[Dshield] Simultaneous MSBlaster and ??? attack?
Jon R. Kibler
Jon.Kibler at aset.com
Wed Aug 13 19:21:09 GMT 2003
I would like to add that I have been told by an associate that to clean up a system (for a new client they acquired because of this worm), they had to do everything Johannes spells out below, plus:
1) FDISK the HDD to kill all partitions.
2) Reboot from install media.
3) FDISK the HDD to create new partitions.
When they left out step two, some memory-resident "contaminant" managed to reinfect the system while doing the install, before it was even connected to the network.
Hope this helps!
Jon R. Kibler
Charleston, SC USA
"Johannes B. Ullrich" wrote:
> On Wed, 2003-08-13 at 11:15, Micheal Patterson wrote:
> > Does anyone have any information on any trojans that are utilizing the same
> > DCOM exploit yet?
> Well, trojans, bots and other toyZ using this exploit have been around
> for at least two weeks now. There are too many variants to find them
> all, as they are usually custom made and sometimes not easy to detect.
> I think I said this before here. Just to reiterate:
> If you find a machine that is infected by msblaster, I strongly
> recommend a COMPLETE REBUILD. Do not just use any of the msblaster
> cleanup tools. They will not remove any backdoors left by others.
> Even for an expert, it is very hard to find all possible backdoors.
> I recommend:
> 1 disconnect the machine from the network as fast as possible.
> Physically remove the network cable or phone line.
> 2 shut it down.
> 3 rebuild from scratch
> 4 apply patches (use a different computer to download them)
> 5 if you have WinXP, enable the built-in firewall, or if you
> have a personal firewall, install it.
> 6 install an antivirus program and do a complete scan of the
> machine. Try to apply the latest virus definitions from CD
> (can be hard, depends on software)
> 7 connect back to the network.
> If you have data on this machine, which you can not afford to
> lose, insert these steps between (2) and (3)
> a boot computer
> b apply worm removal tool from CD.
> c install recent virus scanner with up to date definitions and
> do a complete scan. Even if you already had a virus scanner
> installed, reinstall the virus scanner.
> d run a complete virus scan.
> e backup the files you need. Or, get a new hard disk and keep the
> old one around as a backup (you can put it into a USB enclosure)
> After you have the system back online, clean and current on virus
> definitions, run a complete virus scan on the backup again.
> I know this is a long list and it's not easy. But anything else may
> cost you big time later. You will likely never find out about the
> backdoor until your credit card is rejected by some merchant as
> 'over limit'.
> > I've got systems that were patched via the Win2k patch
> > file, not via Windows Update, that have an apparent trojan on them. The main
> > symptoms that are noticeable are the inability to pull up properties or see
> > within the winnt folder; the control panel icons are all listed in a
> > frame on the left, and Add / Remove Programs is empty with the fonts mangled.
> > I'd seen mention of kaht2 root kit using the DCOM exploit, but it appears to
> > have been overshadowed by msblaster.
> > Thanks.
> > --
> > Micheal Patterson
> > TSG Network Administration
> > 405-917-0600
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> SANS - Internet Storm Center
> PGP Key: http://isc.sans.org/jullrich.txt
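The thread's point is that a worm cleaner removes the worm and nothing else, so before the machine is wiped (or while deciding whether it can be trusted at all) the useful question is "what is listening and what autostarts that the baseline does not explain?". The script below is an added example, not code from Jon, Johannes or the Dshield list. It parses Windows `netstat -an` output and a `regedit` export of the HKLM Run key, separates the well-known Blaster artefacts (a cmd.exe shell listening on TCP/4444, a TFTP server on UDP/69, and the Run value `windows auto update` = `msblast.exe`) from everything else that is not on a known-clean baseline. The baseline sets are assumptions to be replaced with ones taken from a clean install of the same build; the sample netstat and registry text, including the `TCP/2001` listener and the `wincfg` autostart entry, are constructed for this example and are not real indicators.

```python
"""Triage helper for a box suspected of Blaster/DCOM compromise.

Added example; not from the Dshield list or its posters. Baselines are
assumptions, and the sample inputs at the bottom are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Assumed baseline: sockets a clean Windows 2000/XP box of the same build
# is expected to have open. Build your own from a known-clean machine.
BASELINE_LISTENERS: Set[Tuple[str, int]] = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 1025),
    ("UDP", 123), ("UDP", 135), ("UDP", 137), ("UDP", 138), ("UDP", 445),
}
# Assumed baseline of legitimate HKLM\...\CurrentVersion\Run value names.
BASELINE_RUN_VALUES: Set[str] = {"Synchronization Manager"}

# Artefacts of the original Blaster worm: remote shell on TCP/4444, TFTP
# server on UDP/69 used to serve msblast.exe, and its autostart value.
BLASTER_LISTENERS = {("TCP", 4444), ("UDP", 69)}
BLASTER_RUN_VALUE = "windows auto update"

# "  TCP    0.0.0.0:4444    0.0.0.0:0    LISTENING" / "  UDP  0.0.0.0:69  *:*"
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$", re.IGNORECASE)
# regedit export line: "name"="command"
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def parse_listeners(netstat_text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, local_addr) for each TCP socket in LISTENING
    state and each bound UDP socket in Windows 'netstat -an' output."""
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header lines and blanks
        proto, addr, port, _remote, state = m.groups()
        proto = proto.upper()
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue  # established / time-wait sockets are not listeners
        found.append((proto, int(port), addr))
    return found


def parse_run_values(reg_export_text: str) -> List[Tuple[str, str]]:
    """Return (value_name, command) pairs from a regedit export of a Run key."""
    out = []
    for line in reg_export_text.splitlines():
        m = RUN_VALUE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(netstat_text: str, reg_export_text: str,
           baseline_listeners: Set[Tuple[str, int]] = BASELINE_LISTENERS,
           baseline_run: Set[str] = BASELINE_RUN_VALUES) -> Dict[str, list]:
    """Split observations into: known worm artefacts, listeners the baseline
    does not explain (candidate backdoors), and unexplained autostart entries.
    Anything in the last two buckets is the reason a full rebuild is advised:
    the worm cleaner will not touch them."""
    findings: Dict[str, list] = {
        "worm": [], "unexpected_listeners": [], "unexpected_autostart": []}
    for proto, port, addr in parse_listeners(netstat_text):
        if (proto, port) in BLASTER_LISTENERS:
            findings["worm"].append(f"{proto}/{port} listening on {addr}")
        elif (proto, port) not in baseline_listeners:
            findings["unexpected_listeners"].append(
                f"{proto}/{port} listening on {addr}")
    for name, cmd in parse_run_values(reg_export_text):
        if name.lower() == BLASTER_RUN_VALUE:
            findings["worm"].append(f"Run value {name!r} -> {cmd}")
        elif name not in baseline_run:
            findings["unexpected_autostart"].append((name, cmd))
    return findings


# Constructed sample input (not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2001           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1033       192.168.1.9:4444       ESTABLISHED
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:135            *:*
  UDP    192.168.1.5:137        *:*
"""
SAMPLE_RUN_KEY = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"
"wincfg"="C:\\WINNT\\system32\\wincfg32.exe"
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_NETSTAT, SAMPLE_RUN_KEY).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

On a real machine the two inputs come from `netstat -an` and `regedit /e` run from the suspect box, ideally booted from separate media so a rootkit cannot hide sockets or values from the tools; the script only reads text. A hit in the worm bucket confirms the infection; anything in the other two buckets is exactly what the cleanup tools leave behind, and an empty result there does not prove the box is clean, which is why the advice above is still to rebuild.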