Can someone with a lucky hand in Visual Basic actually tell us what the trojan attachment we saw (LINKS2.VBS) (full mail headers included, in case Shawn hasn't seen them yet) actually does. Seems to cloak itself well, and my Norton AV is *not* detecting anything.

On another operational note: I am seeing a vastly swelling number of customers falling victim to the NETWORK.VBS worm: a simple VB script that first scans surrounding network space for open, writable windows shares (and replicates by copying itself into a shared C:\ drive, if such drive is shared), then goes on to randomly scan /24's, where the 3 first octets of the IP number are random: this is generating boatloads of violations in my "no RFC1918 in or out" filters (and this is how this came to my attention).

We found a user who had scanned a stunning 9980 /24's this way: there is a C:\network.log (or was it .txt) file showing the scan activity.

bye, Kai
Received: from conti.nu (IDENT:root@sonet.conti.nu [208.241.100.25]) by speedus.com (8.9.3/8.9.3) with ESMTP id PAA23318 for <kai@mail.speedus.net>; Thu, 9 Mar 2000 15:12:02 -0500 (EST)
Received-Date: Thu, 9 Mar 2000 15:12:02 -0500 (EST)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by conti.nu (8.9.3/8.9.3) with ESMTP id PAA17489 for <kai@pac-rim.net>; Thu, 9 Mar 2000 15:11:50 -0500 (EST)
Received: by segue.merit.edu (Postfix) id 15D935DDA5; Thu, 9 Mar 2000 15:08:12 -0500 (EST)
Delivered-To: nanog-outgoing@merit.edu
Received: by segue.merit.edu (Postfix, from userid 56) id EE69F5DDE2; Thu, 9 Mar 2000 15:08:11 -0500 (EST)
Received: from astro.smorris.com (astro.smorris.com [157.238.77.132]) by segue.merit.edu (Postfix) with ESMTP id B9C0D5DDA5 for <nanog@merit.edu>; Thu, 9 Mar 2000 15:08:08 -0500 (EST)
Received: from scooby (scooby.smorris.com [157.238.77.131]) by astro.smorris.com (8.9.3/8.9.3) with SMTP id OAA04495; Thu, 9 Mar 2000 14:01:25 -0600
From: "Shawn Morris" <shawn@smorris.com>
To: <shawn@smorris.com>
Subject: Check this
Date: Thu, 9 Mar 2000 14:05:58 -0600
Message-ID: <001f01bf8a02$e2d6d140$834dee9d@scooby>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_001C_01BF89D0.98395400"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
Sender: owner-nanog@merit.edu
Precedence: bulk
Errors-To: owner-nanog-outgoing@merit.edu
X-Loop: nanog
X-UIDL: a6afd5395e4e1808e17ac7358522b210
Have fun with these links. Bye.
Whois:

Server used for this query: [ rs.domainbank.net ]

Registrant:
Shawn Morris (DNBDN-42513)
9211 S. Pulaski Rd.
Evergreen Park, Illinois 60805
USA

Domain: SMORRIS.COM
Registrar: DomainBank.com

Administrative, Technical, Zone Contact:
Morris, Shawn (DB-MSH10) smorris@verio.net
(708)422-7464 (FAX)(312)621-7401

Record created on 12-12-1999
Record expires on 12-12-2001
Database last updated 03-09-2000 03:44:38 PM

Domain servers in listed order:
NS1.MW.VERIO.NET 209.107.64.34
NS1.WWA.COM 198.49.174.58

http://www.domainbank.net/

===============================================

Kai Schlichting wrote:
Can someone with a lucky hand in Visual Basic actually tell us what the trojan attachment we saw (LINKS2.VBS) (full mail headers included, in case Shawn hasn't seen them yet) actually does. Seems to cloak itself well, and my Norton AV is *not* detecting anything.

On another operational note: I am seeing a vastly swelling number of customers falling victim to the NETWORK.VBS worm: a simple VB script that first scans surrounding network space for open, writable windows shares (and replicates by copying itself into a shared C:\ drive, if such drive is shared), then goes on to randomly scan /24's, where the 3 first octets of the IP number are random: this is generating boatloads of violations in my "no RFC1918 in or out" filters (and this is how this came to my attention).

We found a user who had scanned a stunning 9980 /24's this way: there is a C:\network.log (or was it .txt) file showing the scan activity.

bye, Kai
--
Thank you;
|--------------------------------------------|
|  Thinking is a learned process so is UNIX  |
|--------------------------------------------|
Henry R. Linneweh
Kai Schlichting wrote:
On another operational note: I am seeing a vastly swelling number of customers falling victim to the NETWORK.VBS worm: a simple VB script that first scans surrounding network space for open, writable windows shares (and replicates by copying itself into a shared C:\ drive, if such drive is shared), then goes on to randomly scan /24's, where the 3 first octets of the IP number are random: this is generating boatloads of violations in my "no RFC1918 in or out" filters (and this is how this came to my attention).
We've been getting reports of network.vbs since about 2/24. There is a CERT Incident Note discussing network.vbs and the general need to secure unprotected Windows networking shares.

http://www.cert.org/incident_notes/IN-2000-02.html

You are welcome to use it as a reference with customers.

Kevin
At 03:28 PM 3/9/00 -0500, Kai Schlichting wrote:
Can someone with a lucky hand in Visual Basic actually tell us what the trojan attachment we saw (LINKS2.VBS) (full mail headers included, in case Shawn hasn't seen them yet) actually does. Seems to cloak itself well, and my Norton AV is *not* detecting anything.

1. Norton reliably detects this (mine did). You need to either

a) add .VBS to the scanned extensions: launch NAV, Options, Scanner, Program Files, Select, New and add "VB?" and "SHS" to the default extensions. Or

b) NAV, Options, Scanner, All Files and set to scan all files; I recommend this. There was once a performance penalty to scan all files, but between CPUs and AV program optimization, the penalty is no longer noticeable under most circumstances. Changing the setting under Scanner also affects the on-access protection; there's no need to search for both options.

(W32 unfortunately does not obey extension association the way many of us learned it in 16-bit Windows. If someone sends you the MELISSA.DOC file as an attachment labeled LAUGH.WAV and you double-click it to listen, Windows will open the file, recognize the headers, open the file in MS Word without an error message, and you'll be off and running with the Melissa virus.)

2. Here's the information you asked for about Freelink, from http://www.avp.ch/avpve/script/FREELINK.stm

VBS.FreeLink

This is a worm written in the Visual Basic Script language (VBS). This worm spreads via e-mail and IRC (Internet Relay Chat) channels.

Being executed, the worm script creates a new script file "RUNDLL.VBS" in the Windows system folder and modifies the system registry to execute this script on every Windows startup. Then the worm displays a message box:

This will add a shortcut to free XXX links on your desktop. Do you want to continue?

If the user's answer is YES, the worm creates a shortcut on the desktop with the URL to an XXX site. Then the worm enumerates all network drives on the local computer and copies the infected script to the root directory of each network drive.

To spread via e-mail the worm uses MS Outlook. The worm spreading routine is very closely related to a similar routine in the "Melissa" virus, and works in the same way.
The message contains the worm script (LINKS.VBS) as an attachment. The message subject: Check this. The message body: Have fun with these links.

The "RUNDLL.VBS" script, when run, creates another script file "LINKS.VBS" in the Windows directory (LINKS.VBS is the same script as described above). Then it scans all fixed drives for the folders "MIRC", "PIRCH98" and "Program Files" (the folder where most Windows programs are usually installed) and all their subfolders, and searches for the "MIRC32.EXE" or "PIRCH98.EXE" programs (popular IRC clients). If any such program is found, the worm creates a script file (SCRIPT.INI for MIRC or EVENTS.INI for PIRCH) that contains commands to send the infected "LINKS.VBS" to other IRC users when they join the same IRC channel to which the infected computer is connected.

--
Regards,
David Kennedy CISSP
Director of Research Services, ICSA.net http://www.icsa.net
Protect what you connect.
Look both ways before crossing the Net.
Kai Schlichting wrote:
On another operational note: I am seeing a vastly swelling number of customers falling victim to the NETWORK.VBS worm:
Posted a note & a debug on this to Incidents a few weeks back. The script is a modification of the network.vbs sample script which ships with Win98. Cert just released an advisory here: http://www.cert.org/incident_notes/IN-2000-02.html
a simple VB script that first scans surrounding network space for open, writable windows shares (and replicates by copying itself into a shared C:\ drive, if such drive is shared),
A couple of things to note:

- It will only infect Win95 & Win98
- File sharing has to be enabled
- The entire "C" drive has to be shared read/write without a password
- Script fails if anything other than "C" is shared (for example, they could share off c:\windows and the script would fail)
- Adds "network.vbs" to the user's Startup group

So a quick check is to simply see if the script is in the startup group.
then goes on to randomly scan /24's, where the 3 first octets of the IP number are random:
Actually, it runs in three cycles: local /24 subnet, random 3rd octet subnets, then random 1st-3rd octet.
We found a user who had scanned a stunning 9980 /24's this way
The script does not scan the entire /24, just the .1 address. Kind of lame as .1 will usually (but not always) be a router.
: there is a C:\network.log (or was it .txt) file showing the scan activity.
C:\network.log is correct.

HTH,
Chris

--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
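Kai spotted infected customers through violations of his "no RFC1918 in or out" filter; Chris's detail that the worm probes only the .1 address of each /24 gives a tighter signature. The Python below is an added example, not code from the thread: it reads constructed firewall log lines in an assumed "<time> <src> -> <dst>:<port>" format and flags any source that has hit the .1 host of many distinct /24s, while also counting its RFC1918 destinations.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread); the line format
# "<time> <src> -> <dst>:<port>" is an assumption made for this example.
SAMPLE_LOG = """\
2000-03-09T14:01:01 198.51.100.23 -> 198.51.100.1:139
2000-03-09T14:01:02 198.51.100.23 -> 198.51.7.1:139
2000-03-09T14:01:03 198.51.100.23 -> 198.51.211.1:139
2000-03-09T14:01:04 198.51.100.23 -> 10.33.4.1:139
2000-03-09T14:01:05 198.51.100.23 -> 172.20.9.1:139
2000-03-09T14:01:06 198.51.100.23 -> 64.12.9.1:139
2000-03-09T14:01:08 198.51.100.40 -> 198.51.100.1:139
"""

LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    """True if ip is in one of the RFC1918 private ranges (what Kai's filter catches)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_line(line: str):
    """Return (src, dst, port) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def analyze(log_text: str, min_subnets: int = 5) -> dict:
    """Per source: distinct /24s probed at .1, RFC1918 hits, and a suspect flag."""
    dot1_subnets = defaultdict(set)
    rfc1918_hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, _port = rec
        if is_rfc1918(dst):
            rfc1918_hits[src] += 1
        prefix, last = dst.rsplit(".", 1)
        if last == "1":                     # the worm probes only the .1 host of each /24
            dot1_subnets[src].add(prefix)   # remember which /24 was touched
    report = {}
    for src in set(dot1_subnets) | set(rfc1918_hits):
        n = len(dot1_subnets.get(src, ()))
        report[src] = {"dot1_subnets": n, "suspect": n >= min_subnets,
                       "rfc1918_hits": rfc1918_hits.get(src, 0)}
    return report
```

A host with a single .1 hit (its own gateway) stays below the threshold; the sweeping host trips both the .1-count and the RFC1918 count.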
participants (5)
-
Chris Brenton
-
David Kennedy CISSP
-
Henry R. Linneweh
-
Kai Schlichting
-
Kevin Houle