Subj : Bugbear.A virus notes
To   : All
From : Mike Luther
Date : Tue Oct 01 2002 09:13 am

An ancient twice-infested OS/2'er has cometh.

As passed down via the virus news, if what it says is correct, the new Bugbear.A virus could be a problem to OS/2 users, based on bitter experience here in the past. Per what I have read, it is a reportedly well written Visual C creation which uses NETBIOS over TCP/IP in a cascaded Port 137 and Port 139 TCP romp to infect boxes connected to an IP. It is looking for GUEST accounts with no password or ADMIN rights with no password, both focused on the WIN world's earlier mass installations of NETBIOS in penetrable fashion.

NETBIOS was written specifically to make machines talk files with other machines over the LAN, as best this pure novice at all this understands it. That means that if the boxen know NETBIOS standards, it doesn't make any difference what operating system is involved .... ;)

Per my VERY well documented two runs I took when NIMDA.A first appeared with a variation on this scenario, an OS/2 box connected in an unprotected way to the IP world ... *CAN* ... be penetrated. It is possible to at least download files to the remote OS/2 box. The earlier attacks were able to place at least one or more files in each and every directory on the hard disk partition found here .. hundreds of READ.ME and other contaminated files appeared here when this erupted. The infector box in this case was a neighboring box on the COX cable modem network here.

The current new virus variation is reportedly also using Port 137/138 and thence TCP use of Port 139 to penetrate boxen with a GUEST account with no password, or other way of ADMIN use of boxes with such permissions with no password protection. That's the default, as I think I learned, for most of the early WIN world. Apparently the creator wants to prove that most WIN boxen are still un-fixed and un-protected for safe hex.

Our OS/2 world also has that possibility in the standard installations for boxen with GUEST user accounts, in that there is no default password installed for them either. Based on the research for the two earlier runs which infected my box twice with tons of files, I have some question about the GUEST and no password, in that GUEST in this case *WAS* passworded... However, I wasn't informed enough and waiting with the IP trace tools to catch the first penetration traffic so we could study that claim. Nor do I care to be a honey pot bee for this either, with all else I've got to do.

If what I read is correct, this new one raises another very-well-able-to-penetrate-your-box deal, if you have NETBIOS over TCP/IP installed on your connected machine. It is especially important, one would think, if you have left a GUEST account in there with no password. That's the default for at least PEER installation in OS/2.

I've since, somewhat wiser, I hope, gone to a better command over what Port 137/138 and Port 139 can do on my connected boxen, regardless of what GUEST(s) are or are not allowed in my OS/2 hotel. Those of you who haven't thought about this may ought to.

Sure, the installed junk can't run on OS/2 at this point. But cleaning up the mess it leaves does take a virus help utility. I ASSURE you, twice my NORMAN which has been here in use all this time got a real workout. Since upgrading to NORMAN 5.2 (now 10), I suspect it would have caught this on-line, but I ain't seen no evidence of that behind the new ZyXEL I installed ahead of everything as well .. after the first rounds.

Samuel Taylor (perhaps on Laudanum, grin) said it best? "A sadder but a wiser man he woke the morrow morn."

Both my two earlier experiences with NIMDA.A came while the below was very much happening.. with NETBIOS over TCP/IP...

--> Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001

--- Maximus/2 3.01
 * Origin: Ziplog Public Port (1:117/3001)
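The ports Mike names (137/138 UDP and 139 TCP) are exactly what a filter placed in front of the box, like the router he mentions installing, should be logging and dropping. As an added example that is not part of this message, here is a small Python check that reads constructed iptables-style firewall log lines and counts NetBIOS-port traffic arriving from addresses outside an assumed LAN of 192.168.1.0/24; the log format, the addresses and the LAN range are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# NetBIOS over TCP/IP services: name service (137/udp), datagram service
# (138/udp) and session service (139/tcp), the ports named in the message.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}

# Assumed LAN range; traffic between hosts on it is normal NetBIOS chatter.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed, iptables-style log lines (not real traffic). Fields follow the
# common "IN=... SRC=... DST=... PROTO=... SPT=... DPT=..." layout.
SAMPLE_LOG = """\
Oct  1 09:13:01 gw kernel: IN=ppp0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=UDP SPT=137 DPT=137
Oct  1 09:13:02 gw kernel: IN=ppp0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=1291 DPT=139
Oct  1 09:13:05 gw kernel: IN=eth1 SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=137 DPT=137
Oct  1 09:13:09 gw kernel: IN=ppp0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=1292 DPT=139
Oct  1 09:13:12 gw kernel: IN=ppp0 SRC=198.51.100.99 DST=198.51.100.7 PROTO=TCP SPT=3344 DPT=80
"""

FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

def parse_line(line):
    """Return (src, proto, dport) for a log line, or None if it does not match."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    src, _dst, proto, _sport, dport = m.groups()
    return src, proto.lower(), int(dport)

def is_lan(src):
    """True when the source address belongs to one of the assumed LAN ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LAN_NETS)

def external_netbios_hits(log_text):
    """Count packets aimed at NetBIOS ports per source address outside the LAN.

    LAN sources are skipped; anything else hitting 137/138/139 is traffic the
    border filter should be dropping and is worth alerting on."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        if (proto, dport) in NETBIOS_PORTS and not is_lan(src):
            hits[src] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, n in external_netbios_hits(SAMPLE_LOG).items():
        print(f"{src}: {n} NetBIOS-port packets from outside the LAN")
```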