[Full-Disclosure] smarter dcom worm

["Justin Shin" <zorkshin@tampabay.rr.com>]

As many people have said, this worm sucks. First of all, look at the host discovery mechanism. Random IP's are sooooo outdated. A better idea? Start with:

1. Subnet (192.168.x.x)
2. WAN Address [for nat's] (24.31.34.x)
3. Incremental WAN (24.31.x.x)

Obviously not a new idea but also not a bad one. I am sure that your average college-level math professor could simplify the host discovery process.

tftp: slow, old, but easy to use. probably straight up ftp would be a better dropping protocol, no?

registry/run is the oldest known startup method. try actually using MULTIPLE startups, like Registry RunServices, RunOnce, RunServicesOnce, AUTOEXEC.BAT, SYSTEM.INI, WIN.INI, WINSTART.BAT, WINITIT.INI, CONFIG.SYS ... etc.

once installed, the program should spawn copies of itself, using startup methods, hidden files, fake system exes, etc. it should block out filenames of patches, windowsupdate stuff, fixes, to stop newbies from fixing it.

the worm should also have a more interesting payload -- such as lookin at inetpub and htdocs, etc.

note -- im not trying to encourage this stuff, i am just pointing out some key flaws in this worm. the next one may have all of these features and much more, because I am not a very creative guy.

-- Justin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html