At 01:14 PM 9/27/00 -0400, Bill Becker wrote:
> Speaking of the internet and the way it operates, is anyone else seeing a large number of random hosts scanning through their address space using TCP on port 139?

I get about 4 or 5 of these a day on my home boxen and I receive 5-10 times that many abuse complaints regarding this activity.

My current suspicion is that a backdoor trojan (pause here to decline the port 139 attempt that just zipped by me) is on the loose and being propagated like mad. This would certainly fit with the rumour of a huge DDoS attack in the works, as m@d l33t h@x0rs get as many machines as possible compromised and ready to help the attack.

I have noticed that the large majority of these scans from my address space (216.39.128.0 - 216.39.192.255) are targeted at others in the 216.39.* and 216.40.* blocks. Also, all of the computers in question seem to be Win9x boxes. Coincidence? I think not. Perhaps this is a new virus afoot that replicates itself by hunting through an IP block and the ones above and below it for an open Windows share. That would make sense, given the data I have thus far.

CERT has an advisory up (http://www.cert.org/vul_notes/VN-2000-03.html) about NetBIOS DoS attacks, but these don't seem to be hosing networks, just kind of feeling around.

If anyone else has more info, please share it!

---
Ben Browning <benb@oz.net>
oz.net Network Operations
Tel (206) 443-8000  Fax (206) 443-0500
http://www.oz.net/
Partially correct. It's a worm. Windows likes to share drives with no passwords. This worm just logs into those shares, and copies itself into like autoexec.bat. Next boot it infects your system.

On a somewhat related note, since we obviously have AOL people living and they now own ICQ. irc.icq.com has been used for weeks for these kiddies to store various DDoS clients on. Take a look at #0wned. All compromised machines. There are no live opers to deal with it, and emails to ircsupport@icq.com go unanswered. Is there any way we can deal with things like this?

Jason

---
Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w--- O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+
------END GEEK CODE BLOCK------

On Wed, 27 Sep 2000, Ben Browning wrote:

> I get about 4 or 5 of these a day on my home boxen and I receive 5-10 times that many abuse complaints regarding this activity.
> My current suspicion is that a backdoor trojan (pause here to decline the port 139 attempt that just zipped by me) is on the loose and being propagated like mad. This would certainly fit with the rumour of a huge DDoS attack in the works, as m@d l33t h@x0rs get as many machines as possible compromised and ready to help the attack.
> I have noticed that the large majority of these scans from my address space (216.39.128.0 - 216.39.192.255) are targeted at others in the 216.39.* and 216.40.* blocks. Also, all of the computers in question seem to be Win9x boxes. Coincidence? I think not. Perhaps this is a new virus afoot that replicates itself by hunting through an IP block and the ones above and below it for an open Windows share. That would make sense, given the data I have thus far.
> CERT has an advisory up (http://www.cert.org/vul_notes/VN-2000-03.html) about NetBIOS DoS attacks, but these don't seem to be hosing networks, just kind of feeling around.
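An added detector, not code from any poster on this thread, for the pattern Ben describes (a source probing TCP/139 across many hosts in its own and the neighbouring /16 blocks) and the share-hopping worm Jason describes: it flags sources that hit port 139 on several distinct destinations and records whether every target lies in the source's own or an adjacent /16. The firewall log format and all sample lines are constructed assumptions.

```python
# Added detector for the port-139 scanning pattern discussed in this thread.
# Log format is an assumption and the sample lines below are constructed:
#   "<time> <host> DENY TCP <src_ip>:<sport> -> <dst_ip>:<dport>"
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(r"^\S+ \S+ DENY TCP (\S+):\d+ -> (\S+):(\d+)$")
MIN_TARGETS = 3  # distinct destinations before a source counts as a scanner

def parse_line(line):
    """Return (src, dst, dport) for a matching line, else None."""
    m = LOG_RE.match(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def locality(src, dst):
    """'same', 'adjacent' or 'other': the dst /16 relative to the src /16."""
    s = ipaddress.ip_network(f"{src}/16", strict=False)
    d = ipaddress.ip_network(f"{dst}/16", strict=False)
    if s == d:
        return "same"
    delta = abs(int(d.network_address) - int(s.network_address))
    return "adjacent" if delta == (1 << 16) else "other"

def find_scanners(lines, min_targets=MIN_TARGETS):
    """Map each scanning source to its target count and block locality."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == 139:  # only NetBIOS session probes
            targets[parsed[0]].add(parsed[1])
    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            nearby = all(locality(src, d) != "other" for d in dsts)
            report[src] = {"targets": len(dsts), "nearby_only": nearby}
    return report

# Constructed sample: a worm-like sweep of own/neighbouring /16s, a far-off
# scanner, and one non-139 connection that must be ignored.
SAMPLE_LOG = """\
09:27:01 fw1 DENY TCP 216.39.130.7:1034 -> 216.39.140.1:139
09:27:02 fw1 DENY TCP 216.39.130.7:1035 -> 216.39.141.2:139
09:27:03 fw1 DENY TCP 216.39.130.7:1036 -> 216.40.5.9:139
09:27:04 fw1 DENY TCP 216.39.130.7:1037 -> 216.38.1.1:139
09:27:05 fw1 DENY TCP 203.0.113.9:2001 -> 216.39.1.1:139
09:27:06 fw1 DENY TCP 203.0.113.9:2002 -> 216.39.2.2:139
09:27:07 fw1 DENY TCP 203.0.113.9:2003 -> 10.0.0.1:139
09:27:09 fw1 DENY TCP 198.51.100.5:4000 -> 216.39.150.1:80
"""
```

Running `find_scanners(SAMPLE_LOG.splitlines())` flags 216.39.130.7 as a nearby-only sweeper and 203.0.113.9 as a scanner from elsewhere; a single-probe source stays below `MIN_TARGETS` and is not reported.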
On Wed, 27 Sep 2000, Jason Slagle wrote:
> On a somewhat related note, since we obviously have AOL people living and they now own ICQ. irc.icq.com has been used for weeks for these kiddies to store various DDoS clients on. Take a look at #0wned. All compromised machines. There are no live opers to deal with it, and emails to ircsupport@icq.com go unanswered. Is there any way we can deal with things like this?

Route irc.icq.com to null0. If enough networks do this (or better, if tier 1s do), maybe icq will get their head out of their ass and do something about it.

-Dan
At Wednesday 02:35 PM 9/27/00, Ben Browning wrote:
> I have noticed that the large majority of these scans from my address space (216.39.128.0 - 216.39.192.255) are targeted at others in the 216.39.* and 216.40.* blocks. Also, all of the computers in question seem to be Win9x boxes. Coincidence? I think not. Perhaps this is a new virus afoot that replicates itself by hunting through an IP block and the ones above and below it for an open Windows share. That would make sense, given the data I have thus far.

Hello, Network.VBS, again? That, or a new variant.

If I recall this right, this virus is one of the damn cheapest (and easiest) adaptations of ANY program into a virus I have ever seen. The original is found on your average Win98 machine at C:\windows\samples\wsh\network.vbs

It really shows off how crappy network security (and M$'s implementation of 'network functionality') has more to do with spreading viruses than some 30 lines of code amended to an existing program written for entirely different purposes.

Making use of NetBIOS in any form is like poking a whore without a condom: you WILL get burned. And then some. It doesn't even take so many tries.
On Wed, Sep 27, 2000 at 11:35:23AM -0700, Ben Browning wrote:
> My current suspicion is that a backdoor trojan (pause here to decline the port 139 attempt that just zipped by me) is on the loose and being propagated like mad. This would certainly fit with the rumour of a huge DDoS attack in the works, as m@d l33t h@x0rs get as many machines as possible compromised and ready to help the attack.

It would be interesting to see if this crops up at this NANOG meeting as it did at the San Jose meeting.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
END OF LINE | Manager of IP networks built within my own home
Participants (5): Ben Browning, Dan Hollis, Jared Mauch, Jason Slagle, Kai Schlichting