COMMAND

    winnuke2

SYSTEMS AFFECTED

    Win 9.x, NT 3.51, 4.0

PROBLEM

    Teri Bidwell posted an interesting write-up on a DoS attack tool at:

        http://www.angelfire.com/wa/nuke2kill/

    For those people who still think winnuke2 didn't do anything to
    their systems, please read on.  After comparing experiences with
    two other NTSecurity list members, Ryan Russell and teacher,  Teri
    found that winnuke2 copies bogus virtual device drivers into  the
    \windows\system directory on both win95 and NT.  Here are the
    details we know.

    The winnuke2 package comes as a zip; the archive and its contents
    are:

        WINNUKE2 ZIP        84,040  04-06-98  6:00p winnuke2.zip
        INETC    DLL        95,969  07-11-95  9:50a inetc.dll
        WINNUKE 2. EXE        56,320  07-20-97  8:14p WinNuke 2.exe
        XCR32    DLL        47,377  07-11-95  9:50a xcr32.dll
        README   TXT           963  07-20-97  8:46p readme.txt

    The two .dll's are not dynamic libraries at all, but rather virtual
    network device drivers renamed with a .dll extension.  It  appears
    that WinNuke 2.exe renames them back and copies them into the hard-
    coded c:\windows\system directory, effectively "unpatching"  any
    system on which the original files had been updated, replaced  or
    removed.  Inetc.dll becomes vnbt.386 and xcr32.dll becomes vtcp.386
    on both win95 and NT 3.5.  NT 4.0 was not tested but is expected to
    behave the same.  Because the path is hard-coded, if $windir  is
    anything other than c:\windows the files do not land in the actual
    $windir tree, but they may turn up in a leftover c:\windows\system
    directory from a previous installation or a secondary (dual-boot)
    installation.

    INETC.DLL is byte-for-byte identical to $windir\system\vnbt.386, and
    XCR32.DLL to $windir\system\vtcp.386, as found on a freshly installed
    and unpatched win95 box; the compare was done with fc.exe.  These
    two vdd's implement NetBIOS and TCP/IP respectively, so the network
    device drivers are effectively rolled back to their  original,
    unpatched versions.  Quickview reports that the "dll's" are  not
    dynamic libraries but MS-DOS executables, which is also how it
    reports other vdd's on win95.
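    The check above (are these .dll's really DLLs, and are they byte-
    for-byte copies of installed drivers?) can be automated.  The script
    below is an added example written for this page, not code from the
    report or from the winnuke2 package.  It classifies an MZ image by
    the secondary header its e_lfanew field points at (a Win32 DLL
    carries a PE header with the IMAGE_FILE_DLL bit set; a win95 .386
    driver carries an LE header), and then hashes each mislabelled
    member against the drivers in a directory, which is the same verdict
    fc.exe gives.  The PACKAGE and *_SYSTEM images are constructed in-
    memory stand-ins with minimal headers, not the real files; on a real
    box you would feed load_drivers(r"c:\windows\system") to audit().

```python
"""Added example: spot VxDs masquerading as DLLs and find byte-identical
copies among installed drivers.  Sample images are constructed stand-ins,
not the real inetc.dll/xcr32.dll or vnbt.386/vtcp.386."""
from __future__ import annotations

import hashlib
import os
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit set on real PE DLLs


def image_kind(data: bytes) -> str:
    """Classify an MZ image by the header e_lfanew (offset 0x3C) points at:
    'PE\\0\\0' (Win32 exe/dll), 'LE' (win95 .386/.vxd driver), 'NE' (16-bit
    Windows), or nothing at all (plain MS-DOS executable)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-mz"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return "dos"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        if e_lfanew + 24 > len(data):
            return "pe-truncated"
        # Characteristics sits 18 bytes into the 20-byte COFF header.
        characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
        return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"
    if sig[:2] == b"LE":
        return "le-vxd"
    if sig[:2] == b"NE":
        return "ne"
    return "dos"


def mislabelled_dlls(members: dict[str, bytes]) -> dict[str, str]:
    """{name: kind} for every .dll member whose header is not a PE DLL."""
    return {name: image_kind(data) for name, data in members.items()
            if name.lower().endswith(".dll") and image_kind(data) != "pe-dll"}


def identical_to(sample: bytes, drivers: dict[str, bytes]) -> list[str]:
    """Names of installed drivers byte-for-byte identical to sample."""
    want = hashlib.sha256(sample).digest()
    return sorted(name for name, data in drivers.items()
                  if hashlib.sha256(data).digest() == want)


def load_drivers(directory: str, exts=(".386", ".vxd")) -> dict[str, bytes]:
    """Read every vdd in a directory (e.g. c:\\windows\\system) into memory."""
    out = {}
    for name in os.listdir(directory):
        if name.lower().endswith(exts):
            with open(os.path.join(directory, name), "rb") as f:
                out[name] = f.read()
    return out


def audit(members: dict[str, bytes], drivers: dict[str, bytes]) -> dict[str, list[str]]:
    """For each mislabelled member, the installed drivers it duplicates."""
    return {name: identical_to(members[name], drivers) for name in mislabelled_dlls(members)}


def build_image(sig: bytes, characteristics: int = 0) -> bytes:
    """Constructed stand-in: 64-byte MZ stub with e_lfanew -> sig, plus a
    minimal COFF header when sig is PE.  Not a loadable image."""
    stub = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    body = sig
    if sig == b"PE\0\0":
        # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
        # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
        body += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(stub) + body + b"\0" * 16


# Constructed samples: the package members and two target boxes.
PACKAGE = {
    "inetc.dll": build_image(b"LE") + b"vnbt",           # vdd renamed to .dll
    "xcr32.dll": build_image(b"LE") + b"vtcp",           # vdd renamed to .dll
    "real.dll": build_image(b"PE\0\0", IMAGE_FILE_DLL),  # a genuine DLL
}
UNPATCHED_SYSTEM = {"vnbt.386": PACKAGE["inetc.dll"], "vtcp.386": PACKAGE["xcr32.dll"]}
PATCHED_SYSTEM = {"vnbt.386": build_image(b"LE") + b"vnbt-fixed",
                  "vtcp.386": build_image(b"LE") + b"vtcp-fixed"}

if __name__ == "__main__":
    print("mislabelled members:", mislabelled_dlls(PACKAGE))
    print("matches on unpatched box:", audit(PACKAGE, UNPATCHED_SYSTEM))
    print("matches on patched box:  ", audit(PACKAGE, PATCHED_SYSTEM))
```

    On the unpatched box both renamed drivers match an installed file
    exactly; on the patched box they match nothing, which is exactly the
    state the tool would revert by copying them in.  A no-match result on
    a machine that has already run WinNuke 2.exe is therefore not a clean
    bill of health, only evidence that the copy has not (yet) happened.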

    And laughingly, unlike the original winnuke, remote targets  don't
    appear to be affected in the least.  Great joke on security admins
    everywhere.  So far only win95 seems to be adversely affected  by
    the driver replacement.  There have been at least two reports  of
    having to reformat and reload win95 after the system ground to  a
    crawl with intermittent GPFs in the days following a run  of
    winnuke2.  There are no reports confirming the same for NT; note
    that NT does not load win95-style .386 drivers, so on NT the dropped
    copies sit inert and the concern is the files themselves and
    whatever else the executable installs.  The winnuke2  executable
    also contains strings referring to files other than the  vdd's,
    such as c:\windows\cfg.rmi and rmi.cfg, so other files besides the
    vdd's may be installed by winnuke2 and may be involved in the demise
    of the OS.  (These rmi files were found in c:\windows after running
    the executable.)

SOLUTION

    Any machine that has run WinNuke 2.exe should be  considered
    compromised and a candidate for reformat/reinstall.  At the very
    least, reapply any network hotfixes, compare vnbt.386 and vtcp.386
    in \windows\system against known-good copies (size, date and  a
    byte-for-byte fc.exe compare), check any leftover c:\windows\system
    tree on machines where $windir lives elsewhere, and clean out
    suspicious files such as the cfg.rmi and rmi.cfg dropped  in
    c:\windows.  Don't download the program in the first place and you
    are safe.