North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Trojan Alert was: Check this
-----BEGIN PGP SIGNED MESSAGE----- Kai Schlichting wrote: > > On another operational note: I am seeing a vastly swelling number > of customers falling victim to the NETWORK.VBS worm: a simple VB script > that first scans surrounding network space for open, writable windows > shares (and replicates by copying itself into a shared C:\ drive, if > such drive is shared), then goes on to randomly scan /24's , where the > 3 first octets of the IP number are random: this is generating > boatloads of violations in my "no RFC1918 in or out" filters (and > this is how this came to my attention). We've been getting reports of network.vbs since about 2/24. There is a CERT Incident Note discussing network.vbs and the general need to secure unprotected Windows networking shares. http://www.cert.org/incident_notes/IN-2000-02.html You are welcome to use it as a reference with customers. Kevin -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQCVAwUBOMgULVFO4fmE3w/VAQFw8gQAhIloQWbHy0mkrck6w54tUTnHxjkPDCFH P0B27FbF/ok/yfPnLeUymVP/Vt3ptoSVs38bl/mP1BX83osix9JweFpapZZV+sVn Uu6BFfIDCv/o3h3NuQiprWmaJjtCzi1kNfqHM6hLxrbTNqo4Evzd+t5MY8+fncwX OthSzyq5geA= =Eqay -----END PGP SIGNATURE-----
|