What Is A "Weak Network Share"

Will James

We have a virus (actually a worm) running around the office and one of the
symptoms is it sends print job after print job to shared printers.

(We use Windows 2000 OS)

We have McAfee running on all our machines, but there must be a rogue
machine somewhere.

Until we find it, our printers are pretty much out of commission unless we
disable sharing and print from just one person's machine.

The McAfee website says that the worm exploits "weak network shares."

What the heck is a weak network share?

I have removed "Everyone" from the permissions on the shared printers, and
used explicit user names instead. No luck.

I have also changed every user's password. No luck.

So what is a weak network share, and how do I share a printer with a
"strong" network share?

Thanks
 
Sounds like the BugBear.
W32/Bugbear@MM -- http://vil.nai.com/vil/content/v_99728.htm

It will shut down traditional AV software, so you want to use McAfee/AVERT Stinger for
eradication:
Stinger: http://vil.nai.com/vil/stinger/

1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode
3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
6) Reboot your PC.
7) If you are using WinME or WinXP, create a new Restore point

The BugBear has multiple modes of infection. One is via NT Shares that are NOT set up
properly. That is, the shares use passwords that are easily cracked, hacked and used. For
example, if the administrator account has NOT been renamed from "administrator" and uses the
password "admin" then the \\machine\admin$ or \\machine\c$ is EASILY infected.

I also dissuade you from having "File and Print shares" enabled on all workstations UNLESS
you follow the below password criteria.

I also suggest the use of HP Jetdirect Print Servers on *ALL* network printers. This way
the users print to the IP Address of the printer and not to a NT Print Share and NO "File
and Print shares" are enabled except on NT Servers.

I suggest the following rules for passwords:

10 characters minimum --
2 - upper case { A, B, C, D, etc }
2 - lower case { a, b, c, d, etc }
2 - numbers { 1, 2, 3, 4, etc }
2 - special characters { $, %, *, !, etc }

What version of McAfee software are you using? (e.g., VirusScan Enterprise v7.1)

What ENGINE version?

What DAT revision?

--
Dave
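
The password rules in the reply above, written as a check that can run when a password is set. This is an added example, not part of the original post; the function name, the deny-list and the sample accounts are constructed for illustration.

```python
import string

# Minimums from the post above: 10 characters, two from each class.
MIN_LENGTH = 10
MIN_PER_CLASS = 2
CLASSES = {
    "upper case": string.ascii_uppercase,
    "lower case": string.ascii_lowercase,
    "numbers": string.digits,
    "special characters": string.punctuation,
}
# Constructed deny-list of easily guessed values (assumption; extend per site).
GUESSABLE = {"admin", "administrator", "password", "letmein"}


def credential_problems(account, password):
    """Return every rule the account/password pair breaks; [] means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if sum(ch in alphabet for ch in password) < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {name}")
    lowered = password.lower()
    if lowered in GUESSABLE or (account and account.lower() in lowered):
        problems.append("guessable or contains the account name")
    if account.lower() == "administrator":
        problems.append("built-in administrator account not renamed")
    return problems


if __name__ == "__main__":
    # Constructed pairs, including the administrator/admin case from the post.
    for acct, pw in [("administrator", "admin"), ("wjames", "WJames!!2003"),
                     ("wjames", "Tr$9kLm!2xq")]:
        print(acct, pw, credential_problems(acct, pw) or "OK")
```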




 
A weak network share is one with no password or a password that is easy to
guess. No shared resource should be operated without a "strong" password. XP is
worse than 2000 in that it promotes "simple networking" without passwords.
Since you used the terminology "shared printer", we must presume that these are
locally connected printers shared on the network. On NT style operating systems,
in order to use a shared printer on the network, you simply have to have an
existing connection to a shared directory on that particular machine. In order
to accomplish that, your UserID and Password must be in the SAM database on that
machine. When attempting to establish the connection, if your logged in
password on your machine is different than the password on the shared machine,
you will be prompted for the password.

This is basic network security.

J.A. Coutts
 
A weak network share is one with no password or a password that is easy to
guess. No shared resource should be operated without a "strong" password. XP is
worse than 2000 in that it promotes "simple networking" without passwords.


Since Shares don't usually have their own passwords
on NT class machines, you probably mean one that
allows printing from any such account, e.g., that
allows "Everyone Print" permissions.

I would however include 9x shares that had no password
within that definition.

This will not however matter if the virus is running in
the context of an Authenticated User who has permissions
to print.

One approach might be to turn on auditing on the Printer,
(and also as a general Object Auditing on the server.)

At least then, if securing the printer doesn't work you will
know "who" printed each job.
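
Once auditing records who printed each job, the log can be searched for the account sending job after job. This is an added example, not part of the original post; the log lines are constructed and their layout is an assumption, so adjust `JOB_RE` to match your own export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like "document printed" audit messages.
SAMPLE_LOG = """\
2003-06-12 09:01:14 Document 101, forecast.xls owned by mlee was printed on LJ4 via port LPT1:
2003-06-12 09:14:02 Document 102, memo.doc owned by jdoe was printed on LJ4 via port LPT1:
2003-06-12 09:20:00 Document 103, a owned by rsmith was printed on LJ4 via port LPT1:
2003-06-12 09:20:03 Document 104, a owned by rsmith was printed on LJ4 via port LPT1:
2003-06-12 09:20:07 Document 105, a owned by rsmith was printed on LJ4 via port LPT1:
2003-06-12 09:20:10 Document 106, a owned by rsmith was printed on LJ4 via port LPT1:
2003-06-12 09:20:14 Document 107, a owned by rsmith was printed on LJ4 via port LPT1:
2003-06-12 09:20:19 Document 108, a owned by rsmith was printed on LJ4 via port LPT1:
2003-06-12 10:30:00 Document 109, budget.xls owned by mlee was printed on LJ4 via port LPT1:
2003-06-12 10:31:00 The print spooler service was restarted
"""

JOB_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Document \d+, .*? owned by "
    r"(?P<owner>\S+) was printed on (?P<printer>.+?) via port"
)


def burst_owners(log_text, max_jobs=3, window=timedelta(seconds=60)):
    """Return {owner: peak jobs} for owners with more than max_jobs in any window."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = JOB_RE.match(line)
        if m:  # lines that are not print-job records are skipped
            stamp = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            times[m.group("owner")].append(stamp)
    flagged = {}
    for owner, stamps in times.items():
        stamps.sort()
        start = peak = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_jobs:
            flagged[owner] = peak
    return flagged


if __name__ == "__main__":
    print(burst_owners(SAMPLE_LOG))
```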
 
We had something similar. A guy from outside (remote salesman) infected our
system with BUGBEAR Virus or Worm or whatever it is. We had to download a
CD Rom version of fixes on all internal machines.... (This guy called in
with AOL dialup) and sent us infected Word and Excel files.
 
Anon y mous said:
...A guy from outside (remote salesman) infected our
.... (This guy called in
with AOL dialup) and sent us infected Word and Excel files.

How do you know that (for sure)?

Just curious...
 
He was a sales guy for us. We traced the virus to a spreadsheet he shared
with a couple of people and our MIS guy tracked down all the infected
computers in very short order with this information.
 