North American Network Operators Group

Re: Trojan Alert was: Check this I did geektools owns

  • From: Henry R. Linneweh
  • Date: Thu Mar 09 16:00:46 2000

Server used for this query: [ rs.domainbank.net ]

Registrant:
Shawn Morris (DNBDN-42513)
   9211 S. Pulaski Rd.
   Evergreen Park, Illinois  60805
   USA

   Domain: SMORRIS.COM
   Registrar: DomainBank.com

   Administrative, Technical, Zone Contact:
        Morris, Shawn  (DB-MSH10) [email protected]
        (708)422-7464  (FAX)(312)621-7401

   Record created on 12-12-1999
   Record expires on 12-12-2001
   Database last updated 03-09-2000 03:44:38 PM

   Domain servers in listed order:

   NS1.MW.VERIO.NET               209.107.64.34
   NS1.WWA.COM                    198.49.174.58

http://www.domainbank.net/
===============================================
Kai Schlichting wrote:

> Can someone with a lucky hand in Visual Basic actually tell us what
> the trojan attachment we saw (LINKS2.VBS) actually does (full mail headers
> included, in case Shawn hasn't seen them yet)?
> Seems to cloak itself well, and my Norton AV is *not* detecting anything.
>
> On another operational note: I am seeing a vastly swelling number
> of customers falling victim to the NETWORK.VBS worm: a simple VB script
> that first scans surrounding network space for open, writable windows
> shares (and replicates by copying itself into a shared C:\ drive, if
> such drive is shared), then goes on to randomly scan /24's, where the
> 3 first octets of the IP number are random: this is generating
> boatloads of violations in my "no RFC1918 in or out" filters (and
> this is how this came to my attention).
>
> We found a user who had scanned a stunning 9980 /24's this way: there
> is a C:\network.log (or was it .txt) file showing the scan activity.
>
> bye, Kai
>
> >Received: from conti.nu (IDENT:[email protected] [208.241.100.25])
> >         by speedus.com (8.9.3/8.9.3) with ESMTP id PAA23318
> >         for <[email protected]>; Thu, 9 Mar 2000 15:12:02 -0500 (EST)
> >Received-Date: Thu, 9 Mar 2000 15:12:02 -0500 (EST)
> >Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
> >         by conti.nu (8.9.3/8.9.3) with ESMTP id PAA17489
> >         for <[email protected]>; Thu, 9 Mar 2000 15:11:50 -0500 (EST)
> >Received: by segue.merit.edu (Postfix)
> >         id 15D935DDA5; Thu,  9 Mar 2000 15:08:12 -0500 (EST)
> >Delivered-To: [email protected]
> >Received: by segue.merit.edu (Postfix, from userid 56)
> >         id EE69F5DDE2; Thu,  9 Mar 2000 15:08:11 -0500 (EST)
> >Received: from astro.smorris.com (astro.smorris.com [157.238.77.132])
> >         by segue.merit.edu (Postfix) with ESMTP id B9C0D5DDA5
> >         for <[email protected]>; Thu,  9 Mar 2000 15:08:08 -0500 (EST)
> >Received: from scooby (scooby.smorris.com [157.238.77.131])
> >         by astro.smorris.com (8.9.3/8.9.3) with SMTP id OAA04495;
> >         Thu, 9 Mar 2000 14:01:25 -0600
> >From: "Shawn Morris" <[email protected]>
> >To: <[email protected]>
> >Subject: Check this
> >Date: Thu, 9 Mar 2000 14:05:58 -0600
> >Message-ID: <[email protected]>
> >MIME-Version: 1.0
> >Content-Type: multipart/mixed;
> >         boundary="----=_NextPart_000_001C_01BF89D0.98395400"
> >X-Priority: 3 (Normal)
> >X-MSMail-Priority: Normal
> >X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> >X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
> >Importance: Normal
> >Sender: [email protected]
> >Precedence: bulk
> >Errors-To: [email protected]
> >X-Loop: nanog
> >X-UIDL: a6afd5395e4e1808e17ac7358522b210
> >
> >Have fun with these links.
> >Bye.

--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX   |
|--------------------------------------------|
Henry R. Linneweh
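As an added example (not part of the thread, and not Kai's, Shawn's or Henry's code): detection logic for the scanning pattern Kai describes, run over constructed border-filter "deny" lines. It counts, per source address, how many distinct destination /24s were probed on the Windows share ports and how many of those destinations were RFC1918 space, which is what trips a "no RFC1918 in or out" filter. The log syntax, the addresses and the thresholds are assumptions made for this illustration, not anything the thread reports.

```python
"""Flag sources that behave like the NETWORK.VBS scanner described in the
thread: probes to the Windows share ports across many distinct destination
/24s, part of them RFC1918 space that a border filter should never see.

The "deny" log format is constructed for this example and is not any
particular router's syntax; adapt LINE_RE to your own logs."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: 10.1.2.3 sweeps six unrelated /24s on tcp/139 (three of
# them RFC1918); 10.1.9.8 is an ordinary host talking to one web server.
SAMPLE_LOG = """\
Mar  9 14:01:01 border deny tcp 10.1.2.3:1034 -> 192.168.77.5:139
Mar  9 14:01:01 border deny tcp 10.1.2.3:1035 -> 172.16.9.12:139
Mar  9 14:01:02 border deny tcp 10.1.2.3:1036 -> 10.200.3.1:139
Mar  9 14:01:02 border deny tcp 10.1.2.3:1037 -> 203.0.113.40:139
Mar  9 14:01:03 border deny tcp 10.1.2.3:1038 -> 198.51.100.9:139
Mar  9 14:01:03 border deny tcp 10.1.2.3:1039 -> 192.0.2.77:139
Mar  9 14:01:04 border deny tcp 10.1.9.8:2048 -> 203.0.113.40:80
Mar  9 14:01:05 border deny tcp 10.1.9.8:2049 -> 203.0.113.41:80
"""

LINE_RE = re.compile(
    r"deny (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# NetBIOS name/datagram/session plus direct-hosted SMB.
SHARE_PORTS = {137, 138, 139, 445}


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def summarize(log_text):
    """Per source address: distinct destination /24s, total probes,
    probes to share ports, and probes aimed at RFC1918 destinations."""
    stats = defaultdict(lambda: {"slash24s": set(), "probes": 0,
                                 "share_probes": 0, "rfc1918_dsts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue            # not a deny line we understand; skip it
        s = stats[m["src"]]
        dst = m["dst"]
        s["probes"] += 1
        s["slash24s"].add(str(ipaddress.ip_network(dst + "/24", strict=False)))
        if int(m["dport"]) in SHARE_PORTS:
            s["share_probes"] += 1
        if is_rfc1918(dst):
            s["rfc1918_dsts"] += 1
    return stats


def suspected_scanners(log_text, min_slash24s=5, min_share_fraction=0.8):
    """Sources hitting at least min_slash24s distinct /24s, with at least
    min_share_fraction of their probes on share ports. The thresholds are
    tuning assumptions for this small sample; the host in the thread touched
    9980 /24s, so real data leaves plenty of headroom."""
    flagged = []
    for src, s in summarize(log_text).items():
        if len(s["slash24s"]) < min_slash24s:
            continue
        if s["share_probes"] / s["probes"] < min_share_fraction:
            continue
        flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    for src in suspected_scanners(SAMPLE_LOG):
        s = summarize(SAMPLE_LOG)[src]
        print(f"{src}: {len(s['slash24s'])} /24s, "
              f"{s['share_probes']}/{s['probes']} share-port probes, "
              f"{s['rfc1918_dsts']} RFC1918 destinations")
```

The two signals are kept separate on purpose: the RFC1918 destination count is what Kai's filter happened to catch, but a worm picking random first octets will also hit plenty of routable space, so the distinct-/24 count on share ports is the more general indicator and does not depend on having such a filter in place.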