[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] dobble-clicking msblast.exe

To: <nick@virus-l.demon.co.uk>, <full-disclosure@lists.netsys.com>
Subject: RE: [Full-Disclosure] dobble-clicking msblast.exe
From: "Dowling, Gabrielle" <dowlingg@sullcrom.com>
Date: Wed, 13 Aug 2003 01:27:29 -0400

Nick....

There is nothing magical except for the ubiquitous port  it traverses on
and the fact that is seems to managing to crash RPC on servers
regardless of privilege and on patched systems once it gets onto a
network....

If you recall, there was a second RPC vuln described around the time
that MS03-26 came out., and for which MS has not issued a patch  It
seems this worm uses it, that was what all the svchost stuff was about
(i.e., those machines weren't infected, they were rather negatively
affected).

G

-----Original Message-----
From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk] 
Sent: Tuesday, August 12, 2003 11:20 AM
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] dobble-clicking msblast.exe

martin f krafft <madduck@madduck.net> wrote:

> Does anyone know what happens if you run msblast.exe on an uninfected 
> system?

It becomes infected and infective.

There is nothing especially magical about the features of the worm 
program -- run it and it starts trying to spread (or to DoS 
windowsupdate.com depending on the date).  Its function is certainly 
not affected by the way it gets onto a machine or whether it is 
launched by the exploit code or not (well, it may depend on some 
elevated privileges such as the those it gets as local system from the 
RPC exploit code running, as it does, as part of a system service).

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

**********************************************************************
This e-mail is sent by a law firm and contains information
that may be privileged and confidential. If you are not the 
intended recipient, please delete the e-mail and notify us 
immediately. 
***********************************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: [Full-Disclosure] smarter dcom worm
Next by Date: Re: [Full-Disclosure] PacBell Internet blocked port 135
Prev by thread: RE: [Full-Disclosure] dobble-clicking msblast.exe
Next by thread: RE: [Full-Disclosure] dobble-clicking msblast.exe
Index(es):
- Date
- Thread