Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Trojan Alert was: Check this

  • From: Kai Schlichting
  • Date: Thu Mar 09 15:37:32 2000

Can someone with a lucky hand in Visual Basic actually tell us what
the trojan attachment we saw (LINKS2.VBS) (full mail headers
included, in case Shawn hasn't seen them yet) actually does?
Seems to cloak itself well, and my Norton AV is *not* detecting anything.

On another operational note: I am seeing a vastly swelling number
of customers falling victim to the NETWORK.VBS worm: a simple VB script
that first scans surrounding network space for open, writable Windows
shares (and replicates by copying itself into a shared C:\ drive, if
such drive is shared), then goes on to randomly scan /24's, where the
3 first octets of the IP number are random: this is generating
boatloads of violations in my "no RFC1918 in or out" filters (and
this is how this came to my attention).

We found a user who had scanned a stunning 9980 /24's this way: there
is a C:\network.log (or was it .txt) file showing the scan activity.

bye,Kai


>Received: from conti.nu (IDENT:root@sonet.conti.nu [208.241.100.25])
>         by speedus.com (8.9.3/8.9.3) with ESMTP id PAA23318
>         for <kai@mail.speedus.net>; Thu, 9 Mar 2000 15:12:02 -0500 (EST)
>Received-Date: Thu, 9 Mar 2000 15:12:02 -0500 (EST)
>Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
>         by conti.nu (8.9.3/8.9.3) with ESMTP id PAA17489
>         for <kai@pac-rim.net>; Thu, 9 Mar 2000 15:11:50 -0500 (EST)
>Received: by segue.merit.edu (Postfix)
>         id 15D935DDA5; Thu,  9 Mar 2000 15:08:12 -0500 (EST)
>Delivered-To: nanog-outgoing@merit.edu
>Received: by segue.merit.edu (Postfix, from userid 56)
>         id EE69F5DDE2; Thu,  9 Mar 2000 15:08:11 -0500 (EST)
>Received: from astro.smorris.com (astro.smorris.com [157.238.77.132])
>         by segue.merit.edu (Postfix) with ESMTP id B9C0D5DDA5
>         for <nanog@merit.edu>; Thu,  9 Mar 2000 15:08:08 -0500 (EST)
>Received: from scooby (scooby.smorris.com [157.238.77.131])
>         by astro.smorris.com (8.9.3/8.9.3) with SMTP id OAA04495;
>         Thu, 9 Mar 2000 14:01:25 -0600
>From: "Shawn Morris" <shawn@smorris.com>
>To: <shawn@smorris.com>
>Subject: Check this
>Date: Thu, 9 Mar 2000 14:05:58 -0600
>Message-ID: <001f01bf8a02$e2d6d140$834dee9d@scooby>
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
>         boundary="----=_NextPart_000_001C_01BF89D0.98395400"
>X-Priority: 3 (Normal)
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
>X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
>Importance: Normal
>Sender: owner-nanog@merit.edu
>Precedence: bulk
>Errors-To: owner-nanog-outgoing@merit.edu
>X-Loop: nanog
>X-UIDL: a6afd5395e4e1808e17ac7358522b210
>
>Have fun with these links.
>Bye.
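
The post says the NETWORK.VBS scanning surfaced as violations of a "no RFC1918 in or out" filter. As an added example (not part of the original post), this sketch groups such filter denies by source and flags sources whose RFC1918 hits spread across many distinct /24s. The `deny SRC -> DST` log format, the `min_nets` threshold, and all addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DENY = re.compile(r"^deny\s+(\S+)\s+->\s+(\S+)")  # assumed log format

# Constructed sample of outbound filter denies (not data from the post).
SAMPLE = """\
deny 192.0.2.10 -> 10.44.7.1
deny 192.0.2.10 -> 10.44.7.2
deny 192.0.2.10 -> 172.20.9.1
deny 192.0.2.10 -> 192.168.200.1
deny 192.0.2.10 -> 192.168.200.2
deny 192.0.2.10 -> 172.32.0.1
deny 192.0.2.77 -> 10.1.1.1
deny 192.0.2.77 -> 10.1.1.5
truncated line
""".splitlines()

def is_rfc1918(text):
    """True if text is an IPv4 address inside one of the three RFC1918 blocks."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def suspects(lines, min_nets=3):
    """Sources whose RFC1918 denies spread over at least min_nets distinct /24s."""
    nets, hits = defaultdict(set), defaultdict(int)
    for line in lines:
        m = DENY.match(line)
        if not m or not is_rfc1918(m.group(2)):
            continue  # unparsable line, or a deny unrelated to RFC1918
        src, dst = m.groups()
        nets[src].add(ipaddress.ip_network(dst + "/24", strict=False))
        hits[src] += 1
    found = [(s, len(nets[s]), hits[s]) for s in nets if len(nets[s]) >= min_nets]
    return sorted(found, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for src, n24, count in suspects(SAMPLE):
        print(f"{src}: {count} RFC1918 denies across {n24} distinct /24s")
```

A source with a few denies to a single private /24 (typically a misconfiguration) stays below the threshold, while a host sweeping random prefixes accumulates distinct /24s quickly.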
