The WinNuke Relief Page

Important Note! The information on this page is horribly out of date and is online for historical and informational purposes only. Many of the files and sites linked on this site deal with Windows 95 or earlier operating systems, and installing updates or patches on a modern system can be harmful.

Welcome to..
The WinNuke Relief Page
(Or, "Why WinNuking is Lame")

How to protect your computer in a few easy steps.

By Dan Finkelstein

NEW! Back Orifice info

I. What is WinNuke?

WinNuking is a term for a simple procedure that malicious computer users use on other computer users on the Internet. Effects of this procedure include the victims computer crashing, or loss of their connection to the Internet.

Most people have probably been WinNuked, but have not realized it. If you have ever gone on IRC (Internet Relay Chat), used ICQ, or even been to a webpage, you may have unknowingly given out your IP address, which is all an attacker needs to launch an attack on your computer.

The WinNuking procedure is a very simple one, exploiting a large bug in Windows 95/NT's Networking system. Basically, the program attaches it to port 139 of any Windows 95 computer, and sends "junk" into the port. Also known as an OOB (Out of Bounds) attack, this causes the networking system to bomb, and your computer crashes. While it's unlikely being WinNuked will do anything disastrous to your computer, you are usually forced to restart your computer, or at the least, redial your ISP.

It is hard to determine who first discovered this security hole, but a mysterious individual name "_eci" published his C source code on June 7, 1997. This source code was distributed around the Internet, and Microsoft responded by issuing an fix to the problem a few weeks later.

Yes, there is a fix to protect yourself from being WinNuked. Read On.

II. Why is WinNuking lame?

WinNuking is very lame, for several reasons. First, since it's probably the most well-known flaw in an operating system that many, many people despise (Windows 95), the source code to the program is freely available on the internet. A simple search of "winnuke.c" on Altavista would most certainly turn up the code.

Added to that fact is that WinNuke is very easy to compile and run, requiring only the host name of the computer you wish to crash. You do not need to have root access to run it, so anyone with a Unix account could easily go on a WinNuking rampage.

Probably the funniest WinNuke application I've seen, ran on Windows 95 itself. This program is even easier to use, as the user does not need to compile anything, nor acquire the source code. The person who was using this fun little program, which included a big "NUKE" button along with accompanying sound effects and graphics, did not see the irony of using a Windows 95 program to crash another Windows 95 computer. There are other programs, like mIRC scripts, which will go through an entire IRC channel and nuke everyone.

Are you getting my point? WinNuking is lame. Almost everyone who uses Windows 95 is vulnerable to it. The program requires no skill to acquire or use. If you use WinNuke, or any of the other attacks listed below, and you're not the person who wrote it, you are LAME. If you think you are a "hacker" for being able to kick people off AOL, you are not.

III. Protecting yourself.

Updating Windows 95 to prevent you from being WinNuked is fast and easy. Follow these few steps, and soon you'll be able to surf without fear:

First, download the Windows Sockets Version 3 update file from Microsoft's ftp site. The file is small, and should take a maximum of 5 to 10 minutes to download. If you want, you can save it to a folder on your hard drive (the desktop is a good spot). If you don't know how, simply save it anywhere on your hard drive. We can find the file again after you're done downloading.
- File #1 - msdun13.exe (2.3mb)
  (If you have not downloaded anything from Microsoft before, you may be asked to provide some information about yourself before you can download the file)
If you know the folder you downloaded the file to : Go to "Start", click "Run", and type the folder name (i.e. "c:\temp\"), followed by the file name "msdun13.exe". The file should run and install itself automatically. It may ask for your Windows 95 CD-ROM. After it installs, it will ask if you want to reset your computer. Do so at this time.
If you do not know the folder you downloaded the file to:

Windows NT 3.51 users: Make sure you have Service Pack 5 installed first, then look this patch.

Windows NT 4.0 users: First apply Service Pack 3, then this fix.

Windows 98 users: You don't need to do anything -- Win98 is protected from WinNuke, as well as most of the W95-related attacks listed in Section V.

IV. Can I see who is WinNuking me?

Many people have asked me this question, and here is the answer: Yes, you can use special monitoring software, like NukeNabber, which will "listen" on port 139 for WinNuke attacks. When it detects one, it gives you the attackers IP address. You can compare this with the IP's of the people in a chat room you may be in to see who exactly is attacking you. Remember: many people (myself included) feel the urge to WinNuke this person back. However, if you do this, you're just as lame as the attacker! If the attacks continue, what I recommend is using the "tracert" command to determine the attackers Internet Service Provider. E-mail root@thatisp.net with the time, date, and IP of the attacker.

