Re: Port 139 scans

[Kai Schlichting <kai () pac-rim net>]

At Wednesday 02:35 PM 9/27/00, Ben Browning wrote:

> I have noticed that the large majority of these scans from my address space (216.39.128.0 - 216.39.192.255) are 
> targeted at others in the 216.39.* and 216.40.* blocks. Also, all of the computers in question seem to be Win9x boxes. 
> Coincidence? I think not. Perhaps this is a new virus afoot that replicates itself by hunting through an IP block and 
> the ones above and below it for an open Windows share. That would make sense, given the data I have thus far.

Hello, Network.VBS, again ? That, or a new variant.

If I recall this right, this virus is one of the damn cheapest (and easiest)
adaptations of ANY program into a virus I have ever seen. The original
is found on your average Win98 machine at C:\windows\samples\wsh\network.vbs

It really shows off how crappy network security (and M$'s implementation
of 'network functionality') has more todo with spreading viruses than
some 30 lines of code amended to an existing program written for
entirely different purposes. Making use of Netbios in any form is like
poking a whore without a condom: you WILL get burned. And then some.
It doesn't even take so many tries.