There's a Windows "worm" going around right now that spreads via open drive shares.
Once it infects a system, it turns drive sharing on for all drives. It may be QAZ and
variants, I forget the name at the moment, but I have the source code to it lying
around if anyone is interested in looking at it.
Those of you with Intrusion Detection Systems are probably noticing mass amounts of
port 137 (NetBIOS Name Service) scans. This is because tens of thousands of machines
are infected. Our IDS logs are multiple megabytes DAILY, just because of these scans.
Unfortunately, it hasn't gotten much media coverage, so many people are unaware. In my
early investigations of this worm, I even found a middle eastern country's military
workstation that was hit, and had all sorts of probably classified weapons doc files
on it. I also located a massive infection at a local business, and that later led to
me finding out they were "owned" at the NT domain level. Unfortunately, it appeared
that they had only one domain, so that meant everything in multiple countries.
This was last summer, and virus definitions for the particular one I found weren't in
NAV as of June. The worm has been in the wild since at least February. Again, I'm not
sure if it was QAZ or not, but if you want the source, I can dig it up for you. It's
written in VBA, and is very rudimentary and easy to follow.
This just goes to show that, in the age of point and click, knowing your systems is a
must. Many so-called firewalls/IDS and antivirus products are minimally useful. You
need to know what's going on, and you need to analyze data. I find all sorts of
interesting activity going on with a packet sniffer that Black Ice and Snort didn't
detect. I mainly use Snort on both UNIX and NT, I like it a lot. Be sure to get the
vision.conf from whitehats.com.
On Tue, Jan 02, 2001 at 09:26:24AM -0800, Rob Hudson wrote:
> > Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
> > Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
> > Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
> > Connection attempt to TCP 207.189.137.44:113 from 216.116.33.121:3818
> > Connection attempt to UDP 207.189.137.44:137 from 207.137.197.33:137
> > Connection attempt to UDP 207.189.137.44:137 from 207.137.197.33:137
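The post's point is that you have to analyze your own log data rather than trust a product to flag things. As an added example (not code from the original post or from any IDS mentioned in it), the script below parses "Connection attempt ..." lines in the format quoted above, counts how many times each source hits UDP/137 (NetBIOS Name Service), and reports the sources that cross a threshold. The log lines are the six quoted in the post; the threshold, the function names and the line format regex are assumptions made for this example.

```python
import re
from collections import Counter

# Sample input: the six log lines quoted in the post, embedded here so the
# script runs offline.
SAMPLE_LOG = """\
Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
Connection attempt to UDP 207.189.137.44:137 from 208.50.149.200:137
Connection attempt to TCP 207.189.137.44:113 from 216.116.33.121:3818
Connection attempt to UDP 207.189.137.44:137 from 207.137.197.33:137
Connection attempt to UDP 207.189.137.44:137 from 207.137.197.33:137
"""

# Assumed line format, reconstructed from the quoted lines:
#   Connection attempt to <PROTO> <dst_ip>:<dst_port> from <src_ip>:<src_port>
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
)

NBNS_PORT = 137  # NetBIOS Name Service, UDP


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
    }


def netbios_probe_sources(log_text, threshold=2):
    """Return {src_ip: hit_count} for every source that sent at least
    `threshold` UDP packets to port 137. Lines that do not parse, or that
    are not UDP/137, are ignored (the TCP/113 ident line above, for example).
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] == NBNS_PORT:
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def nbns_source_port_matches(log_text):
    """Return the set of sources whose UDP/137 probes also originate from port
    137. Windows NBNS queries are sent from UDP 137 to UDP 137, so a scanner
    with that signature is most likely a Windows host doing name lookups (the
    behaviour the post attributes to infected machines), not a hand-written
    port scanner picking an arbitrary source port.
    """
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["proto"] == "UDP" and rec["dport"] == NBNS_PORT
                and rec["sport"] == NBNS_PORT):
            hits.add(rec["src"])
    return hits


if __name__ == "__main__":
    for src, n in sorted(netbios_probe_sources(SAMPLE_LOG).items(),
                         key=lambda kv: -kv[1]):
        print(f"{src:16} {n} UDP/137 probes")
    print("sources probing 137->137:", sorted(nbns_source_port_matches(SAMPLE_LOG)))
```

Running this against a full day's log (`netbios_probe_sources(open("ids.log").read(), threshold=10)`) gives a ranked list of external hosts repeatedly probing port 137, which is the kind of summary a sniffer or IDS dump does not produce on its own; an inbound block of UDP 137 at the border is the usual mitigation for the noise itself.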