[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Windows Dcom Worm Killer and source code
- To: w g <xillwillx@yahoo.com>, bugtraq@SECURITYFOCUS.COM, full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] Windows Dcom Worm Killer and source code
- From: w g <xillwillx@yahoo.com>
- Date: Wed, 13 Aug 2003 19:46:09 -0700 (PDT)
<DIV>source available here</DIV>
<DIV><A href="http://illmob.org/sources/DCOMkill.html";>http://illmob.org/sources/DCOMkill.html</A><BR><BR></DIV>
<DIV>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid; WIDTH: 100%">
<DIV>1.6 kb assembly program to kill and remove the dcom worm</DIV>
<DIV> </DIV>
<DIV><A href="http://illmob.org/files/dcomkiller.zip";>http://illmob.org/files/dcomkiller.zip</A></DIV>
<DIV> </DIV>
<DIV>DETAILS:</DIV>
<DIV> </DIV>
<DIV> DCOM worm killer (W32.Blaster.Worm) <BR> Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]<BR> WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]</DIV>
<DIV> Coded in MASM by:<BR> illwill <BR> <A href="mailto:xillwillx@yahoo.com";>xillwillx@yahoo.com</A> <BR> <A href="http://www.illmob.org/";>www.illmob.org</A> <BR> <BR> 8/13/2003<BR> This program is a tool to remove the malicious worm<BR> t!
h! at
spreads through exploiting the DCOM RPC vulnerability using TCP port 135. <BR> This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.<BR> Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, <BR> allowing an attacker to issue remote commands on the infected system.<BR> This tool was made to Automate the process of removing the worm from memory and all files related to it.</DIV>
<DIV>-------------------------------------------------------------------------<BR> Directions:<BR> 1. Execute the file called DCOMKill.exe<BR> This will automatically kill the worms process <BR> running in memory and remove the registry startup method<BR> and then it will erase any files left by the worm.<BR> <BR> 2. All done :) ... next step <BR> W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, <BR> and a patch is available there. You must download and install the patch.Also buy an antivirus and keep it <BR> updated weekly . Also I'd suggest getting a firewall to protect from any outside intruders.</DIV>
<DIV>-------------------------------------------------------------------------<BR>Tech Info:<BR>Startup registry key-<BR> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<BR> "windows auto update"="msblast.exe"</DIV>
<DIV>Dropped files-<BR> Windows system directory (c:\windows\system32 c:\winnt\system32)<BR> msblast.exe</DIV>
<DIV>Note:<BR>if you are running Windows XP, it is recommended that you temporarily turn off System Restore. Windows XP uses this feature, </DIV>
<DIV>which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan </DIV>
<DIV>infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.</DIV>
<DIV>Source:<BR>available upon request.<BR></DIV>
<P>
<HR SIZE=1>
Do you Yahoo!?<BR><A href="http://us.rd.yahoo.com/evt=10469/*http://sitebuilder.yahoo.com";>Yahoo! SiteBuilder</A> - Free, easy-to-use web site design software</BLOCKQUOTE></DIV><p><br><hr size=1>Do you Yahoo!?<br>
<a href="http://us.rd.yahoo.com/search/mailsig/*http://search.yahoo.com";>The New Yahoo! Search</a> - Faster. Easier. Bingo.