Full Disclosure mailing list archives
Worm side effects
From: "Geo." <geoincidents () getinfo org>
Date: Mon, 25 Aug 2003 15:34:17 -0400
The nachia/welchia worm that is doing all the icmp traffic uses 92 byte ping packets, a rather unusual size which makes it easy to filter them without blocking all icmp traffic.

It took me a while but I think I figured out why 92 byte echo requests.

Because of this worm everyone is now blocking 92 byte icmp packets because they cause an arp storm and crash network devices like Max TNT dialup boxes that many ISPs use when the worm starts scanning a class C block. It's a real problem.

I think I know why the worm used 92 byte icmp echos. Windows tracert command (traceroute) also uses 92 byte icmp echo packets. Filtering the worm breaks windows command line tracert plus samspade traceroute and any others that use the built in windows function. Doing a traceroute from a dialup box or router still seems to work fine and it probably works fine for unix as well although I haven't tested that.

Guess it's possible the author figured nobody would be willing to break windows in order to stop what he thought would be a harmless worm, turns out he miscalculated both.

So what the world needs now is a replacement for tracert.exe so that windows users can once again do traceroutes. Microsoft, are you listening?

Geo.
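The collateral damage described in the post, as an added example that is not part of the original message: a rule keyed only on packet size and ICMP type cannot tell a worm probe from a Windows tracert probe. The packets are constructed, and reading "92 bytes" as the IPv4 total length (20-byte IP header, 8-byte ICMP header, 64-byte payload) is an assumption.

```python
import struct

WORM_ECHO_LEN = 92       # size reported in the post; assumed to be the IPv4 total length
ICMP_ECHO_REQUEST = 8    # ICMP type for echo request


def build_echo(total_len, ttl):
    """Build a constructed IPv4 + ICMP echo request (checksums left at zero)."""
    payload = b"\x00" * (total_len - 28)  # minus 20-byte IP and 8-byte ICMP headers
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)
    return ip + icmp + payload


def size_filter_drops(packet):
    """True if a 'drop 92-byte ICMP echo request' rule would match the packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                       # not IPv4 or truncated
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return False                       # bad header, not ICMP, or truncated
    return packet[ihl] == ICMP_ECHO_REQUEST and total_len == WORM_ECHO_LEN


# Constructed samples; payload bytes and TTLs are placeholders, not captured traffic.
SAMPLES = {
    "worm-style scan probe, 92 bytes": build_echo(92, ttl=128),
    "tracert-style hop probe, 92 bytes, TTL 1": build_echo(92, ttl=1),
    "echo request of another size, 84 bytes": build_echo(84, ttl=64),
}


def evaluate():
    """Map each sample label to whether the size-only rule drops it."""
    return {label: size_filter_drops(pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, dropped in evaluate().items():
        print(f"{label}: {'DROP' if dropped else 'pass'}")
```

The first two samples are dropped alike and the third passes, which is the trade-off the post describes.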