Firewall Wizards mailing list archives

Re: Help w/ Port 137 Traffic


From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 13 Oct 2002 08:29:26 -0400 (EDT)

On Sun, 13 Oct 2002, Mikael Olsson wrote:

> Hmm.  I would have thought that bugbear & co would result in port 
> 139 (nbsession) activity.

Yep, that's probably right, but the first reference I pulled up this 
morning said: "Spreads via e-mail and/or network shares using port 137."

http://www.ciac.org/ciac/W32_BugBear_info.html

I don't know if that means (A) the 137 lookups happen prior to a 139 
infection, (B) there is a 137 overflow and it's got something to do with 
having a share available, or (C) They're wrong.

I suspect the worm does a lookup prior to an infection, but I really don't 
know. I don't run Windows, so I haven't played with doing NetBIOS stuff 
and don't know what the normal programming sequence is for enumerating 
shares, and as we don't let customers expose NetBIOS ports at all, this 
was never high on my list of things to worry about.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
