[Dshield] Sorry I know we're all busy but I had to share this with the list.

Paul Marsh pmarsh at nmefdn.org
Mon Aug 11 20:50:10 GMT 2003

The following are just a few posts I just received on FD, it's amazing, isn't anyone paying attention?


	We're seeing what looks like an rpc worm spreading internally (gotta love
dialup users), and I'm trying to figure out if this is something new, or
just something old that we finally are getting.

I'm not entirely sure it's a worm, it almost appears to be an auto-rooter
with quick spreading ability (fine line between that and a worm, I
suppose).  Has anybody else seen something with these characteristics:

Host scans local subnet first, looking for vulnerable machines and opening
up port 4444 on the remote host, and running the following:


	 I'm working as a technician and have had 3 people
from the local area call within the last hour about a
problem with having their computer shut down after
giving a one minute warning.  This only happens when
they have an internet connection - if they boot up
with a network cable plugged in, even if they don't
have a browser or any other apps open, it'll shut
down.  It looks like they're all running NT/2k/XP as
well - is this a DCOM worm? 


	I had two friends of mine call me, telling that
their PC would "constantly reboot" complaining
about some "RPC" thing. Both calls within an
hour. Something tells me it might have to do
with that worm...

More information about the list mailing list