New worm in the wild searching samba/windows shares?

Koepi · 1st October 2002, 10:53

Hi,

since it's not video related I'll post here

Since ~3-4 days I can find many netbios-ssn (port 139) connection attempts in our networks from the outside. I know that e.g. Nimda infected windows shares but it never actively scanned the "entire" internet - it just used the "windows neighbourhood" for this.

So this must be some new virus/worm scanning in the wild for potential victim systems.

I don't know if it's a samba exploit or if just windows is affected (I upgraded to latest stable samba 2.2.5 and blocked that port within the firewall additionally to my old smb.conf denying connects from there... just to be "sure"

).

My question is: has anyone further informations about this? I can't find anything on bugtraq or in the emergency-virii-announcements of the antivirii-companies...

Thanks,

regards,
Koepi

Swede · 1st October 2002, 14:49

And there's nothing on cert either. I guess you've already checked http://www.cert.org/current/scanning.html

tanksimpson · 2nd October 2002, 07:54

Koepi, I remember a while back that there were some shady "p2p" mp3/divx search programs that snooped people hard drives for open SMB shares (i.e. without their knowledge/permission). Here is a link I found describing one such program, which went out of business, but I don't doubt that there are others:

http://www.infoworld.com/articles/hn...r.xml?0717mnpm

Maybe the "hits" you are getting on the ports Samba uses are just some snoopware looking for an unprotected Windows share with free music/porn/whatever on it, not necessarily a Samba specific exploit. Fortunately Linux gives you the tools to detect/prevent snoops

auenf · 2nd October 2002, 12:05

dunno about netbios based, but this worm seems to have picked up lately (got 2 today, to different accounts) http://www.sarc.com/avcenter/venc/da...ugbear@mm.html

and it has a backdoor to do quite a bit.

Enf...

Koepi · 5th October 2002, 13:33

http://www.sarc.com/avcenter/venc/da...oval.tool.html

This is the virus I was looking for (and the removal tool).

Finally some info about it

Regards,
Koepi

1st October 2002, 10:53	#1 \| Link
Koepi Moderator Join Date: Oct 2001 Location: Germany Posts: 4,454	New worm in the wild searching samba/windows shares? Hi, since it's not video related I'll post here Since ~3-4 days I can find many netbios-ssn (port 139) connection attempts in our networks from the outside. I know that e.g. Nimda infected windows shares but it never actively scanned the "entire" internet - it just used the "windows neighbourhood" for this. So this must be some new virus/worm scanning in the wild for potential victim systems. I don't know if it's a samba exploit or if just windows is affected (I upgraded to latest stable samba 2.2.5 and blocked that port within the firewall additionally to my old smb.conf denying connects from there... just to be "sure" ). My question is: has anyone further informations about this? I can't find anything on bugtraq or in the emergency-virii-announcements of the antivirii-companies... Thanks, regards, Koepi __________________ Koepi's new media development site

5th October 2002, 13:33	#5 \| Link
Koepi Moderator Join Date: Oct 2001 Location: Germany Posts: 4,454	http://www.sarc.com/avcenter/venc/da...oval.tool.html This is the virus I was looking for (and the removal tool). Finally some info about it Regards, Koepi __________________ Koepi's new media development site

1st October 2002, 14:49	#2 \| Link
Swede Deputy Join Date: Jan 2002 Location: Sthlm, Sweden Posts: 1,453	And there's nothing on cert either. I guess you've already checked http://www.cert.org/current/scanning.html

2nd October 2002, 07:54	#3 \| Link
tanksimpson Registered User Join Date: Nov 2001 Posts: 49	Koepi, I remember a while back that there were some shady "p2p" mp3/divx search programs that snooped people hard drives for open SMB shares (i.e. without their knowledge/permission). Here is a link I found describing one such program, which went out of business, but I don't doubt that there are others: http://www.infoworld.com/articles/hn...r.xml?0717mnpm Maybe the "hits" you are getting on the ports Samba uses are just some snoopware looking for an unprotected Windows share with free music/porn/whatever on it, not necessarily a Samba specific exploit. Fortunately Linux gives you the tools to detect/prevent snoops

2nd October 2002, 12:05	#4 \| Link
auenf avatar doesn't support IE Join Date: Feb 2002 Location: The Great Southland Posts: 2,238	dunno about netbios based, but this worm seems to have picked up lately (got 2 today, to different accounts) http://www.sarc.com/avcenter/venc/da...ugbear@mm.html and it has a backdoor to do quite a bit. Enf...