V. Other Networking Attacks

Despite what some companies would have you believe, there is virtually no piece of hardware or software that is completely bug free. There will always be security holes, and there will always be people who try and exploit them. Listed below are some of the other popular attacks, which, while not exactly the same in function as WinNuke, have virtually the same effects. They deserve the name "attack" because that is what they really are: attempts to crash, or, at the least, impede normal operation of computer hardware or software. Some even effect other, more stable operating systems, such as Linux or other Unix variants. However, they all are lame.:

"Nuking" (nuke.c), not to be confused with WinNuking, has been around for a long time. It is old, does not usually work on most modern-day systems, and requires the attacker to be root (i.e. master account) to run. The attack is done by sending fragmented or invalid ICMP packets to the target, which slows down and eventually crashes the host. Recently, a variation of this old attack appeared, called "Smurfing". Basically, ISP's have to worry about these kind of attacks, not specific individuals.
In January of 1997, "The Ping o' Death" was discovered, and proved to effect 18 major operating systems, Windows 95 and NT included. In this attack, systems which are "pinged" with a very large packet will crash. Service Pack 2 fixes this problem on Windows NT machines. The above patch fixes the problem on Windows 95 machines. See this page for more info.
In June of 1997, "SSPing/Jolt" appeared. In this kind of attack, fake TCP/IP packets are sent to a host, causing the host to slow down or crash. While less serious than WinNuke, anyone who runs a mission-critical web server on Windows NT should apply the fix, which can be found here.
Also in June, another bug in the Windows NT 4.0 web server (Internet Information Server 3.0) could let a malicious user crash the server when it receives a very large URL (4kb to 8kb) in a CGI request. The patch for NT web server administrators is available here.
A fairly new attack, called "Teardrop", affects Windows 95/NT machines, as well as Linux and other operating systems. It occurs when an invalid or fragmented IP address is sent to a host, causing it to crash or hang. The fix for Windows 95 users is included in the WinNuke patch above. Windows NT users should consult this page. Recently, a new version of the Teardrop attack has appeared. (see below)
Early in December 97, a new bug, called a "land c" or "Land Attack" has appeared, by "Meltman". It affects some operating systems, as well as some Internet hardware such as firewalls and routers. Like the SSPing attack, it allows someone to slow down or crash a Windows NT machine, and crash a Windows 95 system. A patch for Windows 95 machines is included in the WinNuke fix above. Windows NT users should consult this link.
There are several bugs in Microsoft's latest Internet Explorer 4.0 browser, which can let a malicious person access and/or destroy files on your hard drive. On January 14th, 1998, the "MK Overrun bug" was reported, which can cause IE4.0 to crash when the user tries to go to a webpage that starts with "mk://". A fix for NT and 95 users is provided by Microsoft at this page. A similar attack, called the "IE Buffer Overrun bug", can be fixed at this MS webpage.
Recently a new varaiation on the Teardrop attack has surfaced, called "NewTear" or "Boink". As of January 12, 1998, there is a fix for Windows NT users. The fix for Windows 95 machines, released on January 23rd, is included in the WinNuke fix above.
On February 13th, a new DOS (Denial of Service) attack was discovered that affects Windows NT 4.0 machines ONLY. During this kind of attack, a malicious user could create an incorrect logon packet, which causes NT to "blue screen" and reboot. Microsoft acted fast in releasing a fix, available here.
ICQ is a popular Internet messaging service which allows users to track which of their friends and co-workers are online and send messages back and forth with them. Recently, however, it's users have been the target of a several malicious new attacks:
- Around May 13th, Seth McGann released his source code to an ICQ Spoofer which allowed anyone who compiled his program on a Unix machine to send a fake message to any person who had ICQ currently running on their computer. The spoofer can make the message appear to be from any ICQ UIN, including fake numbers as 1 or 666, or someone who is already in your list. Recently, several ICQ spoofer programs for Windows 95 have appeared, which make it even easier for people to use (and abuse) the program. A variation on the ICQ spoofer, known as the "ICQ bomber", sends hundreds (or thousands) of ICQ messages to the victim from random UIN's, rendering the victim's ICQ useless.
  The new version of ICQ (98 beta ver 1.26) released on May 22nd, has been confirmed to be "Spoof-Proof". You can update your copy here.
- On May 31st, a new, even more potentially dangerous attack was released to the public, authord by someone named "wumpus@innocent.com", called ICQ HiJaak. This program, which affects even the new "Spoof-Proof" ICQ (above), can allow someone to change your ICQ password without your authorization. Obviously, the attacker then has full control over your ICQ account, while you can do nothing.
  Responsing to the problem, Mirabilis originally disabled the ability to change your password at all on June 3rd, 1998. About two weeks later, they released a new version of ICQ, 98 beta 1.30 which, while not confirmed, most likely fixes the latest security issues.
Back Orifice, by the interestingly-named hacker group "Cult of the Dead Cow", is a new (September '98) program for Windows 95 or 98 systems. Here's how it works: The attacker gains access to your system (in most cases, he/she must actually physically be sitting at your computer), and installs a small program that hides in the background. Then, from the comfort of their own home, they can take control of your system, manipulating (and deleting) files, changing system settings, and other mischief.
Back Orifice shouldn't be too big of a concern for most users, as it requires the attacker to (in most cases) have physical access to the computer being attacked. However, if you run a large number of publicity accessible computers, you should probably check to see if BO is installed, by downloading "BoDetect".

VI. Conclusion

Now that you are protected from being WinNuked, here is what I suggest you do. Find someone and tell them to nuke you. After it does nothing, and the person is baffled, laugh at them, and then blatantly say...
WINNUKING IS LAME!
(Capitals are suggested)

- Dan Finkelstein (12-7-97, updated 10-6-98)

This page is © 1997,1998 - Dan Finkelstein.
Thanks to The WinNuke Testing Ground, irchelp.org's DOS page, and News.com for some source material.