COMMAND

    CheckBO

SYSTEMS AFFECTED

    CheckBO

PROBLEM

    Auriemma Luigi found the following.  CheckBO is a program that
    listens on some trojan virus ports (like 12345, 20034, ...) and
    alerts the user when someone scans in search of virus servers.
    It is a very old program (the last version is 1.56, of December
    1999), but Luigi has seen that a lot of people use it for
    "protecting themselves".

    Finding out whether a host has CheckBO active is very simple:
    when someone connects to one of the listening ports, CheckBO
    tries to connect to some ports of the attacker (12345, 514, ...)
    to gather information, so the attacker can watch for the CheckBO
    SYN packets on his firewall.  CheckBO has only an online log
    (which can be activated only with authorization), visible on the
    web site; it does not allow log files on the machine.

    When running on Win9x (NOT NT/2k), CheckBO is vulnerable to a
    "flooding" of chars on its TCP ports (only the TCP ports are
    vulnerable, so the attacker CAN'T spoof his connection); the
    number of chars must be >= 80000.

    After some CheckBO alert windows that inform the victim about
    the attacker's connection, the victim will receive this Windows
    alert window:

        Application Error
        Exception ElInvalidOperation in module CHECKBO.EXE at 00026450.
        Text exceeds memo capacity.

    When the victim closes this window, CheckBO terminates.

    Some examples to reproduce it:

        1) perl -e ' for ($i=1;$i<80000;$i++) { print "A"; } ' | nc <host> <port>
        2) nc <host> <port> < 80Kbfile.txt

    CheckBO listens on these vulnerable TCP ports: 54320, 20034,
    12345, 12346, 31337, 31666, 1243, 6713.

SOLUTION

    Nothing yet.
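
    A decoy-port listener of this kind can stay up under the flood
    described above by capping what it reads and keeps per
    connection.  The Python listener below is an added example, not
    CheckBO's code; it assumes the crash comes from appending
    unbounded connection data to a fixed-capacity text control (as
    the "Text exceeds memo capacity" message suggests), and the class
    name, limits and alert fields are hypothetical.

```python
import collections
import socket

MAX_BYTES_PER_CONN = 4096  # assumed cap, far below the 80000 chars in the advisory
MAX_ALERTS = 500           # assumed bound on alerts kept in memory for display
PREVIEW_LEN = 64           # bytes of probe data shown per alert

class DecoyListener:
    """Listens on one decoy port and records probes using bounded memory."""

    def __init__(self, host="127.0.0.1", port=0):
        # deque(maxlen=...) drops the oldest alert instead of growing.
        self.alerts = collections.deque(maxlen=MAX_ALERTS)
        self.sock = socket.create_server((host, port))
        self.port = self.sock.getsockname()[1]

    def handle(self, conn, peer):
        """Read at most MAX_BYTES_PER_CONN from one probe, then hang up."""
        conn.settimeout(5.0)  # a silent peer cannot hold the handler forever
        seen, preview = 0, b""
        try:
            while seen < MAX_BYTES_PER_CONN:
                chunk = conn.recv(min(4096, MAX_BYTES_PER_CONN - seen))
                if not chunk:
                    break
                preview += chunk[:PREVIEW_LEN - len(preview)]
                seen += len(chunk)
        except OSError:
            pass  # timeout or reset: record what was seen so far
        finally:
            conn.close()
        alert = {
            "peer": peer[0],
            "bytes_seen": seen,
            "capped": seen >= MAX_BYTES_PER_CONN,
            "preview": preview.decode("ascii", "replace"),
        }
        self.alerts.append(alert)
        return alert

    def serve_once(self):
        """Accept a single connection and return the alert recorded for it."""
        conn, peer = self.sock.accept()
        return self.handle(conn, peer)

if __name__ == "__main__":
    listener = DecoyListener()
    print("decoy listening on 127.0.0.1:%d" % listener.port)
    print(listener.serve_once())
```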