
[Full-Disclosure] Worm side effects



The Nachi/Welchia worm that is doing all the ICMP traffic uses 92-byte ping
packets, a rather unusual size which makes it easy to filter them without
blocking all ICMP traffic. It took me a while, but I think I figured out why
it uses 92-byte echo requests.

Because of this worm everyone is now blocking 92-byte ICMP packets, because
they cause an ARP storm and crash network devices like the Max TNT dialup boxes
that many ISPs use when the worm starts scanning a class C block. It's a
real problem.

I think I know why the worm used 92-byte ICMP echos. The Windows tracert command
(traceroute) also uses 92-byte ICMP echo packets. Filtering the worm breaks the
Windows command-line tracert, plus SamSpade traceroute and any others that
use the built-in Windows function. Doing a traceroute from a dialup box or
router still seems to work fine, and it probably works fine for Unix as well,
although I haven't tested that.
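
As an added illustration (this is example code written for this archive page, not anything from the original post or from Microsoft), the snippet below parses a raw IPv4/ICMP packet and shows why a length-only filter is too coarse: both the worm's echo request and a Windows tracert probe are 92 bytes on the wire (20-byte IP header + 8-byte ICMP header + 64 bytes of data). The packet builder and all sample packets are constructed here. The check on payload content rests on the widely reported observation that Welchia fills its 64 data bytes with 0xAA; that detail is not stated in the post, so treat it as an assumption, and the tracert payload is only assumed not to be a solid 0xAA fill.

```python
import struct

WELCHIA_TOTAL_LEN = 92      # 20 (IPv4 header) + 8 (ICMP echo header) + 64 (data)
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1
WELCHIA_FILL = 0xAA         # assumed payload fill byte (widely reported, not from the post)


def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); used for IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ttl: int = 128,
                       src: str = "10.0.0.5", dst: str = "10.0.0.9") -> bytes:
    """Constructed sample packet: IPv4 + ICMP echo request carrying `payload`."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0,
                         ttl, IPPROTO_ICMP, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def size_only_filter(packet: bytes) -> bool:
    """The coarse rule the post describes: drop any 92-byte ICMP echo request."""
    return classify_icmp(packet).startswith("echo-request-92")


def classify_icmp(packet: bytes) -> str:
    """Classify a raw IPv4 packet; 92-byte echo requests are split by payload fill."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8:
        return "not-icmp"
    if packet[ihl] != ICMP_ECHO_REQUEST:
        return "icmp-other"
    if total_len != WELCHIA_TOTAL_LEN:
        return "echo-request-other-size"
    payload = packet[ihl + 8:total_len]
    # A solid 0xAA fill matches the worm; any other 92-byte echo (e.g. a tracert
    # probe) is the collateral damage a length-only filter would cause.
    if payload and all(b == WELCHIA_FILL for b in payload):
        return "echo-request-92-welchia-fill"
    return "echo-request-92-unknown-fill"


if __name__ == "__main__":
    worm_like = build_echo_request(bytes([WELCHIA_FILL]) * 64)
    tracert_like = build_echo_request(bytes(64), ttl=1)   # first-hop probe, zero fill
    plain_ping = build_echo_request(bytes(32))           # 60-byte packet, untouched
    for name, pkt in [("worm", worm_like), ("tracert", tracert_like), ("ping", plain_ping)]:
        print(f"{name:8s} len={len(pkt):3d} size-only-drop={size_only_filter(pkt)} "
              f"class={classify_icmp(pkt)}")
```

Run stand-alone, it prints that the size-only rule drops both the worm-like and the tracert-like packet, while the payload check separates them; a filter keyed on the fill pattern (or on ICMP rate per source) is the kind of rule that stops the scan without taking Windows tracert down with it.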

Guess it's possible the author figured nobody would be willing to break
Windows in order to stop what he thought would be a harmless worm; turns out
he miscalculated both.

So what the world needs now is a replacement for tracert.exe so that Windows
users can once again do traceroutes. Microsoft, are you listening?

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html