Subj : Bugbear.A virus notes
To   : MIKE LUTHER
From : MIKE RUSKAI
Date : Mon Oct 14 2002 11:06 pm

Mike Luther saw fit to emit the following to Mike Ruskai on 10-14-02 08:42 about Bugbear.A virus notes...

 ML> But in this case, Mike ..

 MR> The GUEST account has no access to any shares in OS/2 unless you
 MR> explicitly grant it access. In other words, there's no vulnerability
 MR> unless you take specific actions to create one.

 ML> I used GUEST ... with a password. It was used for planned access, but
 ML> passworded. In theory, it shouldn't have been compromisable but
 ML> somehow was. I only got two passes at this to research. The first one
 ML> was a complete surprise. The second one I missed just the very start of
 ML> the attack with the trace, so we didn't learn exactly what the first
 ML> few packets were like.

 ML> It would have been nice to know exactly where the hole was. But with
 ML> time so fleeting and no spare equipment to set up a 'pot', I opted to
 ML> just get rid of NetBIOS over TCP/IP that wasn't needed on the box at
 ML> that point.

 ML> If you have any theory on how this might have taken place passworded,
 ML> I'd like to know your thoughts. Several others spent a good period of
 ML> research time looking at the packet trace and so on. Far more informed
 ML> than I'll ever be at networking. They came away puzzled as well in
 ML> that there appeared to be no PW crack run or whatever associated with
 ML> the incidents.

 ML> One other part of the puzzle might be useful. In this case the
 ML> passworded GUEST account had been used prior to the attack(s). I'm not
 ML> sure about the status of the connection being active at these
 ML> starting points, whether the share was actually in use or not.

All I can think of, without knowing the details, is that you left the password as optional (which is the default for the user GUEST).

Overall, I'd say GUEST should remain a no-password account, and be given rights appropriate for that lack of security. If you want a password-protected user account, create one.

Mike Ruskai
thanny@netcarrier.com

.... A cat will always sit on whatever it is you're trying to read or copy.

___ Blue Wave/QWK v2.20
--- Platinum Xpress/Win/WINServer v3.0pr5
 * Origin: FidoTel & QWK on the Web! www.fidotel.com (1:275/311)