[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

To: <full-disclosure@lists.netsys.com>
Subject: Re: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
From: "Chris Garrett" <somatose@cox.net>
Date: Tue, 12 Aug 2003 00:59:31 -0400

I had a friend infected with the worm earlier today, at about 17:00EST. He was
running Windows XP Home edition. He called me because his computer had been
rebooting "spontaneously," and whenever he would go to google to search for a
strange binary he saw [msblast.exe], he either found nothing or was mysterious
redirected to some strange website. At least, I believe that was his
description. I hadn't seen any reports of MSBlast on FD before this point, but I
was almost certain it was a worm of some sort using the DCOM RPC exploit. I had
him check the registry, remove the keys, and delete .*msblast.*. I also had him
disable DCOM, since I doubted he was using anything that utilized it, then
directed him to the MS03-26 patch. This was all based on a guess that it he was
infected by something DCOM related [makes sense given the massive publicity and
severity of this vulnerability]. I wasn't certain if any other files were
corrupted at the time, but those simple measures seemed to do the job. Imagine
my surprise when 10 minutes later, I receive and FD email reporting the release
of a worm identified by an msblast binary.

My friend also reported to me that /somehow/ his Norton Auto-Protect had been
disabled. Now, I don't know if that was the worm [as I've not seen any analyses
thusfar to suggest that the worm does that], or if it was something he had
disabled, accidentally, at some point.

In short, XP is affected, as well. And I would imagine his computer kept
rebooting because other systems within the class B range he was on were
constantly probing his system and trying the 2K offset, and not because of the
worm that had already infected his system [which was my original, incorrect,
impression, before the analyses put out by ISC, XFocus, and Norton].

Christopher Garrett III
Inixoma, Incorporated

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
  - From: "ViLLaN" <villain@protonic.com>
- Re: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
  - From: "morning_wood" <se_cur_ity@hotmail.com>

References:
- RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
  - From: "Gerald Cody Bunch" <gbunch@gmx.net>

Prev by Date: [Full-Disclosure] Symantec has released an MSBLast removal tool.
Next by Date: [Full-Disclosure] aside: worm vs. worm?
Prev by thread: RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
Next by thread: RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
Index(es):
- Date
- Thread