nanog mailing list archives

Re: Trojan Alert was: Check this I did geektools owns


From: "Henry R. Linneweh" <linneweh () concentric net>
Date: Thu, 09 Mar 2000 12:48:11 -0800



                                          Whois:
                                          Server:


                    Server used for this query: [ rs.domainbank.net ]

                    Registrant:
                    Shawn Morris (DNBDN-42513)
                       9211 S. Pulaski Rd.
                       Evergreen Park, Illinois  60805
                       USA

                       Domain: SMORRIS.COM
                       Registrar: DomainBank.com

                       Administrative, Technical, Zone Contact:
                            Morris, Shawn  (DB-MSH10) smorris () verio net
                            (708)422-7464  (FAX)(312)621-7401

                       Record created on 12-12-1999
                       Record expires on 12-12-2001
                       Database last updated 03-09-2000 03:44:38 PM

                       Domain servers in listed order:

                       NS1.MW.VERIO.NET               209.107.64.34
                       NS1.WWA.COM                    198.49.174.58

                    http://www.domainbank.net/
===============================================
Kai Schlichting wrote:

Can someone with a lucky hand in Visual Basic actually tell us what
the trojan attachment we saw (LINKS2.VBS) (full mail headers
included, in case Shawn hasn't seen them yet) actually does?
Seems to cloak itself well, and my Norton AV is *not* detecting anything.

On another operational note: I am seeing a vastly swelling number
of customers falling victim to the NETWORK.VBS worm: a simple VB script
that first scans surrounding network space for open, writable windows
shares (and replicates by copying itself into a shared C:\ drive, if
such drive is shared), then goes on to randomly scan /24's, where the
3 first octets of the IP number are random: this is generating
boatloads of violations in my "no RFC1918 in or out" filters (and
this is how this came to my attention).

We found a user who had scanned a stunning 9980 /24's this way: there
is a C:\network.log (or was it .txt) file showing the scan activity.

bye, Kai

Received: from conti.nu (IDENT:root () sonet conti nu [208.241.100.25])
        by speedus.com (8.9.3/8.9.3) with ESMTP id PAA23318
        for <kai () mail speedus net>; Thu, 9 Mar 2000 15:12:02 -0500 (EST)
Received-Date: Thu, 9 Mar 2000 15:12:02 -0500 (EST)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
        by conti.nu (8.9.3/8.9.3) with ESMTP id PAA17489
        for <kai () pac-rim net>; Thu, 9 Mar 2000 15:11:50 -0500 (EST)
Received: by segue.merit.edu (Postfix)
        id 15D935DDA5; Thu,  9 Mar 2000 15:08:12 -0500 (EST)
Delivered-To: nanog-outgoing () merit edu
Received: by segue.merit.edu (Postfix, from userid 56)
        id EE69F5DDE2; Thu,  9 Mar 2000 15:08:11 -0500 (EST)
Received: from astro.smorris.com (astro.smorris.com [157.238.77.132])
        by segue.merit.edu (Postfix) with ESMTP id B9C0D5DDA5
        for <nanog () merit edu>; Thu,  9 Mar 2000 15:08:08 -0500 (EST)
Received: from scooby (scooby.smorris.com [157.238.77.131])
        by astro.smorris.com (8.9.3/8.9.3) with SMTP id OAA04495;
        Thu, 9 Mar 2000 14:01:25 -0600
From: "Shawn Morris" <shawn () smorris com>
To: <shawn () smorris com>
Subject: Check this
Date: Thu, 9 Mar 2000 14:05:58 -0600
Message-ID: <001f01bf8a02$e2d6d140$834dee9d@scooby>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_001C_01BF89D0.98395400"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
Sender: owner-nanog () merit edu
Precedence: bulk
Errors-To: owner-nanog-outgoing () merit edu
X-Loop: nanog
X-UIDL: a6afd5395e4e1808e17ac7358522b210

Have fun with these links.
Bye.

--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX   |
|--------------------------------------------|
Henry R. Linneweh
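As an added example, not part of Henry's or Kai's posts, here is a small Python check modelled on Kai's observation above: given border filter logs (the line format, addresses and thresholds are assumed and the sample lines are constructed), it flags a customer host whose NetBIOS connection attempts fan out across many destination /24s or land in RFC 1918 space, which is how the infected machines showed up in his "no RFC1918 in or out" filters.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 space: a customer host sending to it across the border trips the
# "no RFC1918 in or out" filters described in the post.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name/datagram/session (share probing)
# Assumed ACL log line shape (not a real device format): "tcp SRC -> DST:PORT permit|deny"
LINE_RE = re.compile(r"(?:tcp|udp) (\S+) -> (\S+):(\d+) (?:permit|deny)")

# Constructed sample lines: .40 fans out across random /24s including RFC 1918
# space; .41 only talks to its own subnet and a web server.
SAMPLE_LOG = """\
Mar  9 14:01:25 gw acl: tcp 203.0.113.40 -> 203.0.113.1:139 permit
Mar  9 14:01:26 gw acl: tcp 203.0.113.40 -> 57.199.3.12:139 permit
Mar  9 14:01:27 gw acl: tcp 203.0.113.40 -> 192.168.44.9:139 deny
Mar  9 14:01:28 gw acl: tcp 203.0.113.40 -> 172.16.200.3:139 deny
Mar  9 14:01:28 gw acl: tcp 203.0.113.40 -> 8.45.199.250:139 permit
Mar  9 14:01:29 gw acl: tcp 203.0.113.40 -> 10.7.7.7:139 deny
Mar  9 14:01:30 gw acl: tcp 203.0.113.41 -> 203.0.113.1:139 permit
Mar  9 14:01:32 gw acl: tcp 203.0.113.41 -> 198.51.100.9:80 permit
"""

def parse(lines):
    """Yield (src, dst, port) for every line matching the assumed ACL format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def scan_report(log_text, min_subnets=4, min_rfc1918=2):
    """Per source: distinct destination /24s and RFC 1918 targets on NetBIOS ports;
    'suspect' when either count reaches its threshold (a clean host touches few /24s)."""
    subnets, priv_hits = defaultdict(set), defaultdict(int)
    for src, dst, port in parse(log_text.splitlines()):
        if port not in NETBIOS_PORTS:
            continue  # ignore non-share traffic such as the port 80 line
        subnets[src].add(ipaddress.ip_network(dst + "/24", strict=False))
        if any(ipaddress.ip_address(dst) in net for net in RFC1918):
            priv_hits[src] += 1
    return {src: {"subnets": len(nets), "rfc1918": priv_hits[src],
                  "suspect": len(nets) >= min_subnets or priv_hits[src] >= min_rfc1918}
            for src, nets in subnets.items()}

if __name__ == "__main__":
    for src, s in scan_report(SAMPLE_LOG).items():
        print(f"{src:16} /24s={s['subnets']:<3} rfc1918={s['rfc1918']:<3} {'SUSPECT' if s['suspect'] else 'ok'}")
```

The /24 fan-out count is the more robust signal: the RFC 1918 hits only appear because the worm's random first octet sometimes lands in private space, whereas a host probing port 139 across dozens of unrelated /24s is abnormal regardless of filter policy.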
