
Re: [Full-Disclosure] DCOM Worm/scanner/autorooter !!!




<br><font size=2 face="Courier New">hi folks,</font>
<br>
<br><font size=2 face="Courier New">already saw a re-edited one which has only two targets (just as the last sploit by k-otik).</font>
<br>
<br><font size=2 face="Courier New">&lt;cut&gt;</font>
<br><font size=2><tt>/* RPC DCOM WORM v 2.3 &nbsp;- </tt></font>
<br><font size=2><tt>&nbsp;* originally by volkam, fixed and beefed by uv/graff</tt></font>
<br><font size=2><tt>&nbsp;* even more original concept by LSD-pl.net</tt></font>
<br><font size=2><tt>&nbsp;* original code by HDM </tt></font>
<br><font size=2><tt>&nbsp;*</tt></font>
<br><font size=2><tt>&nbsp;* --</tt></font>
<br><font size=2><tt>&nbsp;* This code is in relation to a specific DDOS IRCD botnet project.</tt></font>
<br><font size=2><tt>&nbsp;* You may edit the code, and define which ftp to login</tt></font>
<br><font size=2><tt>&nbsp;* and which .exeutable file to recieve and run.</tt></font>
<br><font size=2><tt>&nbsp;* I use spybot, very convienent</tt></font>
<br><font size=2><tt>&nbsp;* -</tt></font>
<br><font size=2><tt>&nbsp;* So basicly script kids and brazilian children, this is useless to you</tt></font>
<br><font size=2><tt>&nbsp;* </tt></font>
<br><font size=2><tt>&nbsp;* -</tt></font>
<br><font size=2><tt>&nbsp;* shouts: darksyn - true homie , giver of 0d4yz, and testbeds</tt></font>
<br><font size=2><tt>&nbsp;* &nbsp; &nbsp; &nbsp; &nbsp; volkam &nbsp;- top sekret agent man </tt></font>
<br><font size=2><tt>&nbsp;* &nbsp; &nbsp; &nbsp; &nbsp; ntfx &nbsp; &nbsp;- master pupil &nbsp;</tt></font>
<br><font size=2><tt>&nbsp;* &nbsp; &nbsp; &nbsp; &nbsp; jpahk &nbsp; - true homie #2</tt></font>
<br><font size=2><tt>&nbsp;* &nbsp; &nbsp; &nbsp; &nbsp; k3r0m &nbsp; - made that shit universal (2 targets WinXP - Win2k)</tt></font>
<br><font size=2><tt>&nbsp;*</tt></font>
<br><font size=2><tt>&nbsp;* Legion2000 Security Research (c) 2003 </tt></font>
<br><font size=2><tt>&nbsp;* - &nbsp; &nbsp; &nbsp; &nbsp;</tt></font>
<br><font size=2><tt>&nbsp;* &nbsp;enjoy! </tt></font>
<br><font size=2><tt>&nbsp;**************************************************************/</tt></font>
<br><font size=2 face="Courier New">&lt;/cut&gt;</font>
<br><font size=2 face="Courier New">as stephen said: PATCH PATCH PATCH (it'll be a funny week-end).</font>
<br><font size=2 face="Courier New">c y'all</font>
<br><font size=2 face="Courier New">--r</font>
<br>
<br><font size=2 face="Courier New"><br>
--- Stephen &lt;alf1num3rik@yahoo.com&gt; wrote:<br>
&gt; <br>
&gt; Hello here,<br>
&gt; <br>
&gt; a new worm is in the wild, it uses the exploit<br>
&gt; released by k-otik (48 targets - <br>
&gt; http://www.k-otik.com/exploits/07.30.dcom48.c.php)<br>
&gt; <br>
&gt; look at this shit :<br>
&gt; <br>
&gt; /* RPC DCOM WORM v 2.2 &nbsp;- <br>
&gt; &nbsp;* This code is in relation to a specific DDOS IRCD<br>
&gt; botnet project.<br>
&gt; &nbsp;* You may edit the code, and define which ftp to<br>
&gt; login<br>
&gt; &nbsp;* and which .exeutable file to recieve and run.<br>
&gt; &nbsp;* I use spybot, very convienent<br>
&gt; &nbsp;* -<br>
&gt; &nbsp;* So basicly script kids and brazilian children,<br>
&gt; this<br>
&gt; is useless to you<br>
&gt; &nbsp;* <br>
&gt; <br>
&gt; So PATCH PATCH PATCH and block the ports 135 - 139<br>
&gt; - 445 - 593<br>
&gt; <br>
&gt; Regards.<br>
&gt; <br>
&gt; Stephen - Germany<br>
</font>
<br>
<br><font size=2 face="Arial">PS: try some o' this : echo '#include &lt;stdio.h&gt;</font>
<br><font size=2 face="Arial">&nbsp; &nbsp; &nbsp; &nbsp; int main(void)</font>
<br><font size=2 face="Arial">&nbsp; &nbsp; &nbsp; &nbsp; {</font>
<br><font size=2 face="Arial">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; asm(&quot;jmp .&quot;); /* jumps to itself: spins forever */</font>
<br><font size=2 face="Arial">&nbsp; &nbsp; &nbsp; &nbsp; }' &gt; r0m.c &amp;&amp; gcc -o r0m r0m.c &amp;&amp; ./r0m</font>