Kai Schlichting wrote:
On another operational note: I am seeing a vastly swelling number of customers falling victim to the NETWORK.VBS worm:
Posted a note & a debug on this to Incidents a few weeks back. The script is a modification of the network.vbs sample script which ships with Win98. CERT just released an advisory here: http://www.cert.org/incident_notes/IN-2000-02.html
a simple VB script that first scans surrounding network space for open, writable Windows shares (and replicates by copying itself into a shared C:\ drive, if such drive is shared),
A couple of things to note:

- It will only infect Win95 & Win98
- File sharing has to be enabled
- The entire "C" drive has to be shared read/write without a password
- Script fails if anything other than "C" is shared (for example they could share off c:\windows and the script would fail)
- Adds "network.vbs" to the user's Startup group

So a quick check is to simply see if the script is in the Startup group.
then goes on to randomly scan /24's, where the 3 first octets of the IP number are random:
Actually, it runs in three cycles: local /24 subnet, random 3rd octet subnets, then random 1st-3rd octet.
We found a user who had scanned a stunning 9980 /24's this way
The script does not scan the entire /24, just the .1 address. Kind of lame as .1 will usually (but not always) be a router.
: there is a C:\network.log (or was it .txt) file showing the scan activity.
C:\network.log is correct.

HTH,
Chris
--
**************************************
cbrenton@sover.net

* Multiprotocol Network Design & Troubleshooting
  http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
  http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
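
The scan pattern described in this thread (local /24, then random 3rd octet, then random 1st-3rd octet, always the .1 address only) can be picked out of connection logs. The following is an added example, not part of the original post: the flow-record format, the sample records, the function names, the threshold and the use of TCP port 139 for Windows share connections are all assumptions.

```python
from collections import defaultdict
from ipaddress import IPv4Address

# Assumption: Win9x file sharing runs over the NetBIOS session service (TCP 139);
# the thread itself names no port.
SHARE_PORT = 139

# Constructed sample flow records: "source destination dest_port"
SAMPLE_FLOWS = """\
10.1.5.20 10.1.5.1 139
10.1.5.20 10.1.77.1 139
10.1.5.20 10.1.203.1 139
10.1.5.20 62.14.9.1 139
10.1.5.20 171.88.240.1 139
10.1.5.31 10.1.5.1 139
10.1.5.31 10.1.5.40 139
10.1.5.44 10.1.5.1 80
"""

def classify(src, dst):
    """Map one probe onto the three scan cycles described in the thread."""
    s, d = src.packed, dst.packed
    if s[:3] == d[:3]:
        return "local /24"
    if s[:2] == d[:2]:
        return "random 3rd octet"
    return "random 1st-3rd octet"

def find_dot1_sweepers(flow_text, min_subnets=3):
    """Return {source: {cycle: distinct /24 count}} for hosts that tried the
    share port on the .1 address of at least min_subnets different /24s."""
    probed = defaultdict(set)  # source -> {(first three octets, cycle)}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        src, dst = IPv4Address(src), IPv4Address(dst)
        # The worm only ever tries host .1 of each /24 it picks.
        if int(port) == SHARE_PORT and dst.packed[3] == 1:
            probed[src].add((dst.packed[:3], classify(src, dst)))
    report = {}
    for src, nets in probed.items():
        if len(nets) >= min_subnets:
            counts = defaultdict(int)
            for _, cycle in nets:
                counts[cycle] += 1
            report[str(src)] = dict(counts)
    return report

if __name__ == "__main__":
    for host, cycles in find_dot1_sweepers(SAMPLE_FLOWS).items():
        print(host, cycles)
```

A host flagged this way can then be confirmed with the checks given in the thread: network.vbs in the Startup group and a C:\network.log file.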