[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] [UPDATE] ping floods
- To: "Sam Pointer" <sam.pointer@hpdsoftware.com>, <full-disclosure@lists.netsys.com>
- Subject: Re: [Full-Disclosure] [UPDATE] ping floods
- From: "benjurry" <benjurry@szcert.org>
- Date: Tue, 19 Aug 2003 01:08:54 +0800
This worn written by VC++6.0 and compressed by UPX. Its size is 10240 bytes.
The worm's aim is to remove the msblast anf patch the system,which infects by RPC DCOM and WebDEV.
When it go into the system ,it copy %systemroot%\system32\dllcache\tftpd.exe to %systemroot%\system32\wins\svchost.exe ,then create the service named RPCTftpd ,and its Display is ""Network Connections Sharing".
And then It copy himself to %systemroot%\system32\wins\dllhost.exe ,then create the service named RpcPath .
3rd,the worm will check the process "msblast" and remove it ,then download the patch form the M$ according diffrent language version,and patch system with parameter "-n -o -z -q".
Then it scan the subnet with ICMP filled with ,whose type is "echo" and size is 92 bytes ,so there are large volumes of ICMP traffic in network .when the worm find a host ,it will try to infect with RPC DCOM and Webdev, If sucess it will listen a TCP port less than 1000 to send the file.If the year is 2004,then it will remove itself.So the easiest way to remove is adjust your time.
It seems it is a "good " worm to clean msblast:)
benjurry
----- Original Message -----
From: "Sam Pointer" <sam.pointer@hpdsoftware.com>
To: "'Abraham, Antony (Cognizant)'" <Antony@blr.cognizant.com>; <B3r3n@argosnet.com>; <full-disclosure@lists.netsys.com>
Sent: Tuesday, August 19, 2003 12:15 AM
Subject: RE: [Full-Disclosure] [UPDATE] ping floods
> Antony Abraham wrote:
> >
> >http://vil.nai.com/vil/content/v_100559.htm
> >
> >New RPC worm which will generate lot of ICMP traffic.
>
> Well I guess it would appear from this portion of NAI's analysis that
> someone was listening to the thread on this list about writing an
> anti-blaster worm:
>
> "The worm carries links to various patches for the MS03-026 vulnerability:
> ...
> The worm attempts to download and install one of these patches on the victim
> machine."
>
>
> This email and any attachments are strictly confidential and are intended
> solely for the addressee. If you are not the intended recipient you must
> not disclose, forward, copy or take any action in reliance on this message
> or its attachments. If you have received this email in error please notify
> the sender as soon as possible and delete it from your computer systems.
> Any views or opinions presented are solely those of the author and do not
> necessarily reflect those of HPD Software Limited or its affiliates.
>
> At present the integrity of email across the internet cannot be guaranteed
> and messages sent via this medium are potentially at risk. All liability
> is excluded to the extent permitted by law for any claims arising as a re-
> sult of the use of this medium to transmit information by or to
> HPD Software Limited or its affiliates.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html