Subj : Bugbear.A virus notes
To   : David Noon
From : Mike Luther
Date : Fri Oct 04 2002 12:40 am

Yes Dave..

DN> According to that report, the virus requires M$ Lookout (or a user who
DN> is as brain-dead as Lookout) to be activated, as it is
DN> transported as a mail attachment. The mail message is
DN> the Trojan, I suppose. The size of the executable
DN> attachment is always 50,688 bytes. [A "virus" the size
DN> of an elephant!]

DN> Unless you are running Lookout, there should be no
DN> real threat to an OS/2 box. [Assuming the BBC is
DN> correct.]

I understand that the virus cannot be ACTIVATED.  What I also saw with this
same port 137 and 139 ramp-up with NIMDA.A here is different, in a way.
The inbound probes to look for a penetrable box on the port 137/139 sequence
*CAN* result in dropping a file onto the OS/2 box from afar *IF* the NETBIOS over
OS/2 protocol is installed on the system and *IF* the initial probe is able to
establish how to write to a shared resource on it.

I absolutely agree that the virus cannot, as we understand it is recorded to
operate, execute on the OS/2 box at all.

The point is that NIMDA.A, a similar sort of approach, before the entire attack
profile of the creation was propagated, *WAS* able to download READ.ME and so
on actually into the OS/2 box into various directories.

The fact that it is transported as a mail attachment isn't all of the story as
in the above.  George Vandervort's Fido post for his protective vendor outlined
more of the story than is noted by either you or Peter.  It was the one which
made the comparison on the Port 137/139 Netbios access method and the previous
NIMDA.A use of the same techniques.

In that I've personally seen that approach compromise an OS/2 only box to the
extent that it loaded the required files remotely onto it not once but twice, I
posted the original message.

I've further seen this same approach here, when the penetration attempt also
adds JAVA to the messaging mechanism, actually start a message window in an
attempt on an OS/2 box to execute the Trojan.  But of course, the Trojan won't
run in OS/2.  The way the loaded message deal works is that the screen
placement for the pure white 'empty' box for that message is made very tiny in
size.  In this case, it was deliberately skewed down to the very lower right
corner of my OS/2 desktop.  Only the tiny upper left hand corner of the bogus
message opening JAVA attempt could be seen, the little close me box button you
usually see to close the window.  It simply got stuck there, in that it couldn't
execute the payload.  But it was able to TRY to do so, even in OS/2.

If you will think a little bit about the possibility of being able to even just
upload a file to any OS/2 box, it ought to give you pause to ponder. At that
point any executable which will execute in DOS can be a problem, or any in
OS/2, or any FAMILY mode program as well.   OS/2 is not at all free of
potential problems under this approach.


--> Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001

--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)
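The "port 137/139 sequence" Mike describes (a NetBIOS name query on UDP/137 followed by a session attempt on TCP/139 against the same host, which is how a remote probe finds and then tries to write to a share) is the kind of thing a firewall log will show before any file lands on the box. The following is an added example, not code from the original message or from any of the vendors named in it: it parses a constructed, simplified firewall-style log (the line format and all addresses are made up for the example) and flags sources that complete that sequence within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example; not real traffic from the post.
# Format (assumed): "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2002-10-03 23:58:01 ACCEPT UDP 10.1.2.3:137 -> 192.168.1.10:137
2002-10-03 23:58:02 ACCEPT TCP 10.1.2.3:1026 -> 192.168.1.10:139
2002-10-03 23:58:40 ACCEPT TCP 10.1.2.3:1027 -> 192.168.1.10:139
2002-10-03 23:59:10 ACCEPT UDP 10.9.9.9:137 -> 192.168.1.10:137
2002-10-03 23:59:11 ACCEPT TCP 192.168.1.20:1500 -> 192.168.1.10:80
2002-10-04 00:05:00 ACCEPT TCP 10.9.9.9:1031 -> 192.168.1.10:139
2002-10-04 00:06:00 ACCEPT TCP 172.16.0.5:2000 -> 192.168.1.10:139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines in the assumed format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def find_netbios_probes(events, window=timedelta(seconds=60)):
    """Return {(src, dst): [timestamps]} of TCP/139 session attempts that were
    preceded, within `window`, by a UDP/137 name query from the same source to
    the same destination.  A lone 139 connection (no name query) is not flagged,
    and neither is a name query with no follow-up session attempt."""
    name_queries = defaultdict(list)   # (src, dst) -> timestamps of UDP/137 queries
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["proto"] == "UDP" and ev["dport"] == 137:
            name_queries[key].append(ev["ts"])
        elif ev["proto"] == "TCP" and ev["dport"] == 139:
            # Events are sorted, so ev["ts"] - q is never negative here.
            if any(ev["ts"] - q <= window for q in name_queries[key]):
                hits[key].append(ev["ts"])
    return dict(hits)


if __name__ == "__main__":
    for (src, dst), times in find_netbios_probes(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {len(times)} session attempt(s) after a name query")
```

On the constructed sample only 10.1.2.3 is flagged: its two TCP/139 attempts follow a UDP/137 query by 1 and 39 seconds. 10.9.9.9's session attempt comes almost six minutes after its name query, outside the default window, and 172.16.0.5 never sent a name query at all; widen `window` or drop the name-query requirement if the environment's logs show that real probes are slower or skip the query. Seeing this sequence in the log says nothing about whether a share was actually writable; that still has to be checked on the host.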