:: 03-Apr-2000 20:44 (Monday) ::
It has come to our attention that a user has been using a derivative of
the back orifice VBScript/open windows share hole to install the
distributed.net client on unsuspecting machines. The basic hole is described
at http://vil.mcafee.com/vil/vbs98477.asp, where the user attaches to an
open share and places the VBScript on the users hard drive for execution
on the next reboot and installs the executable and configuration files.
After infection the trojan attempts to find other insecure machines to
install itself on.
Infections can be verified by looking for a network.vbs and a
microsoft_office.lnk in the Startup folder. The dnetc.exe and dnetc.ini
files will be present in the c:\windows\ directory, and a network.log is
frequently found in the root directory (c:\).
We are still working to track down the user responsible for this act.
Information is still being gathered at this time.
It is against distributed.net policy to install and run the distributed.net
client on machines where authorization has not been given. Please see
http://www.distributed.net/legal/policy.html for our policy concerning
usage of the distributed.net client.
Users should be aware that this attack is not specific to distributed.net.
This attack can be used to install any software on a users workstation,
such as Back Orifice or any other application. This attack depends on
finding machines that have open (no password is set) Windows Network
Neighborhood shares. Users should disable file and printer sharing if
possible, and if not, ensure that all of their shares are password
protected.