nanog mailing list archives
Re: Trojan Alert was: Check this
From: Kevin Houle <kjh () cert org>
Date: Thu, 09 Mar 2000 21:14:58 +0000
Kai Schlichting wrote:
> On another operational note: I am seeing a vastly swelling number of customers falling victim to the NETWORK.VBS worm: a simple VB script that first scans surrounding network space for open, writable Windows shares (and replicates by copying itself into a shared C:\ drive, if such drive is shared), then goes on to randomly scan /24's, where the 3 first octets of the IP number are random: this is generating boatloads of violations in my "no RFC1918 in or out" filters (and this is how this came to my attention).

We've been getting reports of network.vbs since about 2/24. There is a CERT Incident Note discussing network.vbs and the general need to secure unprotected Windows networking shares.

http://www.cert.org/incident_notes/IN-2000-02.html

You are welcome to use it as a reference with customers.

Kevin