Subj : Bugbear.A virus notes
To   : David Noon
From : Mike Luther
Date : Fri Oct 04 2002 12:40 am

Yes Dave..

DN> According to that report, the virus requires M$ Lookout (or a user who
DN> is as brain-dead as Lookout) to be activated, as it is
DN> transported as a mail attachment. The mail message is
DN> the Trojan, I suppose. The size of the executable
DN> attachment is always 50,688 bytes. [A "virus" the size
DN> of an elephant!]
DN> Unless you are running Lookout, there should be no
DN> real threat to an OS/2 box. [Assuming the BBC is
DN> correct.]

I understand that the virus cannot be ACTIVATED.

What I also saw with this same port 137 and 139 port ramp up with NIMDA.A here is different, in a way. The inbound probes to look for a penetratable box on the port 137/139 sequence *CAN* result in dropping a file onto the OS/2 box from afar *IF* the NETBIOS over OS/2 protocol is installed on the system and *IF* the initial probe is able to establish how to write to a shared resource on it.

I absolutely agree that the virus cannot, as we understand it is recorded to operate, execute on the OS/2 box at all. The point is that NIMDA.A, a similar sort of approach, before the entire attack profile of the creation was propagated, *WAS* able to download READ.ME and so on actually into the OS/2 box into various directories.

The fact that it is transported as a mail attachment isn't all of the story as in the above. George Vandervort's Fido post for his protective vendor outlined more of the story than is noted by either you or Peter. It was the one which made the comparison on the Port 137/139 Netbios access method and the previous NIMDA.A use of the same techniques. In that I've personally seen that approach compromise an OS/2 only box to the extent that it loaded the required files remotely onto it not once but twice, I posted the original message.
I've further seen this same approach here, when the penetration attempt also adds JAVA to the messaging mechanism, actually start a message window in an attempt on an OS/2 box to execute the Trojan. But of course, the Trojan won't run in OS/2. The way the loaded message deal works is that the screen placement for the pure white 'empty' box for that message is made very tiny in size. In this case, it was deliberately skewed down to the very lower right corner of my OS/2 desktop. Only the tiny upper left hand corner of the bogus message opening JAVA attempt could be seen, the little close me box button you usually see to close the window. It simply got stuck there, in that it couldn't execute the payload. But it was able to TRY to do so, even in OS/2.

If you will think a little bit about the possibility of being able to even just upload a file to any OS/2 box, it ought to give you pause to ponder. At that point any executable which will execute in DOS can be a problem, or any in OS/2, or any FAMILY mode program as well. OS/2 is not at all free of potential problems under this approach.

--> Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001

--- Maximus/2 3.01
 * Origin: Ziplog Public Port (1:117/3001)
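As an added illustration (not part of Mike's post, and not code from any tool or vendor he mentions), the following Python checker runs over a few constructed connection-log lines and flags share writes arriving over NetBIOS ports 137/139 from addresses outside the RFC 1918 LAN ranges, which is the "drop a file onto the box from afar" case the post describes. The key=value log format, the addresses and the share paths are all assumptions made up for this example.

```python
import ipaddress
import re

NETBIOS_PORTS = {137, 139}

# RFC 1918 ranges are treated as the local LAN; anything else counts as "from afar".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines in an assumed key=value format; the addresses,
# share name and file names are invented for this example.
SAMPLE_LOG = r"""
src=203.0.113.45 dst=192.168.1.10 dport=139 action=connect
src=203.0.113.45 dst=192.168.1.10 dport=139 action=write path=\\BOX\SHARE\README.EML
src=192.168.1.20 dst=192.168.1.10 dport=139 action=write path=\\BOX\SHARE\report.txt
src=198.51.100.7 dst=192.168.1.10 dport=137 action=connect
src=203.0.113.45 dst=192.168.1.10 dport=80 action=connect
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)(?: path=(\S+))?")


def is_external(ip: str) -> bool:
    """True when the address lies outside the RFC 1918 LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse(log_text):
    """Yield (src, dport, action, path) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, _dst, dport, action, path = m.groups()
            yield src, int(dport), action, path


def external_netbios_probes(log_text):
    """Sorted list of non-LAN sources that touched port 137 or 139 at all."""
    return sorted({src for src, port, _a, _p in parse(log_text)
                   if port in NETBIOS_PORTS and is_external(src)})


def external_share_writes(log_text):
    """(src, path) for each file written over 137/139 by a non-LAN source."""
    return [(src, path) for src, port, action, path in parse(log_text)
            if port in NETBIOS_PORTS and action == "write" and is_external(src)]


if __name__ == "__main__":
    for src, path in external_share_writes(SAMPLE_LOG):
        print(f"ALERT: {src} wrote {path} over NetBIOS from outside the LAN")
```

The LAN write from 192.168.1.20 is deliberately left out of the alert list; the check only cares about the inbound-from-the-Internet case, which is the one that should not be possible if 137/139 are blocked at the border.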