The Firkin worm family appeared at the beginning of April 2000. Three variants of this worm already exist. All of these variants spread via local networks. The worm is also known as the '911 virus', because it has a specific payload routine that calls 911 if a modem is present in an infected system.


Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.


Technical Details

The worm is written in DOS Batch language (the worm's components are mostly BAT files) and it uses DOS box commands and a few external utilities to perform the infection. Firkin is a multi-component worm: the worm itself is not just a single file, but a set of DOS batch files, PIF files (Program Information Files used to start DOS programs under Windows) and some additional components.

After being run, the worm installs its startup component (a PIF file) to the Windows startup folder ('Start Menu\Programs\Startup'). When Windows boots up, this PIF file activates the main worm component, a special routine in the worm's main BAT component. This routine initializes the random counter and the IP address counter, hides its window (DOS box window) with the help of an additional utility and then proceeds to the infection loop. During this loop the worm generates a large number of IP addresses and pings (tries to resolve) all of them. This is a time-consuming task, but it is processed in the background and as a result it is not visible to the user.

[Screenshot: the worm's process window when maximized]

When an IP address is resolved, the worm identifies all shared resources on the PC associated with that address. If there are drives shared with full access rights (reading and writing), the worm looks for the Windows directory on that drive and installs itself there. The worm then creates a new folder in the 'Program Files' directory, copies its files there and adds a PIF file to the Windows startup folder to be activated on the remote computer on its next startup.

The worm is able to spread itself only if Windows is installed in the directory named C:\WINDOWS\, so if this directory name is different or if Windows is installed on another drive, the worm fails to spread itself. The worm will not work under Windows NT as it has a different startup directory path.

The worm has a dangerous payload routine. Depending on its random counter, the worm either formats hard drives or dials '911' using a modem if one is installed on the COM1 - COM4 ports. One of the worm's versions sends dial commands to all these ports regardless of modem presence in the infected system.

Several variants of this worm are known and all of them operate the same way as described above, only with some minor differences:

The worm's directory:

'Firkin.a,b': C:\PROGRA~1\FORESKIN\ (C:\Program Files\FORESKIN\)

'Firkin.c': C:\PROGRA~1\CHODE\ (C:\Program Files\CHODE\)

The worm's components and additional utilities:


A,B,C,D,E,F,G,H,I,J,ADD,FINAL,HIDE,SLAM - all are BAT files

ASHIELD.EXE, ASHIELD.PIF - utility that hides worm window

MSTUM.BAT, MSTUM.PIF - main worm's BAT and PIF files


A,B,C,D,E,F,G,H,I,J,ADD,ZULU,HIDE,SLAM - all are BAT files

ASHIELD.EXE, ASHIELD.PIF - utility that hides worm window

MSTUM.BAT, MSTUM.PIF - main worm's BAT and PIF files


ADD, RANDOM - additional BAT files

ASHIELD.EXE, ASHIELD.PIF - utility that hides worm window

CHODE.BAT, NETSTAT.PIF - main worm's BAT and PIF files
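
The directory and component names listed above can be used to sweep a mounted drive or disk image for traces of the worm. The following is an added example, not part of the original description or of any F-Secure tool; the function names are hypothetical, and because the description does not say which PIF is placed in the Startup folder, every listed PIF name is checked there (assumption).

```python
import os
import tempfile

# Indicators taken from the description above. Which PIF lands in Startup is
# not stated there, so all listed PIF names are checked (assumption).
WORM_DIRS = ("FORESKIN", "CHODE")
WORM_PIFS = {"ASHIELD.PIF", "MSTUM.PIF", "NETSTAT.PIF"}
WORM_FILES = WORM_PIFS | {"ASHIELD.EXE", "MSTUM.BAT", "CHODE.BAT"}
STARTUP = ("WINDOWS", "Start Menu", "Programs", "Startup")


def resolve(root, parts):
    """Walk `parts` under `root` ignoring case (FAT names on a case-sensitive mount)."""
    path = root
    for part in parts:
        names = os.listdir(path) if os.path.isdir(path) else []
        match = next((n for n in names if n.upper() == part.upper()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path


def scan_volume(root):
    """Return sorted (kind, path relative to root) findings for one mounted volume."""
    findings = []
    for parent in ("Program Files", "PROGRA~1"):  # long and 8.3 form
        for name in WORM_DIRS:
            d = resolve(root, (parent, name))
            if d and os.path.isdir(d):
                findings.append(("worm_dir", os.path.relpath(d, root)))
                findings += [("component", os.path.relpath(os.path.join(d, f), root))
                             for f in os.listdir(d) if f.upper() in WORM_FILES]
    startup = resolve(root, STARTUP)
    if startup and os.path.isdir(startup):
        findings += [("startup_pif", os.path.relpath(os.path.join(startup, f), root))
                     for f in os.listdir(startup) if f.upper() in WORM_PIFS]
    return sorted(set(findings))


def demo():
    """Build a constructed directory tree (empty files only) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("Program Files/chode/CHODE.BAT", "Program Files/chode/readme.txt",
                    "WINDOWS/Start Menu/Programs/StartUp/netstat.pif"):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return scan_volume(root)
```

Call `scan_volume()` with the mount point of the volume under examination. A match is based on names only, so treat it as a lead to confirm with a scanner rather than as proof of infection.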
