nanog mailing list archives

Re: Trojan Alert was: Check this


From: Chris Brenton <cbrenton () sover net>
Date: Thu, 09 Mar 2000 19:14:48 -0500


Kai Schlichting wrote:

> On another operational note: I am seeing a vastly swelling number
> of customers falling victim to the NETWORK.VBS worm:

Posted a note & a debug on this to Incidents a few weeks back. The
script is a modification of the network.vbs sample script which ships
with Win98. CERT just released an advisory here:
http://www.cert.org/incident_notes/IN-2000-02.html

> a simple VB script
> that first scans surrounding network space for open, writable windows
> shares (and replicates by copying itself into a shared C:\ drive, if
> such drive is shared),

A couple of things to note:
* It will only infect Win95 & Win98
* File sharing has to be enabled
* The entire "C" drive has to be shared read/write without a password
* Script fails if anything other than "C" is shared (for example they
  could share off c:\windows and the script would fail)
* Adds "network.vbs" to the user's Startup group

So a quick check is to simply see if the script is in the Startup
group.

> then goes on to randomly scan /24's , where the
> 3 first octets of the IP number are random:

Actually, it runs in three cycles: local /24 subnet, random 3rd octet
subnets, then random 1st-3rd octet.

> We found a user who had scanned a stunning 9980 /24's this way

The script does not scan the entire /24, just the .1 address. Kind of
lame as .1 will usually (but not always) be a router.

> : there
> is a C:\network.log (or was it .txt) file showing the scan activity.

C:\network.log is correct.

HTH,
Chris
-- 
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
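
Added example, not part of the original post or of any tool mentioned in it: one way an operator could spot the scan pattern described above (a single source touching only the .1 address of many different /24s) in flow records. The record layout (src, dst, dst_port per line), the TCP 139 file-sharing port, the threshold and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records "src dst dst_port"; not taken from the thread.
SAMPLE_FLOWS = """\
10.20.30.45 10.20.30.1 139
10.20.30.45 10.20.7.1 139
10.20.30.45 10.20.200.1 139
10.20.30.45 198.51.100.1 139
10.20.30.45 203.0.113.1 139
10.20.30.45 203.0.113.1 139
10.20.30.45 10.99.1.1 80
10.20.30.50 10.20.30.1 139
10.20.30.50 10.20.30.10 139
10.20.30.60 10.0.0.5 139
10.20.30.60 10.0.1.5 139
10.20.30.60 10.0.2.5 139
10.20.30.60 10.0.3.5 139
this line is malformed
"""

def find_dot_one_scanners(flow_text, min_subnets=4, port=139):
    """Return {src: number of distinct /24s probed at their .1 address}
    for every source that reaches min_subnets on the given port.
    port=139 (NetBIOS session service) is an assumption, not from the post."""
    probed = defaultdict(set)              # src -> set of /24 prefixes hit at .1
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue                       # skip malformed records
        src, dst, dport = fields
        try:
            ipaddress.IPv4Address(src)     # validate source address
            dst_ip = int(ipaddress.IPv4Address(dst))
            dport = int(dport)
        except ValueError:
            continue                       # skip unparsable address or port
        if dport != port:
            continue
        if dst_ip & 0xFF == 1:             # only the .1 host counts
            probed[src].add(dst_ip >> 8)   # upper 24 bits identify the /24
    return {s: len(n) for s, n in sorted(probed.items()) if len(n) >= min_subnets}

if __name__ == "__main__":
    for src, count in find_dot_one_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: probed the .1 host of {count} distinct /24s")
```

A client that only talks to its own gateway, or a host that reaches many servers at addresses other than .1, stays under the threshold; a hit is a cue to check that machine for network.vbs in the Startup group and for C:\network.log.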


