[27724] in North American Network Operators' Group


Re: Trojan Alert was: Check this

daemon@ATHENA.MIT.EDU (Chris Brenton)
Thu Mar 9 19:15:57 2000

Message-ID: <38C83E78.82A7A340@sover.net>
Date: Thu, 09 Mar 2000 19:14:48 -0500
From: Chris Brenton <cbrenton@sover.net>
Reply-To: cbrenton@sover.net
MIME-Version: 1.0
To: Kai Schlichting <kai@pac-rim.net>
Cc: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
Kai Schlichting wrote:
> 
> On another operational note: I am seeing a vastly swelling number
> of customers falling victim to the NETWORK.VBS worm:

Posted a note & a debug on this to Incidents a few weeks back. The
script is a modification of the network.vbs sample script which ships
with Win98. CERT just released an advisory here:
http://www.cert.org/incident_notes/IN-2000-02.html

> a simple VB script
> that first scans surrounding network space for open, writable windows
> shares (and replicates by copying itself into a shared C:\ drive, if
> such drive is shared),

A couple of things to note:
It will only infect Win95 & Win98
File sharing has to be enabled
The entire "C" drive has to be shared read/write without a password
Script fails if anything other than "C" is shared (for example they
could share off c:\windows and the script would fail)
Adds "network.vbs" to the user's Startup group

So a quick check is to simply see if the script is in the Startup
group.

> then goes on to randomly scan /24's , where the
> 3 first octets of the IP number are random:

Actually, it runs in three cycles: the local /24 subnet, then random
3rd-octet subnets, then random 1st-3rd octets.

> We found a user who had scanned a stunning 9980 /24's this way

The script does not scan the entire /24, just the .1 address. Kind of
lame as .1 will usually (but not always) be a router.

> : there
> is a C:\network.log (or was it .txt) file showing the scan activity.

C:\network.log is correct.

HTH,
Chris
-- 
**************************************
cbrenton@sover.net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
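The scanning pattern Chris describes above (probes aimed only at the .1 address of each /24, in three cycles: the local subnet, subnets sharing the first two octets, and fully random ones) is distinctive enough to pick out of connection logs. The following is an added example, not code from the post or from CERT, showing how an operator might flag such sources. It assumes a constructed "src dst dport" log format and assumes the probes go to TCP 139 (NetBIOS file sharing on Win9x); the post itself does not name the port. The threshold and the sample lines are made up for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines ("src dst dport"); not taken from any real capture.
# 10.1.2.50 behaves like an infected host: only .1 addresses, many /24s, port 139.
SAMPLE_LOG = """\
10.1.2.50 10.1.2.1 139
10.1.2.50 10.1.7.1 139
10.1.2.50 10.1.44.1 139
10.1.2.50 172.16.9.1 139
10.1.2.50 192.0.2.1 139
10.1.2.50 198.51.100.1 139
10.1.2.50 203.0.113.1 139
10.1.2.51 10.1.2.77 139
10.1.2.51 10.1.2.1 80
10.1.2.52 10.1.2.1 139
"""


def parse_line(line):
    """Split one constructed log line into (src, dst, dport)."""
    src, dst, port = line.split()
    return src, dst, int(port)


def classify(src, dst):
    """Map a probe onto the three cycles described in the post:
    same /24 as the source, same /16 with a random 3rd octet, or fully random."""
    s, d = src.split("."), dst.split(".")
    if s[:3] == d[:3]:
        return "local"
    if s[:2] == d[:2]:
        return "random-3rd"
    return "random-1st-3rd"


def find_network_vbs_scanners(log_text, port=139, min_subnets=5):
    """Return {src: {"subnets": n, "cycles": {...}}} for every source that
    probed the .1 address of at least `min_subnets` distinct /24s on `port`.
    The port and the threshold are assumptions for this example."""
    seen = defaultdict(lambda: {"subnets": set(), "cycles": defaultdict(int)})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = parse_line(line)
        # The worm only touches the .1 host of each /24, so ignore everything else.
        if dport != port or dst.split(".")[-1] != "1":
            continue
        subnet = str(ipaddress.ip_network(dst + "/24", strict=False))
        seen[src]["subnets"].add(subnet)
        seen[src]["cycles"][classify(src, dst)] += 1

    flagged = {}
    for src, info in seen.items():
        if len(info["subnets"]) >= min_subnets:
            flagged[src] = {
                "subnets": len(info["subnets"]),
                "cycles": dict(info["cycles"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_network_vbs_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['subnets']} /24s probed at .1, cycles={info['cycles']}")
```

A customer like the one Kai mentions, who hit close to ten thousand /24s, would stand out immediately; the per-cycle counts also help separate this pattern from an ordinary scanner, which would not confine itself to .1 addresses or cluster probes in the source's own /16.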

