[27709] in North American Network Operators' Group
Re: Trojan Alert was: Check this
daemon@ATHENA.MIT.EDU (Kevin Houle)
Thu Mar 9 16:36:40 2000
Message-ID: <38C81452.11F8680C@cert.org>
Date: Thu, 09 Mar 2000 21:14:58 +0000
From: Kevin Houle <kjh@cert.org>
MIME-Version: 1.0
To: Kai Schlichting <kai@pac-rim.net>
Cc: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
-----BEGIN PGP SIGNED MESSAGE-----
Kai Schlichting wrote:
>
> On another operational note: I am seeing a vastly swelling number
> of customers falling victim to the NETWORK.VBS worm: a simple VB script
> that first scans surrounding network space for open, writable windows
> shares (and replicates by copying itself into a shared C:\ drive, if
> such drive is shared), then goes on to randomly scan /24's , where the
> 3 first octets of the IP number are random: this is generating
> boatloads of violations in my "no RFC1918 in or out" filters (and
> this is how this came to my attention).
We've been getting reports of network.vbs since about 2/24. There
is a CERT Incident Note discussing network.vbs and the general
need to secure unprotected Windows networking shares.
http://www.cert.org/incident_notes/IN-2000-02.html
You are welcome to use it as a reference with customers.
Kevin
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQCVAwUBOMgULVFO4fmE3w/VAQFw8gQAhIloQWbHy0mkrck6w54tUTnHxjkPDCFH
P0B27FbF/ok/yfPnLeUymVP/Vt3ptoSVs38bl/mP1BX83osix9JweFpapZZV+sVn
Uu6BFfIDCv/o3h3NuQiprWmaJjtCzi1kNfqHM6hLxrbTNqo4Evzd+t5MY8+fncwX
OthSzyq5geA=
=Eqay
-----END PGP SIGNATURE-----
