North American Network Operators Group

Re: Trojan Alert was: Check this

I did geektools, owns:
Whois:
Server used for this query: [ rs.domainbank.net ]

Registrant:
Shawn Morris (DNBDN-42513)
9211 S. Pulaski Rd.
Evergreen Park, Illinois 60805
USA

Domain: SMORRIS.COM
Registrar: DomainBank.com

Administrative, Technical, Zone Contact:
Morris, Shawn (DB-MSH10)  [email protected]
(708)422-7464 (FAX)(312)621-7401

Record created on 12-12-1999
Record expires on 12-12-2001
Database last updated 03-09-2000 03:44:38 PM

Domain servers in listed order:
NS1.MW.VERIO.NET   209.107.64.34
NS1.WWA.COM        198.49.174.58

http://www.domainbank.net/
===============================================

Kai Schlichting wrote:
> Can someone with a lucky hand in Visual Basic actually tell us what
> the trojan attachment we saw (LINKS2.VBS) (full mail headers
> included, in case Shawn hasn't seen them yet) actually does.
> Seems to cloak itself well, and my Norton AV is *not* detecting anything.
>
> On another operational note: I am seeing a vastly swelling number
> of customers falling victim to the NETWORK.VBS worm: a simple VB script
> that first scans surrounding network space for open, writable Windows
> shares (and replicates by copying itself into a shared C:\ drive, if
> such a drive is shared), then goes on to randomly scan /24's, where the
> 3 first octets of the IP number are random: this is generating
> boatloads of violations in my "no RFC1918 in or out" filters (and
> this is how this came to my attention).
>
> We found a user who had scanned a stunning 9980 /24's this way: there
> is a C:\network.log (or was it .txt) file showing the scan activity.
>
> bye,Kai
>
> >Received: from conti.nu (IDENT:[email protected] [208.241.100.25])
> >        by speedus.com (8.9.3/8.9.3) with ESMTP id PAA23318
> >        for <[email protected]>; Thu, 9 Mar 2000 15:12:02 -0500 (EST)
> >Received-Date: Thu, 9 Mar 2000 15:12:02 -0500 (EST)
> >Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
> >        by conti.nu (8.9.3/8.9.3) with ESMTP id PAA17489
> >        for <[email protected]>; Thu, 9 Mar 2000 15:11:50 -0500 (EST)
> >Received: by segue.merit.edu (Postfix)
> >        id 15D935DDA5; Thu, 9 Mar 2000 15:08:12 -0500 (EST)
> >Delivered-To: [email protected]
> >Received: by segue.merit.edu (Postfix, from userid 56)
> >        id EE69F5DDE2; Thu, 9 Mar 2000 15:08:11 -0500 (EST)
> >Received: from astro.smorris.com (astro.smorris.com [157.238.77.132])
> >        by segue.merit.edu (Postfix) with ESMTP id B9C0D5DDA5
> >        for <[email protected]>; Thu, 9 Mar 2000 15:08:08 -0500 (EST)
> >Received: from scooby (scooby.smorris.com [157.238.77.131])
> >        by astro.smorris.com (8.9.3/8.9.3) with SMTP id OAA04495;
> >        Thu, 9 Mar 2000 14:01:25 -0600
> >From: "Shawn Morris" <[email protected]>
> >To: <[email protected]>
> >Subject: Check this
> >Date: Thu, 9 Mar 2000 14:05:58 -0600
> >Message-ID: <[email protected]>
> >MIME-Version: 1.0
> >Content-Type: multipart/mixed;
> >        boundary="----=_NextPart_000_001C_01BF89D0.98395400"
> >X-Priority: 3 (Normal)
> >X-MSMail-Priority: Normal
> >X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> >X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
> >Importance: Normal
> >Sender: [email protected]
> >Precedence: bulk
> >Errors-To: [email protected]
> >X-Loop: nanog
> >X-UIDL: a6afd5395e4e1808e17ac7358522b210
> >
> >Have fun with these links.
> >Bye.

--
Thank you;
|------------------------------------------|
| Thinking is a learned process so is UNIX |
|------------------------------------------|
Henry R. Linneweh
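Kai's description of NETWORK.VBS above (sweep nearby space for writable shares, then pick /24s whose first three octets are random) means an infected host fans out across many unrelated /24s, and a fraction of those land in RFC 1918 space and trip a "no RFC1918 in or out" filter. The script below is an added example, not code from the original thread or from either poster: it parses deny lines from an edge filter and flags sources that touched many distinct /24s, counting how many of their targets were RFC 1918 addresses. The log format, the host addresses (documentation ranges only), the threshold of five /24s, and the use of TCP 139 (the NetBIOS session port on which Windows shares of that era were reached) and 445 are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 space only. ipaddress's is_private is deliberately not used:
# it also returns True for documentation ranges such as 192.0.2.0/24 and
# 203.0.113.0/24, which would inflate the count.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of edge-filter deny lines in an invented
# "DENY src=... dst=... dport=..." format (not from the original post).
# 192.0.2.10 plays the hypothetical infected host; all addresses are from
# documentation ranges or RFC 1918 space.
SAMPLE_LOG = """\
Mar  9 15:01:02 edge DENY src=192.0.2.10 dst=10.44.12.3 dport=139
Mar  9 15:01:02 edge DENY src=192.0.2.10 dst=10.44.12.4 dport=139
Mar  9 15:01:03 edge DENY src=192.0.2.10 dst=192.168.7.9 dport=139
Mar  9 15:01:03 edge DENY src=192.0.2.10 dst=203.0.113.77 dport=139
Mar  9 15:01:04 edge DENY src=192.0.2.10 dst=198.51.100.1 dport=139
Mar  9 15:01:05 edge DENY src=192.0.2.10 dst=172.16.5.200 dport=139
Mar  9 15:02:00 edge DENY src=192.0.2.20 dst=10.0.0.5 dport=139
Mar  9 15:02:30 edge DENY src=192.0.2.20 dst=10.0.0.5 dport=445
"""

LINE_RE = re.compile(r"DENY src=(\S+) dst=(\S+) dport=(\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a deny line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def is_rfc1918(addr):
    """True only for 10/8, 172.16/12 and 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def dst_slash24(addr):
    """The /24 containing addr, e.g. '10.44.12.0/24'."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def summarize(lines):
    """Per source: distinct target /24s, RFC 1918 hits, destination ports."""
    stats = defaultdict(lambda: {"nets": set(), "rfc1918": 0, "ports": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line
        src, dst, dport = parsed
        s = stats[src]
        s["nets"].add(dst_slash24(dst))
        s["ports"].add(dport)
        if is_rfc1918(dst):
            s["rfc1918"] += 1
    return stats


def suspicious_scanners(lines, min_nets=5):
    """Sources that touched at least min_nets distinct /24s, returned as
    (src, distinct_24s, rfc1918_hits, sorted_ports), most /24s first.
    A host talking to one /24 on several ports is not a scanner here."""
    out = []
    for src, s in summarize(lines).items():
        if len(s["nets"]) >= min_nets:
            out.append((src, len(s["nets"]), s["rfc1918"], sorted(s["ports"])))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    for src, nets, priv, ports in suspicious_scanners(SAMPLE_LOG.splitlines()):
        print(f"{src}: {nets} distinct /24s, {priv} RFC1918 targets, ports {ports}")
```

The RFC 1918 count is the signal Kai's filter is seeing: if the first three octets are drawn uniformly, a random /24 lands inside RFC 1918 space 69,888 times out of 16,777,216 (about 0.42%), so the 9980 /24s his user scanned would have produced roughly forty filter hits. That is a small fraction of the worm's traffic, which is why the distinct-/24 fan-out (visible in any flow or deny log, not just the RFC 1918 rule) is the better thing to alert on; the RFC 1918 hits merely corroborate that the targets are random rather than a legitimate sweep of one's own address space.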