one of the subnets to scan:


MSTUM.BAT then calls ADD.BAT, which contains the routines for stepping through IP addresses on the subnet. ADD.BAT also tries to run the file CHAOS.BAT.

When scanning, it uses the ping utility and Windows NetBIOS to look for open shares called "C". These are shared drives that users intended to share with their local network, but inadvertently shared over the entire Internet. It then tries to map the remote drive as drive "J:"!

It then tries to remove previous instances of itself, as well as the VBS/Netlog worm.

As a test, it creates the directory "zx" in the root directory of the remote drive and checks whether it was successful. If it succeeds, it copies all the worm files in the c:\progra~1\foreskin\ directory to the j:\progra~1\foreskin directory.

Then, depending on a random number, it will add the file slam.bat to the c:\autoexec.bat file of the remote machine. The next time the remote machine is started, the modified autoexec.bat will, at random, either try to call 911 on the computer's modem or try to format all the hard drives, from h:-c:, and display the message "You have been sLamMeD By fOREsKIN mOThERf*****"

Then it will copy the ashield.pif and mstum.pif files to the directory j:\windows\startm~1\programs\startup\ashield.pif

where J: is the remote drive C: that the worm mapped earlier. This means that the worm gets control the next time the victim starts their computer, since J: actually refers to the victim's drive C:.

Then it will write the text:

[Remote IP address] was sucessfully infected with foreskin

to the file c:\PROGRA~1\foreskin\cool.txt, which is used as an infection log.

The FINAL.BAT contains the comments:

REM fOREsKIN sElf rEPlIcAToR vERSION 1.07c final CHAoS (C) 2000 EMD LABS INC
REM rAndOm dEvIStAtOr
REM nOt pErFECt, bUt iT sERvES iTS pUrPosE....bAtCh fIlE pROgRAMmINg
REM sInCe tHis vIrUs uSeS aN .eXe fILe iT cAn pOtEnTiAllY sPReAD otHeR vIRuSeS oThER tHAn iTsElF...cOoL!!!
REM wAs nOt cREaTED bY tHE sAMe pERsON tHAT wROtE tHe nETwORk.vBs sHIt
REM iT wAs jUsT iN mY wAy
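
An added example (not part of the original profile or of any vendor tool): a triage check that looks under a mounted copy of a suspect C: drive for the artifacts described above, namely the foreskin directory, the two startup .pif files, a slam.bat call in autoexec.bat, and the targets recorded in cool.txt. The function names, the long-name aliases for progra~1 and startm~1, the dotted-IPv4 form of the log entry, and the sample tree are assumptions; the sample data is constructed.

```python
import re
import tempfile
from pathlib import Path

# 8.3 short names from the profile and the long names they normally alias (assumption).
ALIASES = {"progra~1": {"progra~1", "program files"}, "startm~1": {"startm~1", "start menu"}}
# "sucessfully" is the worm's own spelling; a dotted IPv4 in place of the placeholder is assumed.
LOG_RE = re.compile(r"^\[?([\d.]+)\]? was sucessfully infected with foreskin", re.I | re.M)

def resolve(root, *parts):
    """Case-insensitive lookup under root (FAT ignores case, a Linux mount of the image does not)."""
    cur = Path(root)
    for part in parts:
        wanted = ALIASES.get(part, {part})
        try:
            cur = next(e for e in cur.iterdir() if e.name.lower() in wanted)
        except (OSError, StopIteration):
            return None
    return cur

def triage(root):
    """Report which Firkin artifacts exist under a mounted copy of the suspect C: drive."""
    startup = ("windows", "startm~1", "programs", "startup")
    found = {"worm_dir": resolve(root, "progra~1", "foreskin") is not None,
             "startup_pifs": [p for p in ("ashield.pif", "mstum.pif") if resolve(root, *startup, p)],
             "autoexec_calls_slam": False, "logged_targets": []}
    autoexec = resolve(root, "autoexec.bat")
    if autoexec:  # ignore REM-commented lines that merely mention slam.bat
        found["autoexec_calls_slam"] = any(
            "slam.bat" in ln and not ln.lstrip().startswith("rem")
            for ln in autoexec.read_text(errors="replace").lower().splitlines())
    log = resolve(root, "progra~1", "foreskin", "cool.txt")
    if log:  # cool.txt is the worm's infection log
        found["logged_targets"] = LOG_RE.findall(log.read_text(errors="replace"))
    return found

def build_sample(root):  # constructed sample tree; 192.0.2.0/24 is a documentation range
    files = {"AUTOEXEC.BAT": "@echo off\nrem slam.bat\ncall c:\\progra~1\\foreskin\\slam.bat\n",
             "Program Files/foreskin/COOL.TXT": "192.0.2.17 was sucessfully infected with foreskin\n"
                                                "noise\n192.0.2.99 was sucessfully infected with foreskin\n",
             "WINDOWS/Start Menu/Programs/StartUp/MSTUM.PIF": ""}
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

Addresses recovered from cool.txt identify other machines the worm reported infecting, so they are worth passing to whoever is scoping the incident.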

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
