North American Network Operators Group

Re: Trojan Alert was: Check this
Kai Schlichting wrote:
>
> On another operational note: I am seeing a vastly swelling number
> of customers falling victim to the NETWORK.VBS worm:

Posted a note & a debug on this to Incidents a few weeks back. The script is a modification of the network.vbs sample script which ships with Win98. CERT just released an advisory here:
http://www.cert.org/incident_notes/IN-2000-02.html

> a simple VB script
> that first scans surrounding network space for open, writable windows
> shares (and replicates by copying itself into a shared C:\ drive, if
> such drive is shared),

A couple of things to note:
It will only infect Win95 & Win98
File sharing has to be enabled
The entire "C" drive has to be shared read/write without a password
Script fails if anything other than "C" is shared (for example they could share off c:\windows and the script would fail)
Adds "network.vbs" to the user's Startup group

So a quick check is to simply see if the script is in the Startup group

> then goes on to randomly scan /24's , where the
> 3 first octets of the IP number are random:

Actually, it runs in three cycles: local /24 subnet, random 3rd octet subnets, then random 1st-3rd octet.

> We found a user who had scanned a stunning 9980 /24's this way

The script does not scan the entire /24, just the .1 address. Kind of lame as .1 will usually (but not always) be a router.

> : there
> is a C:\network.log (or was it .txt) file showing the scan activity.

C:\network.log is correct.

HTH,
Chris

--
**************************************
[email protected]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
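The scan pattern described in the message above (probes to the .1 address only, across many /24s, in three cycles) can be turned into a flow-log check for infected customers. This is an added example, not code from the post or from CERT; the flow records are constructed and the `min_subnets` and `min_ratio` thresholds are assumptions to tune locally.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (source, destination); not real traffic.
SAMPLE_FLOWS = [
    ("10.1.2.77", "10.1.2.1"),
    ("10.1.2.77", "10.1.9.1"),
    ("10.1.2.77", "10.1.200.1"),
    ("10.1.2.77", "172.16.5.1"),
    ("10.1.2.77", "192.0.2.1"),
    ("10.1.2.77", "198.51.100.1"),
    ("10.1.2.80", "10.1.2.1"),      # ordinary host talking to its gateway
    ("10.1.2.80", "10.1.2.25"),
    ("10.1.2.80", "203.0.113.40"),
]

def classify(src, dst):
    """Name the scan cycle a probe fits, or None if dst is not a .1 address."""
    s = ipaddress.IPv4Address(src).packed
    d = ipaddress.IPv4Address(dst).packed
    if d[3] != 1:
        return None
    if s[:3] == d[:3]:
        return "local"            # same /24 as the source
    if s[:2] == d[:2]:
        return "random_3rd"       # only the 3rd octet differs
    return "random_1st_3rd"       # anything further away

def find_scanners(flows, min_subnets=5, min_ratio=0.9):
    """Return {src: per-cycle /24 counts} for sources probing .1 in many /24s."""
    subnets = defaultdict(set)                     # src -> /24 prefixes probed at .1
    cycles = defaultdict(lambda: defaultdict(int))
    total, dot1 = defaultdict(int), defaultdict(int)
    for src, dst in flows:
        total[src] += 1
        cycle = classify(src, dst)
        if cycle is None:
            continue
        dot1[src] += 1
        prefix = ipaddress.IPv4Address(dst).packed[:3]
        if prefix not in subnets[src]:             # count each /24 once
            subnets[src].add(prefix)
            cycles[src][cycle] += 1
    return {src: dict(cycles[src]) for src in subnets
            if len(subnets[src]) >= min_subnets
            and dot1[src] / total[src] >= min_ratio}

if __name__ == "__main__":
    for src, counts in find_scanners(SAMPLE_FLOWS).items():
        print(src, counts)
```

A flagged source is a candidate for the host-side checks from the message: network.vbs in the Startup group and a C:\network.log file.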