North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Port 139 scans
At Wednesday 02:35 PM 9/27/00, Ben Browning wrote: >I have noticed that the large majority of these scans from my address space (184.108.40.206 - 220.127.116.11) are targeted at others in the 216.39.* and 216.40.* blocks. Also, all of the computers in question seem to be Win9x boxes. Coincidence? I think not. Perhaps this is a new virus afoot that replicates itself by hunting through an IP block and the ones above and below it for an open Windows share. That would make sense, given the data I have thus far. Hello, Network.VBS, again ? That, or a new variant. If I recall this right, this virus is one of the damn cheapest (and easiest) adaptations of ANY program into a virus I have ever seen. The original is found on your average Win98 machine at C:\windows\samples\wsh\network.vbs It really shows off how crappy network security (and M$'s implementation of 'network functionality') has more todo with spreading viruses than some 30 lines of code amended to an existing program written for entirely different purposes. Making use of Netbios in any form is like poking a whore without a condom: you WILL get burned. And then some. It doesn't even take so many tries.