OOB NUKE on Win 3.11 with Win32s too !! (Re: WINNUKE)

Tjerk Vonck (t.r.vonck@STUDENT.UTWENTE.NL)
Mon, 12 May 1997 22:29:27 +0200

[sorry for the massive to:'s... I didn't know the proper addresses and I
think this should be known to the world]

(* Problem on Win 3.11 described and fix provided *)

At 15:14 12-5-1997 -0400, people wrote:
>>It is possible to remotely cause denial of service to any windows
>>95/NT user. It is done by sending OOB [Out Of Band] data to an
>>established connection you have with a windows user. NetBIOS [139] seems
>>to be the most effective since this is a part of windows. Apparently
>>windows doesn't know how to handle OOB, so it panics and crazy things
>>happen. I have heard reports of everything from windows dropping carrier
>>to the entire screen turning white. Windows also sometimes has trouble
>>handling anything on a network at all after an attack like this. A
>>reboot fixes whatever damage this causes. Code follows.

All reports speak of Windows95 and winNT but Win3.11 with Win32s is affected
too !! I was on Win3.11 instead of Win95 to escape this bug today but got
crashed on the fly by others. I get dropped back into the DOS prompt as soon
as people do the OOB trick on me. This is easily and always reproducible.
(Ain't IRC a funny shooting range)

My system :
Win 3.11
Win32s
MS TCP/IP32 (the 32 bit TCP stack Microsoft made for win 3.11)

I'm on a LAN; a direct Internet connection. No modem or other interfaces or
stacks are involved. I only have this TCP/IP stack installed. No Netbeui
protocols or anything else.

--------- FIX (provided by Sully) ---------------------
I found this fix similar to one of the Windows 95 Fixes. It seems to work
properly.

1. Leave Windows 3.11
2. In DOS go to the c:\windows\system directory
3. Find the file named vnbt.386
4. Rename the file to vnbt.bak
5. Reboot your PC and start Windows 3.11

This will disable file sharing and probably other Win3.11 functionality but
doesn't -really- harm your system. It -will- result in an error on startup of
win3.11 but this can simply be ignored pending a more permanent fix
Microsoft should provide.
In the event that problems are experienced or when you really need
filesharing, simply rename the file vnbt.bak back to vnbt.386
-----------------------------------

It is not only Windows95/NT; are you aware of this ? Is MS aware of this ?
Please investigate this and/or add this to your reports ?!

Tjerk Vonck.
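
The condition the quoted report describes (TCP data marked urgent arriving on the NetBIOS session port 139) can be spotted on the wire by checking the URG flag of segments addressed to that port. The following is an added example, not part of the original message; the function names and the sample packets are constructed for illustration.

```python
import struct

NETBIOS_SSN = 139  # port named in the quoted report
TCP_URG = 0x20     # URG bit in the TCP flags byte

def build_packet(src, dst, sport, dport, flags, urg_ptr=0, payload=b""):
    """Build a minimal IPv4+TCP packet for the constructed samples (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags,
                      8192, 0, urg_ptr) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp

def inspect(packet):
    """Return an alert dict for a TCP segment to port 139 with URG set, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4 or too short
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or packet[9] != 6 or frag_offset or len(packet) < ihl + 20:
        return None                      # not TCP, later fragment, or truncated
    sport, dport, _, _, _, flags, _, _, urg_ptr = struct.unpack(
        "!HHIIBBHHH", packet[ihl:ihl + 20])
    if dport != NETBIOS_SSN or not flags & TCP_URG:
        return None
    return {"src": ".".join(map(str, packet[12:16])), "sport": sport,
            "urg_ptr": urg_ptr}

def scan(packets):
    """Inspect a capture (list of raw packets) and return all alerts."""
    return [a for a in map(inspect, packets) if a]

# Constructed sample capture (addresses from the 192.0.2.0/24 documentation range).
HOST = (192, 0, 2, 10)
SAMPLES = [
    build_packet((192, 0, 2, 20), HOST, 1040, 139, 0x18, payload=b"\x81\x00"),  # PSH|ACK
    build_packet((192, 0, 2, 66), HOST, 1055, 139, 0x38, 3, b"abc"),           # URG|PSH|ACK
    build_packet((192, 0, 2, 30), HOST, 1060, 23, 0x38, 1, b"\xff"),           # URG, not 139
    build_packet((192, 0, 2, 66), HOST, 1055, 139, 0x38, 3, b"abc")[:30],      # truncated
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print("URG segment to port 139 from %(src)s:%(sport)d, "
              "urgent pointer %(urg_ptr)d" % alert)
```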