WinNuke Denial of Service Attack

CVE-1999-0153

Description of WinNuke

This DoS attack affects Windows 95, NT and 3.11 machines.

The WinNuke attack sends OOB (Out-of-Band) data to the IP address of a Windows machine connected to a network and/or the Internet. Usually, the WinNuke program connects via port 139, but other ports are vulnerable if they are open. When a Windows machine receives the out-of-band data, it is unable to handle it and exhibits odd behavior, ranging from a lost Internet connection to a system crash (resulting in the infamous Blue Screen of Death).
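For monitoring, the traffic pattern described above can be recognized at the packet level. The following is an added example, not part of the original page or any vendor tool: it assumes that out-of-band data is signalled by the TCP URG flag, and the function names, the sample packets and the 192.0.2.x addresses are constructed for illustration.

```python
import struct

URG = 0x20  # TCP flag bit that marks a segment as carrying urgent (out-of-band) data

def sample_packet(dport, flags, urg_ptr, payload=b""):
    """Constructed IPv4+TCP bytes used only as parser input (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, flags, 8192, 0, urg_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp + payload

def inspect_packet(pkt, watched_ports=(139,)):
    """Return an alert dict for a TCP segment with URG set to a watched port, else None.

    Pass watched_ports=None to flag urgent data to any port."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                       # not IPv4 or too short
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                       # bad header length, not TCP, or truncated
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None                       # non-first fragment: no TCP header present
    (sport, dport, _seq, _ack, _off, flags,
     _win, _csum, urg_ptr) = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    if not flags & URG:
        return None
    if watched_ports is not None and dport not in watched_ports:
        return None
    return {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport, "urg_ptr": urg_ptr}

if __name__ == "__main__":
    for pkt in (sample_packet(139, 0x38, 3, b"bye"),    # URG|PSH|ACK to port 139
                sample_packet(139, 0x18, 0, b"data"),   # ordinary PSH|ACK traffic
                sample_packet(80, 0x38, 1, b"x")):      # URG, but port not watched
        print(inspect_packet(pkt))
```

Some legitimate protocols, such as Telnet and rlogin, also use urgent data, so a match on ports other than 139 is a lead to investigate rather than proof of an attack.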

Symptoms of Attack

As discussed earlier, when a Windows machine is subjected to this attack, it will most likely disconnect from the network or Internet. In most cases, the machine will crash and the user will see the blue screen which indicates that the machine is in panic mode. In almost all cases, machines subjected to the WinNuke attack will not sustain permanent damage, and a simple reboot will suffice to recover from an attack. Any unsaved data in open applications, though, will almost certainly be lost.

How can I fix this vulnerability?

The fix for this vulnerability is to install a patch. Patches are available for Windows 95 and Windows NT 3.51/4.0. Unfortunately, no fix is available for Windows 3.11 machines at this time. There is, however, a workaround. To apply it, first exit Windows and, at the DOS prompt, change to the windows\system directory. Rename the file vnbt.386 to something you will be able to find later, such as vnbt.old. Next, reboot the machine and restart Windows. You will receive an error message from Windows, but this will not harm the system. Note that while this workaround makes a Windows 3.11 machine invulnerable to the WinNuke attack, it also disables file sharing. If file sharing is needed in the future, simply rename the file back to vnbt.386 and reboot the machine.

Where can I read more about this?

The WinNuke attack has been fairly well documented, and several sources on the Web offer helpful information. These include Microsoft's Out-of-Band Attacks page, IRChelp and Windows Central.

To keep abreast of existing and emerging Denial of Service attacks, and other security threats, visit the Microsoft Security Advisor, the Windows Central Bug Site, and/or CERT. If information on a specific attack is not located on these sites, keep checking back as they are updated frequently.