Subject: Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity
From: Dan Schrader (Dan_Schrader@TRENDMICRO.COM)
Date: Wed Mar 29 2000 - 13:20:57 CST


A description of the worm can be found at:

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_NETLOG.WORM

Dan Schrader
Trend Micro
http://www.antivirus.com
-----Original Message-----
From: Stephen Friedl
To: INCIDENTS@SECURITYFOCUS.COM
Sent: 3/28/00 10:16 PM
Subject: Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity

> I too have seen this behavior. I block them at my firewall, but the
> numbers have dramatically increased for port 137 scans that hit every
> IP# in my micro net address range. Before Feb I'd see one a month at
> most.

This looks to me like the NETWORK.VBS worm. This propagates onto a
machine, and then sits and tries to infect random class Cs by looking
for shared C drives with no passwords. The scans are not terribly
fast -- takes several minutes to scan the full class C -- and you can
nearly always visit the machine and remove the virus yourself.

> Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00

        $ nbtscan -f 204.210.104.156
        204.210.104.156 FUN\ANDRE SHARING
          ANDRE <00> UNIQUE Workstation Service
          FUN <00> GROUP Domain Name
          ANDRE <03> UNIQUE Messenger Service<3>
          ANDRE <20> UNIQUE File Server Service
          FUN <1e> GROUP Browser Service Elections
          FUN <1d> UNIQUE Master Browser
          ..__MSBROWSE__.<01> GROUP Master Browser
          00:80:c6:f8:ec:3c ETHER

If you visit their C drive, you'll find NETWORK.VBS in the root dir,
\WINDOWS, and in the startup folder. My practice of late has been to
remove these files and drop an "INFECTED.TXT" text file on their desktop
and in their startup folder to suggest that they stop sharing their
drives, put on a password, or get a real firewall.

> This is a set from two sites very nicely meshed (Are they
> racing each other?):
>
> Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
...
> Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
...

This is almost certainly a dual-homed machine that sends a packet from
each interface. The 200.200.200.1 address is probably a poorly-chosen
"internal" network number.

Steve

---
Stephen J Friedl|Software Consultant|Tustin, CA|  +1 714 544-6561
3B2-kind-of-guy |I speak for me only|  KA8CMY  |steve@unixwiz.net
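One way to pick out both patterns Steve describes from a firewall log: a single source slowly walking a class C on UDP/137, and two source addresses probing the same host at the same instant (his dual-homed explanation). This is an added example and not code from the thread or from either poster; the log layout is assumed from the two lines quoted above, the field names and thresholds are my own, and the sample log lines below are constructed, not captured traffic.

```python
import re
from collections import defaultdict

# Assumed log layout, modelled on the lines quoted in the thread:
#   "<Mon> <day> <HH:MM:SS> input PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> S=<tos>"
# Destinations may be written masked, e.g. "*.16", as in the original post.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+input\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\w.*]+):(?P<dport>\d+)"
)

# Constructed sample: one slow class-C walker, one lockstep pair of sources,
# one unrelated TCP line and one line that does not parse at all.
SAMPLE_LOG = """\
Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
Mar 27 22:01:40 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
Mar 27 22:03:02 input PROTO=17 204.210.104.156:137 *.18:137 L=78 S=0x00
Mar 27 22:03:05 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
Mar 23 18:40:01 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
Mar 23 18:40:01 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
Mar 23 18:41:15 input PROTO=6 10.0.0.5:4321 *.16:80 L=60 S=0x00
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def netbios_probes(lines):
    """Only the records that are UDP (proto 17) to the NetBIOS name service port."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and r["proto"] == 17 and r["dport"] == 137]


def scanners(lines, min_targets=3):
    """Sources whose UDP/137 probes reached at least min_targets distinct hosts.

    A worm walking a class C hits many addresses from one source; a legitimate
    name lookup touches one. The threshold is an assumption, tune it per site.
    """
    targets = defaultdict(set)
    for r in netbios_probes(lines):
        targets[r["src"]].add(r["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def lockstep_sources(lines, min_hits=2):
    """Pairs of sources that probe the same destination in the same second repeatedly.

    Two addresses that move in lockstep like this are more likely one machine
    sending from two interfaces than two independent scanners racing each other.
    """
    sources_at = defaultdict(set)
    for r in netbios_probes(lines):
        sources_at[(r["ts"], r["dst"])].add(r["src"])
    pair_hits = defaultdict(int)
    for srcs in sources_at.values():
        if len(srcs) == 2:
            pair_hits[tuple(sorted(srcs))] += 1
    return {pair: n for pair, n in pair_hits.items() if n >= min_hits}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, n in scanners(lines).items():
        print(f"scanner {src}: {n} distinct hosts probed on UDP/137")
    for (a, b), n in lockstep_sources(lines).items():
        print(f"lockstep pair {a} / {b}: {n} simultaneous probes (dual-homed host?)")
```

Run against a real log, feed the file's lines to `scanners()` and `lockstep_sources()`; the parser is deliberately strict and silently drops lines that do not match the assumed layout, so check `parse_line()` on a few of your own lines first.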