[Dshield] msblaster

Pagarb@aol.com Pagarb at aol.com
Sat Aug 16 21:40:41 GMT 2003


this might be premature, but a system I was working that had msblaster on it 
wouldn't allow access to task mgr, msconfig or regedit even after msblaster 
was removed...  then while it was off-line it started trying to reach 4 
domains...  a window would pop up and time out then another attempt would be made to 
the next address...  it would cycle around repeatedly and clicking cancel would 
just cause it to go to the next one..  after backtracking the names I called 
the only one that might still be open at 4 pm PST...  about 8 pm a sys admin 
called back to say this account had been opened within the last two weeks and 
he was very concerned about their activities...  he closed the account and 
looked at what they'd been doing and found "a large number of IP's" which made him 
suspicious...  we agreed to cooperate with the authorities and I'm sending an 
email to the supervisory agent of the FBI's Computer Analysis Response Team 
who I met at the Univ of Idaho forensics workshop last Sept...  don't know if 
there's a connection between this activity and msblaster or if it'll lead to who 
wrote it but if it does it'll be worth all the effort to get them...   
another thing I've experienced is pop-ups saying there's a trojan in the system 
volume information folder on my computer...  after much checking and scanning 
nothing showed and I'm beginning to wonder if this is a new game being played to 
create noise and havoc...  on the other hand this pop-up seemed to have some 
specific details about this folder...  am wondering if there might be something 
hiding in an alternate data stream and invisible to scanning or just some 
smart alec with a weird sense of humor...

Paul Braga


