Re: [fw-wiz] Help w/ Port 137 Traffic

From: Paul D. Robertson (proberts@patriot.net)
Date: 10/13/02


From: "Paul D. Robertson" <proberts@patriot.net>
To: Mikael Olsson <mikael.olsson@clavister.com>
Date: Sun Oct 13 08:13:19 2002

On Sun, 13 Oct 2002, Mikael Olsson wrote:

> Hmm. I would have thought that bugbear & co would result in port
> 139 (nbsession) activity.

Yep, that's probably right, but the first reference I pulled up this
morning said: "Spreads via e-mail and/or network shares using port 137."

http://www.ciac.org/ciac/W32_BugBear_info.html

I don't know if that means (A) the 137 lookups happen prior to a 139
infection, (B) there is a 137 overflow and it's got something to do with
having a share available, or (C) They're wrong.

I suspect the worm does a lookup prior to an infection, but I really don't
know- I don't run Windows, so I haven't played with doing NetBIOS stuff
and don't know what the normal programming sequence is for enumerating
shares, and as we don't let customers expose NetBIOS ports at all, this
was never high on my list of things to worry about.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation