[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] dobble-clicking msblast.exe
- To: <nick@virus-l.demon.co.uk>, <full-disclosure@lists.netsys.com>
- Subject: RE: [Full-Disclosure] dobble-clicking msblast.exe
- From: "gml" <gml@phrick.net>
- Date: Wed, 13 Aug 2003 14:32:03 -0400
I would think it would try to copy itself to %systemroot%\system32 find that
it doesn't have access to overwrite msblast.exe and then just keep
executing, but then again.
-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Nick FitzGerald
Sent: Tuesday, August 12, 2003 11:20 AM
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] dobble-clicking msblast.exe
martin f krafft <madduck@madduck.net> wrote:
> Does anyone know what happens if you run msblast.exe on an
> uninfected system?
It becomes infected and infective.
There is nothing especially magical about the features of the worm
program -- run it and it starts trying to spread (or to DoS
windowsupdate.com depending on the date). Its function is certainly
not affected by the way it gets onto a machine or whether it is
launched by the exploit code or not (well, it may depend on some
elevated privileges such as the those it gets as local system from the
RPC exploit code running, as it does, as part of a system service).
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html