A Windows 98 & ME forum. Win98banter


Can WannaCrypt infect a Windows 98 system



 
 
  #1  
May 17th 17, 05:37 AM posted to microsoft.public.windowsxp.general,microsoft.public.win98.gen_discussion
[email protected]

I've only heard it can infect Windows XP and newer versions of Windows.
What about Win98, or Win95, WinME, or Windows 2000?

Anyone know?

  #2  
May 17th 17, 08:55 AM posted to microsoft.public.win98.gen_discussion
Lee

On Tuesday, May 16, 2017 at 11:40:06 PM UTC-6, wrote:
> I've only heard it can infect Windows XP and newer versions of Windows.
> What about Win98, or Win95, WinME, or Windows 2000?
>
> Anyone know?


It uses a process that 98 is using for file sharing across networks (SMBv1) in order to install itself which doesn't look good. MS did release an update for XP SP3 but no earlier windows. Quick fix for newer windows is to disable SMBv1, but it's all we got for 98 networking.

Short answer - no, I don't see where we are 'safe', not yet at least.
  #3  
May 17th 17, 01:17 PM posted to microsoft.public.windowsxp.general,microsoft.public.win98.gen_discussion
Paul[_6_]

wrote:
> I've only heard it can infect Windows XP and newer versions of Windows.
> What about Win98, or Win95, WinME, or Windows 2000?
>
> Anyone know?


There's the bulletin, but it's not going to
care about older OSes. Notice that Microsoft has patched
WinXP, but it doesn't get an entry here (because WinXP is
out of support). I don't know whether WePOS would be documented
in one of these or not.

https://technet.microsoft.com/en-us/.../ms17-010.aspx

*******

https://www.reddit.com/r/sysadmin/co...ut_that_scans/

Of which one tool is listed as:

https://github.com/topranks/MS17-010_SUBNET

You can then open the Python source for a look. This is
so you can review how they're testing.

https://github.com/topranks/MS17-010...mb_ms17_010.py

Note the mis-spellings in the source. And we all know
what that means. Needs a spell checker :-)

The source appears to be crafting a DoublePulsar exploit of
sorts and looking for a characteristic response. So my
presumption is, that test does *more* than just check
for an open port 445, it actually attempts to use the
vulnerability in some way. Which in theory could tell
you if a Win98 box was vulnerable.

The hardest part of using Python, is sorting out the
versions. I'm not a Python jockey and cannot guess
whether that'll run on some other version of Python
you happen to have.

So that program would appear to be tickling each system
in the appropriate spot, rather than just checking
whether port 445 is open.

You can also try "DoublePulsar smbv1" in a Google search,
but be careful with what turns up. Using a scanning tool
that scans from the *WAN* side of your LAN, doesn't tell
much of a story (can't punch through your stateful IPv4
NAT router). You want to scan the LAN side. Like use
one of your LAN machines, to check the rest of them. Perhaps
you can scan the scanning machine itself using 127.0.0.1
as the IP address ? That's if you don't want to have to
set up Python on a second machine.

*******

OK, I did the best I could to test it.

+---------------------+     +---------------------------------------
| WinXP Host          | --- | LinuxMint 18.1 scanning machine
| 192.168.2.100       |     | python2 smb_ms17_010.py 127.0.0.1
|                     |     | python2 smb_ms17_010.py 192.168.2.100
| +-----------------+ |     | python2 smb_ms17_010.py 192.168.2.110
| | VPC2007         | |     +---------------------------------------
| | Win98SE         | |
| | Guest           | |
| | 192.168.2.110   | |
| +-----------------+ |
+---------------------+

This is the result:

https://s3.postimg.org/v6jnzsj9f/scan.gif

127.0.0.1      Errno 111 Connection refused   (Linux scans itself, Samba server
                                               not running on default LiveCD bootup
                                               so port 445 is not open.)

192.168.2.100  VULNERABLE (Windows 5.1)       (An unpatched WinXP SP3 machine)

192.168.2.110  Errno 111 Connection refused   (The Win98SE virtual machine)

I tested the Win98SE VM twice. The first call was
before the Linux box *mounted* the Win98SE share.
The second call was after the Win98SE share
was successfully mounted (presumably by SMBv1
protocol). So while SMB seemed to be working
from the Linux test machine to the Win98SE serving
side, the DoublePulsar test didn't trip off.

That's not a definitive test (because the Win98SE
was inside a VM, and you could argue "it's not the same"),
but I was able to mount the share the Win98SE machine
provides to the world. That share is completely
insecure by the way. The MINT machine doesn't even
present a password box when it touches that. If the
MINT (test) machine tries for a share on WinXP,
the usual boring password box appears, and I have
to log in.

For the exploit to work, the password doesn't matter.
WinXP SP3 could be tipped over, with the right payload
sent. That's what VULNERABLE means. If WannaCrypt gets
loose in my LAN, the WinXP SP3 machine could get "wormed".
I removed the WinXP patch on purpose (4012598). For the
Win98SE machine to get tipped over, some better
code would be needed at a guess. You can never really
be sure how many vulnerabilities are out there, and
this one test doesn't prove Win98 is "bulletproof",
merely "inconvenient to attack". So maybe we can
rate Win98 as "security by obscurity". Only Microsoft
knows the true situation, and they don't really have
an incentive to even speak the word "Win98" any more.

Paul

  #6  
May 18th 17, 12:45 AM posted to microsoft.public.win98.gen_discussion
J. P. Gilliver (John)[_2_]

In message , Lee writes:
> On Tuesday, May 16, 2017 at 11:40:06 PM UTC-6, wrote:
>> I've only heard it can infect Windows XP and newer versions of Windows.
>> What about Win98, or Win95, WinME, or Windows 2000?
>>
>> Anyone know?
>
> It uses a process that 98 is using for file sharing across networks
> (SMBv1) in order to install itself which doesn't look good. MS did
> release an update for XP SP3 but no earlier windows. Quick fix for

Doesn't help here, but ISTR seeing XP SP2 mentioned.

> newer windows is to disable SMBv1, but it's all we got for 98
> networking.
>
> Short answer - no, I don't see where we are 'safe', not yet at least.


--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

I remember a lot of questions on a vocalist forum about the problems singing
"There is a balm in Gilead" without making it sound like a security alert. -
Linda Fox in UMRA, 2010-11-19
  #7  
May 18th 17, 12:49 AM posted to microsoft.public.windowsxp.general,microsoft.public.win98.gen_discussion,alt.os.linux
Paul[_6_]

J.O. Aho wrote:
> On 05/17/17 22:27, Good Guy wrote:
>> On 17/05/2017 05:37, wrote:
>>> I've only heard it can infect Windows XP and newer versions of Windows.
>>> What about Win98, or Win95, WinME, or Windows 2000?
>>>
>>> Anyone know?
>>
>> No because Windows 98 users are likely to be very poor using their
>> system to pass time. It is never interesting to hack their system
>> because you won't find anything of interest and you won't get any
>> publicity for doing so.
>
> This shows how stupid microsoft users who got hit by wannacry are. Of
> course it affects ms-windows 98, it affects all versions which supports
> smb version 1.


For some reason, the emulation of DoublePulsar written
in Python, cannot contact a Win98SE machine. Yes, the Mint
machine in question, was able to mount the share that sits
on the Win98SE machine. The second attempt to reach node 110
(the Win98SE machine), still fails to connect, even though
port 445 has been proven to work at that point in time.
(The share is mounted between the first and second test
to 110.)

https://s3.postimg.org/v6jnzsj9f/scan.gif

The machine at 100, a WinXP Sp3 machine (where the patch
was removed), reports VULNERABLE when scanned.

I don't consider this test to be all that comforting,
and provided it as some evidence we *do* occasionally
check this stuff. For *fun* of course. The odds of
me actually getting WannaCrypt, are roughly the previous
odds of me getting Locky. A little Safe Hex goes a long way.

Safe Hex is difficult to teach. I've tried a few times,
and there are people who continue to "click everything"
and keep coming back to newsgroups, infected. Most of the
time, the infection is just adware, but it's still a bad
sign that it's one infection after another. And that's
*with* a number of products, an AV product, malwarebytes realtime,
Adwcleaner and a few others. So if you cannot practice
Safe Hex, there is no combination of products that seems
to be able to keep you safe. It turns out, Safe Hex is
a "premium" product and worth every penny.

Paul
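
Added example, not part of the thread and not code from the scanner the posts discuss: an "Errno 111 Connection refused" means the TCP connection was never established, so a check that connects to port 445 (as posts #3 and #7 describe it) never spoke SMB to that host and its result is inconclusive rather than a pass. Windows 9x file sharing listens on the NetBIOS session port, TCP 139, while direct SMB on TCP 445 arrived with Windows 2000, so probing both ports shows which transport a LAN host actually exposes. The function names and verdict strings are hypothetical.

```python
import socket

NETBIOS_SSN = 139  # SMB over NetBIOS session service (Windows 9x file sharing)
DIRECT_SMB = 445   # direct-hosted SMB over TCP (Windows 2000 and later)


def probe(host, port, timeout=2.0):
    """TCP connect check: 'open', 'refused' (Errno 111 on Linux) or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route, host down
        return "filtered"
    finally:
        sock.close()


def classify(state_139, state_445):
    """Say what a scanner that only connects to 445 can conclude about this host."""
    if state_445 == "open":
        return "445 open: a check over 445 reaches the SMB service"
    if state_139 == "open":
        return "139 only: SMB runs over NetBIOS, a 445-only check is inconclusive"
    if "filtered" in (state_139, state_445):
        return "filtered: no answer, nothing can be concluded"
    return "no SMB listener on 139 or 445"


def survey(hosts, ports=(NETBIOS_SSN, DIRECT_SMB), timeout=2.0):
    """Probe each host on both SMB transports; ports is (NetBIOS port, direct port)."""
    report = {}
    for host in hosts:
        s139, s445 = (probe(host, port, timeout) for port in ports)
        report[host] = (s139, s445, classify(s139, s445))
    return report


if __name__ == "__main__":
    # Addresses are the ones from the test setup in the posts; run from the LAN side.
    lan = ["127.0.0.1", "192.168.2.100", "192.168.2.110"]
    for host, (s139, s445, verdict) in survey(lan).items():
        print(f"{host:15} 139={s139:9} 445={s445:9} {verdict}")
```

A host reported as "139 only" still needs to be assessed and isolated by other means; the survey only tells you that a 445-based check did not test it.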
 




All times are GMT +1.