Security Incidents mailing list archives

Re: new scanner tool or blind luck?


From: Thierry <thierry () PURGE-IT COM>
Date: Mon, 14 Aug 2000 01:40:35 +0100

Hello,
This could be Win32.Chainsaw

NAME: Win32.Chainsaw v1.00
TYPE: NetBios/SubSeven/NetBus worm.
AUTHOR: T-2000 / Immortal Riot.
E-MAIL: T2000_ () hotmail com
PAYLOAD: Sector trashing.

FEATURES:
- Disables ZoneAlarm firewall.
- Not visible in 9x tasklist.
- Sends usenet message on installation.
- DoS'es random hosts on 31st of any month.
- Anti-debugging code.

Randomly scans the Internet for hosts running either SubSeven 2, NetBus 1, or
NetBios, and then installs itself in the systems it can get access to. Its main
payload is to IGMP DoS random Internet hosts on every 31st of the month, which
will BSOD every released version of Windoze 95/98 that isn't patched or
firewalled.

---> infos found on TLSecurity

So the question is whether you also noticed scans on port 12345 (NetBus) and
1243 (if my memory is good) (SubSeven) from the same IP ranges; if yes, this
could be the explanation for it.

Thierry
http://www.purge-it.com/?incidents
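
The check suggested in the message above, whether probes for the different services come from the same IP ranges, can be run over firewall logs. The following is an added example, not part of the original post: the log format, the sample lines, the `correlate` helper and the use of TCP 139 for NetBIOS are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the message above; 139 (NetBIOS session service) is added
# here as an assumption, since the message names NetBios without a port.
WATCHED = {12345: "NetBus", 1243: "SubSeven", 139: "NetBIOS"}

# Constructed sample lines in a hypothetical "SRC=... DPT=..." firewall format.
SAMPLE_LOG = """\
Aug 13 22:01:10 fw DROP SRC=192.0.2.17 DST=203.0.113.5 PROTO=TCP DPT=12345
Aug 13 22:01:12 fw DROP SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP DPT=1243
Aug 13 22:03:40 fw DROP SRC=192.0.2.17 DST=203.0.113.9 PROTO=TCP DPT=139
Aug 13 22:07:02 fw DROP SRC=198.51.100.8 DST=203.0.113.5 PROTO=TCP DPT=12345
Aug 13 22:09:30 fw DROP SRC=198.51.100.8 DST=203.0.113.6 PROTO=TCP DPT=12345
Aug 13 22:11:00 fw DROP SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"SRC=(\S+) .*?PROTO=TCP DPT=(\d+)")


def correlate(log_text, prefix_len=24, min_services=2):
    """Return {source range: sorted service names} for source ranges that
    probed at least min_services distinct watched ports."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address field, skip the line
        port = int(m.group(2))
        if port not in WATCHED:
            continue
        # Collapse the source address to its enclosing range (default /24).
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        seen[str(net)].add(WATCHED[port])
    return {n: sorted(s) for n, s in seen.items() if len(s) >= min_services}


if __name__ == "__main__":
    for net, services in correlate(SAMPLE_LOG).items():
        print(f"{net}: probes for {', '.join(services)}")
```

A range that only ever probes one of the watched ports, like the second source range in the sample, is left out at the default threshold.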

