[Dshield] Simultaneous MSBlaster and ??? attack?

Joe Stewart jstewart at lurhq.com
Wed Aug 13 17:13:32 GMT 2003


On Wednesday 13 August 2003 11:53 am, Craig Shaw wrote:
> Not sure if this is your particular problem, but TrendMicro had this
> reported:
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDB
>O T.A
>
> It started peaking around noon yesterday and tapered off quickly.

It's not really a worm; it is a IRC controlled DDoS zombie with the 
capability to infect other systems when given the command to do so
by its controller.

It is based off of the Spybot code but instead of infecting via Kuang2
or Subseven it now uses the RPC exploit. This version also uses
dll injection, which makes it more difficult to find and clean from 
infected systems.

This is only one of many trojans we have seen being spread via the 
RPC exploit. Up until the worm started, it has been a field day for the 
IRC kiddies.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/




More information about the list mailing list