"Paul D. Robertson" wrote:
>
> http://www.ciac.org/ciac/W32_BugBear_info.html
> [...]
> I suspect the worm does a lookup prior to an infection

This is _possible_. If the worm prefers logging on with "computername\username"
rather than just "username", it would have to get the netbios host name first.
I don't see _why_ it'd be doing it; I'm just saying it _could_.

> , but I really don't
> know- I don't run Windows, so I haven't played with doing NetBIOS stuff
> and don't know what the normal programming sequence is for enumerating
> shares, and as we don't let customers expose NetBIOS ports at all, this
> was never high on my list of things to worry about.

I've personally never seen share enumeration being done over port 137.
I have only seen it done over 139, and I guess it can be done over port
445 as well.

"nbtstat -a computername" however returns a list of "names" associated
with the box. This includes: the computer name, the domain/wg name, and
the name of the currently logged on user. How this can help a worm, I
don't know.

Anyway, what I do know is that you don't access shares (infect things)
over port 137. This happens over 139/445.

My guess would be that ciac got it (the _important_ facts) wrong. I do
know for a fact that their recommendations are a bit off; they only
recommend to firewall ports 137--139, which is a bit narrow for my taste;
it exposes the portmapper (135) as well as port 445.

/Mike, off to write a note to ciac about fixing their documentation

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
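The gap the message points out (blocking only 137--139 still leaves 135 and 445 reachable) is easy to check mechanically. The following is an added example, not code from the original post or from the list; it expands a firewall's blocked-port specs and reports which of the Windows networking ports discussed above remain exposed. The port-spec syntax ("139", "137-139") and the two sample rule sets are constructed for the example; the port-to-service mapping is standard (135 RPC endpoint mapper, 137/138/139 NetBIOS name/datagram/session, 445 SMB over TCP).

```python
# Added example (not part of the original mailing-list post): check a
# firewall's blocked-port list against the full set of Windows networking
# ports the message says should be closed at the perimeter.

# Ports discussed in the thread and the service each one carries.
WINDOWS_NETWORKING_PORTS = {
    135: "RPC endpoint mapper (portmapper)",
    137: "NetBIOS name service (what 'nbtstat -a' talks to)",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (share access)",
    445: "SMB over TCP (share access without NetBIOS)",
}


def parse_port_spec(spec):
    """Expand a spec such as '139' or '137-139' into a set of port numbers.

    Raises ValueError for malformed or out-of-range input so that a typo in
    a rule set cannot silently widen or narrow what is considered blocked.
    """
    spec = spec.strip()
    if "-" in spec:
        low_s, high_s = spec.split("-", 1)
        low, high = int(low_s), int(high_s)
    else:
        low = high = int(spec)
    if not (0 <= low <= high <= 65535):
        raise ValueError("bad port range: %r" % spec)
    return set(range(low, high + 1))


def blocked_ports(specs):
    """Union of every port covered by a list of specs (e.g. a firewall's drop rules)."""
    blocked = set()
    for spec in specs:
        blocked |= parse_port_spec(spec)
    return blocked


def exposed_windows_ports(specs):
    """Return {port: description} for the Windows ports NOT covered by specs."""
    blocked = blocked_ports(specs)
    return {p: d for p, d in WINDOWS_NETWORKING_PORTS.items() if p not in blocked}


if __name__ == "__main__":
    # Constructed sample rule sets: the narrow one mirrors the 137--139 advice
    # criticised in the message; the wider one closes the gaps it points out.
    for label, rules in [("137-139 only", ["137-139"]),
                         ("135 + 137-139 + 445", ["135", "137-139", "445"])]:
        gaps = exposed_windows_ports(rules)
        print("%-22s exposed: %s" % (label, sorted(gaps) or "none"))
        for port in sorted(gaps):
            print("    %d  %s" % (port, gaps[port]))
```

Running it prints that the 137--139-only rule set leaves 135 and 445 exposed, while the wider set leaves none; feeding in your own rule specs shows at a glance whether the advice you followed covers both the NetBIOS-era ports and the direct-SMB port.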
This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 05:59:19 PDT