Subj : Bugbear.A virus notes
To : All
From : Mike Luther
Date : Tue Oct 01 2002 09:13 am
An ancient twice-infested OS/2'er has cometh.
As passed down via the virus news, if what it says is correct, the new
Bugbear.A virus could be a problem to OS/2 users based on bitter experience
here in the past.
Per what I have read, it is a reportedly well written Visual C creation which
uses NETBIOS over TCP/IP in a cascaded Port 137 and Port 139 TCP romp to infect
boxes connected to an IP. It is looking for GUEST accounts with no password or
ADMIN rights with no password, both focused on the WIN world earlier mass
installations of NETBIOS in penetrable fashion.
NETBIOS was written specifically to make machines talk files with other
machines over the LAN, as best this pure novice at all this understands it.
That means that if the boxen know NETBIOS standards, it doesn't make any
difference what operating system is involved .... ;)
Per my VERY well documented two runs I took when NIMDA.A first appeared with a
variation on this scenario, an OS/2 box connected in an unprotected way to the
IP world ... *CAN* ... be penetrated. It is possible to at least download
files to the remote OS/2 box. The earlier attacks were able to place at least
one or more files in each and every directory on the hard disk partition found
here .. hundreds of READ.ME and other contaminated files appeared here when
this erupted. The infector box in this case was a neighboring box on the COX
cable modem network here.
The current new virus variation is reportedly also using the Port 137/138 and
thence TCP use of Port 139 to penetrate boxen with a GUEST account with no
password or other way of ADMIN use of boxes with such permissions with no
password protection. That's the default, as I think I learned, for most of the
early WIN world. Apparently the creator wants to prove that most WIN boxen are
still un-fixed and un-protected for safe hex.
Our OS/2 world also has that possibility in the standard installations for
boxen with GUEST user accounts in that there is no default password installed
for them either. Based on the research for the two earlier runs which infected
my box twice with tons of files, I have some question about the GUEST and no
password in that GUEST in this case *WAS* passworded... However, I wasn't
informed enough and waiting with the IP trace tools to catch the first
penetration traffic so we could study that claim. Nor do I care to be a honey
pot bee for this either with all else I've got to do.
If what I read is correct, this new one raises another very well able to
penetrate your box deal, if you have NETBIOS over TCP/IP installed on your
connected machine. It is especially important, one would think, if you have
left a GUEST account in there with no password. That's the default for at
least PEER installation in OS/2.
I've since, somewhat wiser, I hope, gone to a better command over what Port
137/138 and Port 139 can do on my connected boxen, regardless of what GUEST(s)
are or are not allowed in my OS/2 hotel.
Those of you who haven't thought about this may ought to. Sure, the installed
junk can't run on OS/2 at this point. But cleaning up the mess it leaves does
take a virus help utility. I ASSURE you, twice my NORMAN which has been here
in use all this time got a real workout.
Since upgrading to NORMAN 5.2(Now 10), I suspect it would have caught this
on-line, but I ain't seen no evidence of that behind the new XyXel I installed
ahead of everything as well .. after the first rounds.
Samuel Taylor (perhaps on Laudanum, grin) said it best?
"A sadder but a wiser man he woke the morrow morn."
Both my two earlier experiences with NIMDA.A came while the below was very much
happening.. with NETBIOS over TCP/IP...
--> Sleep well; OS/2's still awake! ;)
Mike @ 1:117/3001
--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)
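As an added example (not part of Mike's message or any product he names), a small Python checker that scans firewall log lines for inbound traffic to the NetBIOS ports the message names (UDP 137/138, TCP 139) from outside the local networks, and flags any source that first probes name service on 137 and then opens a session on 139, the cascade the message describes. The log line format and the sample lines are constructed for this example.

```python
"""Flag inbound NetBIOS-over-TCP/IP traffic in firewall logs (added example)."""
import ipaddress
import re
from collections import defaultdict

# NetBIOS service ports named in the message: name service, datagram, session.
NETBIOS_PORTS = {137: "nbname", 138: "nbdatagram", 139: "nbsession"}
# Constructed log format: '... src=IP dst=IP proto=UDP|TCP dport=N'
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(TCP|UDP) dport=(\d+)")
# Addresses treated as "our side" of the connection (RFC1918, loopback, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse(line):
    """Return (src, dst, proto, dport) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto, int(dport)

def is_external(ip):
    """True when the address is not in any local network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)

def analyze(lines):
    """Return (external_hits, cascade_sources).

    external_hits: NetBIOS-port connections from sources outside LOCAL_NETS.
    cascade_sources: sources seen on UDP/137 and then TCP/139 (the 137 -> 139 pattern).
    """
    hits, seen = [], defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] not in NETBIOS_PORTS:
            continue
        src, dst, proto, dport = rec
        seen[src].add((proto, dport))
        if is_external(src):
            hits.append((src, dst, proto, dport, NETBIOS_PORTS[dport]))
    cascade = sorted(s for s, p in seen.items() if ("UDP", 137) in p and ("TCP", 139) in p)
    return hits, cascade

SAMPLE_LOG = [  # constructed sample lines using documentation (TEST-NET) addresses
    "Oct 01 09:10:01 fw IN src=203.0.113.7 dst=198.51.100.20 proto=UDP dport=137",
    "Oct 01 09:10:02 fw IN src=203.0.113.7 dst=198.51.100.20 proto=TCP dport=139",
    "Oct 01 09:10:05 fw IN src=192.168.1.5 dst=192.168.1.10 proto=TCP dport=139",
    "Oct 01 09:10:09 fw IN src=203.0.113.9 dst=198.51.100.20 proto=TCP dport=80",
]

if __name__ == "__main__":
    ext, casc = analyze(SAMPLE_LOG)
    for h in ext:
        print("external NetBIOS connection:", h)
    print("137 -> 139 cascade from:", casc)
```

The internal 192.168.1.5 session on 139 is recorded but not reported, so ordinary LAN file sharing does not flood the output; the same source reaching 137 and then 139 from outside is what stands out.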