Re: [Full-Disclosure] MSblast worm

["Matthew Murphy" <mattmurphy@kc.rr.com>]

----- Original Message -----
From: "Johan Denoyer" <jdenoy@digital-connexion.info>
To: "Jasper Blackwell" <jasper599@hotmail.com>
Cc: <full-disclosure@lists.netsys.com>
Sent: Tuesday, August 12, 2003 6:09 AM
Subject: Re: [Full-Disclosure] MSblast worm


> worms affects :
>
> Microsoft Windows NT 4.0
> Microsoft Windows 2000
> Microsoft Windows XP
> Microsoft Windows Server 2003

WRONG!  The RPC vulnerability affects all of these systems, but the worm
does not successfully spread to Windows NT or to Windows Server 2003
machines.  Further analysis shows my initial conclusion to be wrong, as many
stated here: Windows 2000 *and* Windows XP are impacted.

The reason this doesn't spread to NT/Windows Server machines is because the
two return addresses used are specific to Windows XP/2000.  The exploit is a
straight rip out of dcom.c, right down to the 4444/tcp shell.

> Salutations,
>
> Johan Denoyer
> jdenoy@digital-connexion.info
> Digital Connexion
> http://www.digital-connexion.info
>
> Jasper Blackwell a dit&#160;:
> > Hi All,
> >
> > Does anyone know if this MSblast worm affects Win NT machines, or is it
> > just
> > infecting 2000 and XP.
> >
> > Thanks
> >
> > Jasp
> >
> > _________________________________________________________________
> > Sign-up for a FREE BT Broadband connection today!
> > http://www.msn.co.uk/specials/btbroadband
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html