For immediate release
Espoo, Finland, April 2, 2000; Hong Kong, China, April 3, 2000 - F-Secure Corporation, a leading provider of centrally-managed, widely distributed security solutions, has analysed a new internet worm known as Firkin or Chode. This worm attempts to cause a denial-of-service attack against the 911 emergency hotline. F-Secure Anti-Virus detects and disinfects the worm.
Firkin is a family of closely-related internet worms. They have been written entirely in the simple DOS batch language. These worms replicate further over the internet, infecting Windows-based computers which have their hard drive shared to the world. Many users accidentally share their whole hard drive and when they connect to the internet, anybody can access it. The worm uses this vulnerability to spread further.
When the Firkin worm is started, it searches a wide range of machines connected to the Internet. The search is targeted at computers using some of the largest ISPs (Internet Service Providers) in the world, including AT&T, America Online, MCI and Earthlink.
The worm scans every machine to find one which has shared its hard drive. When such a system is found, the worm copies itself to the target computer and modifies its system in such a way that the worm is executed the next time the system is booted.
At this time, the worm might add a routine that calls the 911 emergency number using a modem every time the infected system is booted. This routine is injected into the host system at random and is not present in every infected computer.
The result of this routine is that every time such a system is restarted, the computer silently places a normal phone call to 911. Since it is standard procedure in many locations for the emergency services to dispatch a unit to the location of an incoming 911 call, the results can be quite serious, possibly causing delays in responding to real calls.
Depending on the exact variant of the worm, it might also attempt to delete all files from several directories on the computer and display messages on screen. The deletion of files is programmed to happen on the 19th of every month.
The worm code contains several text strings, including:
fOREsKIN sElf rEPlIcAToR vERSION 1.07c final CHAoS
(C) 2000 EMD LABS INC rAndOm dEvIStAtOr
nOt pErFECt, bUt iT sERvES iTS pUrPosE....bAtCh fIlE pROgRAMmINg
The FBI discovered one variant of this worm during a 'recent and breaking' case.
"This is a serious denial-of-service attack against the 911 emergency system," comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "The only bright side to the situation is that this worm is unlikely to cause damage outside North America". The ISPs the worm is attacking operate mainly in the USA, and 911 is used as an emergency number primarily in North America.
"The maliciousness or irresponsibility of the writer or writers of this worm is astounding," commented Allan Dyer, Technical Director of Yui Kee Co. Ltd. "We are fortunate that it is unlikely to affect us in Hong Kong, both because of the ISPs targeted and the emergency number used."
Infected systems can easily be spotted by checking whether the "C:\Program Files" folder contains a new hidden folder called either "Chode", "Foreskin" or "Dickhair". To see hidden folders with Windows Explorer, turn on the "Show all files" setting from Explorer options.
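The folder check described above can also be scripted. The following is an added example, not F-Secure's code: it lists the three folder names directly under a "Program Files" directory, matching case-insensitively, and reports the hidden attribute where the operating system exposes it. The function names and the idea of pointing it at a mounted drive are assumptions of the example.

```python
import os
import stat
import tempfile

# Folder names the advisory lists as signs of infection (compared case-insensitively).
FIRKIN_FOLDERS = {"chode", "foreskin", "dickhair"}

def is_hidden(path):
    """True/False from the Windows hidden attribute; None when the host cannot report it."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:  # non-Windows host, e.g. when inspecting a mounted drive
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def find_firkin_folders(program_files):
    """Return sorted [(path, hidden)] for suspect folders directly under program_files."""
    hits = []
    with os.scandir(program_files) as entries:
        for entry in entries:
            # Only directories count; a file with the same name is not the indicator.
            if entry.is_dir(follow_symlinks=False) and entry.name.lower() in FIRKIN_FOLDERS:
                hits.append((entry.path, is_hidden(entry.path)))
    return sorted(hits)

def demo():
    """Run the check against a constructed directory tree (sample data, not a real system)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("Accessories", "CHODE", "foreskin"):
            os.mkdir(os.path.join(root, name))
        open(os.path.join(root, "Dickhair"), "w").close()  # a file, so it is ignored
        return [os.path.basename(p) for p, _ in find_firkin_folders(root)]

if __name__ == "__main__":
    import sys
    # Assumed default path; pass another directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files"
    for path, hidden in find_firkin_folders(target):
        print(f"SUSPECT {path} hidden={hidden}")
```

A hit is reported whether or not the hidden attribute is set, since the attribute may have been cleared or may be unreadable on the inspecting host.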
F-Secure Anti-Virus can be used to detect and disinfect this worm. Free evaluation copies of F-Secure Anti-Virus are available at:
http://www.F-Secure.com/download-purchase/
Further technical information on the Firkin worm is available at:
http://www.F-Secure.com/v-descs/firkin.shtml
Information from the FBI on the Firkin worm was available at:
http://www.nipc.gov/nipc/advis00-038.htm
Founded in 1988, F-Secure Corporation is listed on the Helsinki Stock Exchange (HEX: FSC). The company is headquartered in Espoo, Finland with North American headquarters in San Jose, California, as well as offices in Canada, Germany, China, France, Japan and the United Kingdom. F-Secure Corporation is supported by a network of VARs and Distributors in over 90 countries around the globe.
For further information, please contact
Hong Kong:
Yui Kee Co. Ltd.
Mr. Allan Dyer, Technical Director
Tel: +852 28708555
Fax: +852 28736164
Email: adyer@yuikee.com.hk
http://www.yuikee.com.hk/
Finland:
F-Secure Corporation
Mr. Mikko Hypponen, Manager, Anti-Virus Research.
PL 24
FIN-02231 ESPOO
Tel +358 9 8599 0513
Fax +358 9 8599 0599
E-mail: Mikko.Hypponen@F-Secure.com
USA:
F-Secure Inc.
Mr. Dan Takata, Manager, Training Division, Professional Services
675 N. First Street, 8th Floor
San Jose, CA 95112
Tel. +1 408 938 6700
Fax +1 408 938 6701
E-mail: Dan.Takata@F-Secure.com