Slashdot Mirror


WebTV/MSNTV Virus Dials 911

Semji Rkim writes: "Though not the first virus to direct modems at 911, ABC News is reporting a bug in WebTV (now branded as MSNTV) units which causes the infected unit to hang up and dial 911. The virus spreads via email, and Microsoft officials are looking into how it is able to replicate and also control the modem. Affected users are advised to delete the email and call Microsoft at 1-800-469-3288."

7 of 515 comments

  1. ATH0 by HanzoSan · · Score: 5, Informative


    Any knowledgeable hacker knows about ATH0; it affects around 50 percent of 56k/33/28 modems.

    With this, I was able to hang up people's connections and even make them dial phone numbers; you send the modem commands and, because of a bug, the modems obey the commands.

    It's not a virus. It's something that's been going on for years; it's an old trick/exploit/hack.

    --
    If you use Linux, please help development of Autopac
    1. Re:ATH0 by Mr+Guy · · Score: 3, Informative

      Actually, a later hit was more interesting: Explanation of what is happening

    2. Re:ATH0 by Neon+Spiral+Injector · · Score: 4, Informative

      That's why good PPP implementations escape the '+' character. And why smart people include "S2=255" in their init string. The S2 register defaults to 43. (The decimal value for the '+' character.) Setting it to 255 disables the "+++" feature. Of course, without being able to go "+++" (wait) "ATH0" you need to be able to hang up the modem by manipulating the control lines (which most programs can do). Oh, I say "wait" 'cause good modems require a 3 second pause after the "+++" to enter command mode. I think that is how some modems go unaffected, as you can't get the "+++" to be the only thing sent for 3 seconds and then continue with the commands.

      Ah the old BBS days. I remember some fool on the local board I hung out on had some crappy term program that would hang up if it saw "NO CARRIER" at the start of a line. Now why would a communication program issue an ATH0 after the carrier had been dropped?

  2. Re:This is serious by HanzoSan · · Score: 5, Informative



    Yeah, it's wrong to tie up 911, but 911 is the only number which could fit into the command string for ATH0.

    Yes, it's ATH0, not a virus.

    ATH0 Exploit

    ATH0 info

    --
    If you use Linux, please help development of Autopac
  3. Re:This is serious by jat850 · · Score: 3, Informative

    Hmm, maybe if there was any mention of the death penalty in that legislation. But there wasn't. :)

    --
    the blood has stopped pumping, and he's left to decay
    the me that you know is now made up of wires
  4. Re:Nice troll. by Ungrounded+Lightning · · Score: 3, Informative
    I could be wrong, but I don't think that's how it works. I thought the trick was to get the 'target' to _send_ the +++ATH0, not just recv it.

    If I read this right:

    You send him a ping (ICMP echo request) with the modem command in the payload.

    He sends you a ping response (ICMP echo reply) with that same modem command in the reply's payload. He just sent it to the modem.

    If he's on a PPP/slip link it looks to the modem like a command embedded in the stream.

    If the modem doesn't correctly ignore commands where there isn't a minimum half-second pause (with no transitions whatsoever - even start/stop bits) between the +++ and the ATH, you got him.

    Of course if YOU'RE on PPP/slip on a serial link you have to be careful that YOUR modem doesn't hang up and dial 911, too. B-)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
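
Added example, not part of the thread or any poster's code: a Python check that flags ICMP echo messages whose payload carries the in-band escape followed by an AT command, the pattern the comments above discuss. The function names and sample packets are constructed for illustration; the `s2` parameter models the S2 register mentioned above, assuming the standard Hayes behaviour that values above 127 disable the escape.

```python
import re
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def escape_pattern(s2=43):
    """Regex for <esc><esc><esc>AT...; None when S2 disables the escape."""
    if not 0 <= s2 <= 255:
        raise ValueError("S2 is an 8-bit register")
    if s2 > 127:  # assumption: standard Hayes behaviour, e.g. S2=255
        return None
    esc = re.escape(bytes([s2]))
    return re.compile(esc + rb"{3}AT[^\r\n]*", re.IGNORECASE)


def scan_payload(payload, s2=43):
    """Return (offset, matched bytes) for each in-band escape + AT command."""
    pattern = escape_pattern(s2)
    if pattern is None:
        return []
    return [(m.start(), m.group(0)) for m in pattern.finditer(payload)]


def scan_icmp_echo(packet, s2=43):
    """Scan an ICMP message (no IP header) if it is an echo request/reply."""
    if len(packet) < 8:
        return []
    icmp_type, _code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []
    return scan_payload(packet[8:], s2)


# Constructed samples: echo request header (checksum left 0, not validated
# here) followed by a payload; SAMPLE contains the string quoted in the thread.
SAMPLE = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + b"abcd+++ATH0\rxyz"
BENIGN = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 2) + b"2+2+1=5, at last"

if __name__ == "__main__":
    for name, pkt in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, scan_icmp_echo(pkt), scan_icmp_echo(pkt, s2=255))
```

A hit only means the bytes are present in the payload; whether a given modem acts on them depends on how it handles the pause around the escape, as the comments above describe.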
  5. Re:How much longer until 1-900? by Jucius+Maximus · · Score: 3, Informative
    "How much longer will it be before unscrupulous 900 number operators enlist people to alter this virus to make it dial their numbers? Given that it takes a month to get a phone bill, the culprits can close up shop and move on long before anyone even realizes there is a problem..."

    It's been done. I remember reading in the newspapers about pr0n sites that asked you to download their special pr0n viewer program. The thing is, this viewer program actually did view the adult content. It also turned off your modem's speaker and dialed some pay-per-minute line in Russia. But since you were looking at pr0n, you would probably spend quite a while racking up charges without noticing anything was amiss until your next phone bill.