North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Port 139 scans

  • From: Kai Schlichting
  • Date: Wed Sep 27 15:00:21 2000

At Wednesday 02:35 PM 9/27/00, Ben Browning wrote:

>I have noticed that the large majority of these scans from my address space ( - are targeted at others in the 216.39.* and 216.40.* blocks. Also, all of the computers in question seem to be Win9x boxes. Coincidence? I think not. Perhaps this is a new virus afoot that replicates itself by hunting through an IP block and the ones above and below it for an open Windows share. That would make sense, given the data I have thus far.

Hello, Network.VBS, again ? That, or a new variant.

If I recall this right, this virus is one of the damn cheapest (and easiest)
adaptations of ANY program into a virus I have ever seen. The original
is found on your average Win98 machine at C:\windows\samples\wsh\network.vbs

It really shows off how crappy network security (and M$'s implementation
of 'network functionality') has more todo with spreading viruses than
some 30 lines of code amended to an existing program written for
entirely different purposes. Making use of Netbios in any form is like
poking a whore without a condom: you WILL get burned. And then some.
It doesn't even take so many tries.