Whois:
Server: Server used for this query: [ rs.domainbank.net ]

Registrant:
Shawn Morris (DNBDN-42513)
9211 S. Pulaski Rd.
Evergreen Park, Illinois 60805
USA

Domain: SMORRIS.COM
Registrar: DomainBank.com

Administrative, Technical, Zone Contact:
Morris, Shawn (DB-MSH10) smorris@verio.net
(708)422-7464 (FAX)(312)621-7401

Record created on 12-12-1999
Record expires on 12-12-2001
Database last updated 03-09-2000 03:44:38 PM

Domain servers in listed order:
NS1.MW.VERIO.NET 209.107.64.34
NS1.WWA.COM 198.49.174.58

http://www.domainbank.net/
===============================================
Kai Schlichting wrote:
Can someone with a lucky hand in Visual Basic actually tell us what the trojan attachment we saw (LINKS2.VBS) actually does (full mail headers included, in case Shawn hasn't seen them yet)? Seems to cloak itself well, and my Norton AV is *not* detecting anything.
On another operational note: I am seeing a vastly swelling number of customers falling victim to the NETWORK.VBS worm: a simple VB script that first scans surrounding network space for open, writable Windows shares (and replicates by copying itself into a shared C:\ drive, if such a drive is shared), then goes on to randomly scan /24's, where the first 3 octets of the IP number are random: this is generating boatloads of violations in my "no RFC1918 in or out" filters (and this is how this came to my attention).
We found a user who had scanned a stunning 9980 /24's this way: there is a C:\network.log (or was it .txt) file showing the scan activity.
bye, Kai
Received: from conti.nu (IDENT:root@sonet.conti.nu [208.241.100.25]) by speedus.com (8.9.3/8.9.3) with ESMTP id PAA23318 for <kai@mail.speedus.net>; Thu, 9 Mar 2000 15:12:02 -0500 (EST)
Received-Date: Thu, 9 Mar 2000 15:12:02 -0500 (EST)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by conti.nu (8.9.3/8.9.3) with ESMTP id PAA17489 for <kai@pac-rim.net>; Thu, 9 Mar 2000 15:11:50 -0500 (EST)
Received: by segue.merit.edu (Postfix) id 15D935DDA5; Thu, 9 Mar 2000 15:08:12 -0500 (EST)
Delivered-To: nanog-outgoing@merit.edu
Received: by segue.merit.edu (Postfix, from userid 56) id EE69F5DDE2; Thu, 9 Mar 2000 15:08:11 -0500 (EST)
Received: from astro.smorris.com (astro.smorris.com [157.238.77.132]) by segue.merit.edu (Postfix) with ESMTP id B9C0D5DDA5 for <nanog@merit.edu>; Thu, 9 Mar 2000 15:08:08 -0500 (EST)
Received: from scooby (scooby.smorris.com [157.238.77.131]) by astro.smorris.com (8.9.3/8.9.3) with SMTP id OAA04495; Thu, 9 Mar 2000 14:01:25 -0600
From: "Shawn Morris" <shawn@smorris.com>
To: <shawn@smorris.com>
Subject: Check this
Date: Thu, 9 Mar 2000 14:05:58 -0600
Message-ID: <001f01bf8a02$e2d6d140$834dee9d@scooby>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_001C_01BF89D0.98395400"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
Sender: owner-nanog@merit.edu
Precedence: bulk
Errors-To: owner-nanog-outgoing@merit.edu
X-Loop: nanog
X-UIDL: a6afd5395e4e1808e17ac7358522b210
Have fun with these links. Bye.
--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX |
|--------------------------------------------|
Henry R. Linneweh
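An added example (not part of the thread, and not the worm's own code): a small detector for the scanning pattern Kai describes, where an infected host probes for Windows shares across many randomly chosen /24's and trips a "no RFC1918 in or out" border filter. It is run over constructed filter log lines; the log format, the hostname "border", the port set for share probes (137/138/139/445) and the threshold of 5 distinct /24's are all assumptions for the example, not anything the original post states. It counts, per source address, how many distinct destination /24's were touched and how many destinations fell inside RFC1918 space, and flags a source as a likely share scanner when both signals are present.

```python
import ipaddress
import re
from collections import defaultdict

# RFC1918 ranges spelled out explicitly: ipaddress.is_private() matches a
# broader set (loopback, link-local, documentation nets), which would not
# correspond to a "no RFC1918 in or out" filter rule.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: NetBIOS/SMB ports an "open, writable Windows share" probe would hit.
SHARE_PORTS = {137, 138, 139, 445}

# Assumed log line shape (constructed for this example; adapt the regex to
# the real filter's syslog output):
#   <timestamp> <host> <permit|deny> <proto> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample log (not real data). 203.0.113.45 plays an infected
# customer sweeping random /24's; 203.0.113.9 is ordinary traffic.
SAMPLE_LOG = """\
Mar  9 15:01:02 border deny tcp 203.0.113.45:1031 -> 10.4.77.3:139
Mar  9 15:01:02 border deny tcp 203.0.113.45:1032 -> 172.19.200.12:139
Mar  9 15:01:03 border deny tcp 203.0.113.45:1033 -> 192.168.5.77:139
Mar  9 15:01:03 border permit tcp 203.0.113.45:1034 -> 198.51.100.8:139
Mar  9 15:01:04 border permit tcp 203.0.113.45:1035 -> 192.0.2.200:139
Mar  9 15:01:04 border permit tcp 203.0.113.45:1036 -> 203.0.113.250:139
Mar  9 15:01:05 border deny tcp 203.0.113.45:1037 -> 10.4.77.9:139
Mar  9 15:01:05 border permit tcp 203.0.113.45:1038 -> 100.64.3.3:139
Mar  9 15:02:10 border deny tcp 203.0.113.9:2044 -> 192.168.1.10:139
Mar  9 15:02:11 border deny tcp 203.0.113.9:2045 -> 192.168.1.11:139
Mar  9 15:02:12 border permit udp 203.0.113.9:2046 -> 198.51.100.8:137
this line is not a filter record and is skipped
"""


def parse_line(line):
    """Return a dict of fields for one filter record, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_rfc1918(ip):
    """True if the dotted-quad address lies in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def slash24(ip):
    """The /24 containing ip, e.g. '10.4.77.9' -> '10.4.77.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def analyze(log_text, threshold=5):
    """Per-source summary: distinct destination /24's, RFC1918 hits, share-port probes.

    A source is marked 'suspect' when it touched at least `threshold` distinct
    /24's AND at least one destination was RFC1918 space (the filter tripwire).
    """
    stats = defaultdict(lambda: {"records": 0, "nets": set(), "rfc1918": 0, "share": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # non-matching lines are ignored rather than crashing the sweep
        s = stats[rec["src"]]
        s["records"] += 1
        s["nets"].add(slash24(rec["dst"]))
        if is_rfc1918(rec["dst"]):
            s["rfc1918"] += 1
        if rec["dport"] in SHARE_PORTS:
            s["share"] += 1
    report = {}
    for src, s in stats.items():
        n24 = len(s["nets"])
        report[src] = {
            "records": s["records"],
            "distinct_slash24s": n24,
            "rfc1918_hits": s["rfc1918"],
            "share_probes": s["share"],
            "suspect": n24 >= threshold and s["rfc1918"] > 0,
        }
    return report


if __name__ == "__main__":
    for src, r in sorted(analyze(SAMPLE_LOG).items()):
        flag = "SUSPECT" if r["suspect"] else "ok"
        print(f"{src:16} /24s={r['distinct_slash24s']:<4} rfc1918={r['rfc1918_hits']:<3} "
              f"share_probes={r['share_probes']:<3} {flag}")
```

On the sample input the infected source shows 7 distinct /24's with 4 RFC1918 hits and is flagged; the benign source touched 2 /24's and is not. The threshold is deliberately low so the constructed sample trips it; against real logs it should be raised (a host that touched thousands of /24's, as in the case Kai mentions, stands out at any setting), and the RFC1918 condition is what keeps an ordinary host with a couple of stray private-address connections from being flagged.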