[27703] in North American Network Operators' Group
Re: Trojan Alert was: Check this I did geektools owns
daemon@ATHENA.MIT.EDU (Henry R. Linneweh)
Thu Mar 9 15:58:22 2000
Message-ID: <38C80E0B.1EB76FB5@concentric.net>
Date: Thu, 09 Mar 2000 12:48:11 -0800
From: "Henry R. Linneweh" <linneweh@concentric.net>
Reply-To: linneweh@concentric.net
MIME-Version: 1.0
To: Kai Schlichting <kai@pac-rim.net>
Cc: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
Whois:
Server:
Server used for this query: [ rs.domainbank.net ]
Registrant:
Shawn Morris (DNBDN-42513)
9211 S. Pulaski Rd.
Evergreen Park, Illinois 60805
USA
Domain: SMORRIS.COM
Registrar: DomainBank.com
Administrative, Technical, Zone Contact:
Morris, Shawn (DB-MSH10) smorris@verio.net
(708)422-7464 (FAX)(312)621-7401
Record created on 12-12-1999
Record expires on 12-12-2001
Database last updated 03-09-2000 03:44:38 PM
Domain servers in listed order:
NS1.MW.VERIO.NET 209.107.64.34
NS1.WWA.COM 198.49.174.58
http://www.domainbank.net/
===============================================
Kai Schlichting wrote:
> Can someone with a lucky hand in Visual Basic actually tell us what
> the trojan attachment we saw (LINKS2.VBS) actually does (full mail headers
> included, in case Shawn hasn't seen them yet)?
> Seems to cloak itself well, and my Norton AV is *not* detecting anything.
>
> On another operational note: I am seeing a vastly swelling number
> of customers falling victim to the NETWORK.VBS worm: a simple VB script
> that first scans surrounding network space for open, writable windows
> shares (and replicates by copying itself into a shared C:\ drive, if
> such drive is shared), then goes on to randomly scan /24's, where the
> 3 first octets of the IP number are random: this is generating
> boatloads of violations in my "no RFC1918 in or out" filters (and
> this is how this came to my attention).
>
> We found a user who had scanned a stunning 9980 /24's this way: there
> is a C:\network.log (or was it .txt) file showing the scan activity.
>
> bye, Kai
>
> >Received: from conti.nu (IDENT:root@sonet.conti.nu [208.241.100.25])
> > by speedus.com (8.9.3/8.9.3) with ESMTP id PAA23318
> > for <kai@mail.speedus.net>; Thu, 9 Mar 2000 15:12:02 -0500 (EST)
> >Received-Date: Thu, 9 Mar 2000 15:12:02 -0500 (EST)
> >Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
> > by conti.nu (8.9.3/8.9.3) with ESMTP id PAA17489
> > for <kai@pac-rim.net>; Thu, 9 Mar 2000 15:11:50 -0500 (EST)
> >Received: by segue.merit.edu (Postfix)
> > id 15D935DDA5; Thu, 9 Mar 2000 15:08:12 -0500 (EST)
> >Delivered-To: nanog-outgoing@merit.edu
> >Received: by segue.merit.edu (Postfix, from userid 56)
> > id EE69F5DDE2; Thu, 9 Mar 2000 15:08:11 -0500 (EST)
> >Received: from astro.smorris.com (astro.smorris.com [157.238.77.132])
> > by segue.merit.edu (Postfix) with ESMTP id B9C0D5DDA5
> > for <nanog@merit.edu>; Thu, 9 Mar 2000 15:08:08 -0500 (EST)
> >Received: from scooby (scooby.smorris.com [157.238.77.131])
> > by astro.smorris.com (8.9.3/8.9.3) with SMTP id OAA04495;
> > Thu, 9 Mar 2000 14:01:25 -0600
> >From: "Shawn Morris" <shawn@smorris.com>
> >To: <shawn@smorris.com>
> >Subject: Check this
> >Date: Thu, 9 Mar 2000 14:05:58 -0600
> >Message-ID: <001f01bf8a02$e2d6d140$834dee9d@scooby>
> >MIME-Version: 1.0
> >Content-Type: multipart/mixed;
> > boundary="----=_NextPart_000_001C_01BF89D0.98395400"
> >X-Priority: 3 (Normal)
> >X-MSMail-Priority: Normal
> >X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> >X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
> >Importance: Normal
> >Sender: owner-nanog@merit.edu
> >Precedence: bulk
> >Errors-To: owner-nanog-outgoing@merit.edu
> >X-Loop: nanog
> >X-UIDL: a6afd5395e4e1808e17ac7358522b210
> >
> >Have fun with these links.
> >Bye.
--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX |
|--------------------------------------------|
Henry R. Linneweh
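The share-scanning behaviour Kai describes (a host probing one random /24 after another for open Windows shares, many of those /24s falling inside RFC1918 space and tripping the "no RFC1918 in or out" filters) can be turned into a simple detection over the filter's deny log. The script below is an added example and is not code from this thread or from any of the posters. It assumes a one-entry-per-line "deny <src> <dst> <dport>" log format, uses documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) for the constructed sample, and treats TCP 139 and 445 as the "Windows share" ports; none of those specifics come from the thread.

```python
"""Flag internal hosts whose denied share-port traffic fans out across many
distinct /24s, the pattern produced by the random-/24 scanner described in
the thread.  Added example; log format and sample addresses are constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample filter log: "deny <src> <dst> <dport>" per line.
# The format is an assumption for this example; real filter logs differ.
SAMPLE_LOG = """\
deny 192.0.2.10 10.37.4.1 139
deny 192.0.2.10 10.37.4.2 139
deny 192.0.2.10 10.37.4.3 139
deny 192.0.2.10 172.20.9.5 139
deny 192.0.2.10 172.20.9.6 139
deny 192.0.2.10 192.168.77.1 139
deny 192.0.2.10 192.168.77.2 139
deny 192.0.2.10 203.0.113.4 139
deny 192.0.2.10 203.0.113.5 139
deny 192.0.2.20 192.0.2.55 139
deny 192.0.2.20 198.51.100.9 80
this line is garbage and must be skipped
"""

# The three RFC1918 private ranges that a "no RFC1918 in or out" filter drops.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports used for Windows file sharing (NetBIOS session and direct-hosted SMB).
# Assumption: the thread does not name the ports the worm probes.
SHARE_PORTS = {139, 445}


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def parse_line(line: str):
    """Return (src, dst, dport) for a well-formed deny line, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[0] != "deny":
        return None
    _, src, dst, port = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, int(port)
    except ValueError:
        return None


def summarize(lines):
    """Per source host: distinct destination /24s, total and RFC1918 hits
    on share ports.  Non-share-port and malformed entries are ignored."""
    stats = defaultdict(lambda: {"subnets": set(), "hits": 0, "rfc1918_hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port not in SHARE_PORTS:
            continue
        s = stats[src]
        # Collapse the destination to its /24 so one scanned block counts once.
        s["subnets"].add(str(ipaddress.ip_network(dst + "/24", strict=False)))
        s["hits"] += 1
        if is_rfc1918(dst):
            s["rfc1918_hits"] += 1
    return dict(stats)


def flag_scanners(lines, min_subnets: int = 3):
    """Sources touching at least min_subnets distinct /24s on share ports.
    A host legitimately reaching one neighbouring share stays below the bar;
    a random-/24 scanner climbs past it within a handful of log lines."""
    flagged = {}
    for src, s in summarize(lines).items():
        if len(s["subnets"]) >= min_subnets:
            flagged[src] = {"subnets": len(s["subnets"]),
                            "hits": s["hits"],
                            "rfc1918_hits": s["rfc1918_hits"]}
    return flagged


if __name__ == "__main__":
    for src, info in flag_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['subnets']} distinct /24s, {info['hits']} share-port "
              f"hits, {info['rfc1918_hits']} into RFC1918 space")
```

The threshold is deliberately on distinct /24s rather than raw hit count: a single misconfigured client can generate many denies against one neighbour, but only a scanner spreads across unrelated blocks, and the RFC1918 counter is what makes the activity visible on a filter that was never meant to be a share-scan detector.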