Re: [fw-wiz] Help w/ Port 137 Traffic

From: Paul D. Robertson (probertsat_private)
Date: Sun Oct 13 2002 - 05:29:26 PDT


    On Sun, 13 Oct 2002, Mikael Olsson wrote:
    
    > Hmm.  I would have thought that bugbear & co would result in port 
    > 139 (nbsession) activity.
    
    Yep, that's probably right, but the first reference I pulled up this 
    morning said: "Spreads via e-mail and/or network shares using port 137."
    
    http://www.ciac.org/ciac/W32_BugBear_info.html
    
    I don't know if that means (A) the 137 lookups happen prior to a 139 
    infection, (B) there is a 137 overflow and it's got something to do with 
    having a share available, or (C) They're wrong.
    
    I suspect the worm does a lookup prior to an infection, but I really don't 
    know - I don't run Windows, so I haven't played with doing NetBIOS stuff 
    and don't know what the normal programming sequence is for enumerating 
    shares, and as we don't let customers expose NetBIOS ports at all, this 
    was never high on my list of things to worry about.
    
    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure Corporation
    