[Dshield] MSBlast.D a good worm?

Wayne Beckham wbeckham at yahoo.com
Tue Aug 19 11:46:34 GMT 2003


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

And it appears that it doesn't really "patch" anything, at least not
that I can see.  The scenario seems to be:

It copies TFTPD.exe from the %systemroot%\system32\dllcache
directory. This file is usually only present on Windows 2000 Server
and Advanced Server. So only these systems will be used to host
propagation of the worm. I haven't heard yet how long the TFTPD stays
up and open, meaning anyone could use it to access your systems.

After setting up the remote shell, infected system downloads a copy
of the worm from the host. If the attacker isn't a Windows 2000
Server or Advanced Server, the infected machine will not be able to
download the worm file, as it (theoretically) doesn't have TFTPD. 
But it keeps pinging and doing 135 probes.

If the instruction to download the patch is contained in the worm
executable, then many infected systems will reboot, but not really be
patched. The systems repeatedly reboot until they manage to get stuck
with the original LoveSan.

So what happened, at least around here, was that the machine would
reboot, still infected by Nachii, and not patched against LoveSan. 
LoveSan, still propagating in the wild would infect the machine
already infected by the Nachii virus.  

ICMP goes wild, with the occasional 135 probe thrown in for spice.

One last note - the Symantec FixBlast tool cleaned some, but not all,
incidents of LoveSan and didn't detect Nachii at all.  The MacAfee
"Stinger" tool (ver. 1.8.3 - I think) caught instances of LoveSan
missed by FixBlast and also fixed Nachii.  THIS IS NOT A COMMERCIAL
ENDORSEMENT - just an observation.  If anyone has any similar
observations, I'd like to hear them.

- - WB

- -----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Johannes B. Ullrich
Sent: Tuesday, August 19, 2003 4:09 AM
To: General DShield Discussion List
Subject: Re: [Dshield] MSBlast.D a good worm?



> But is there any such thing as a "good" worm?
> -----------

For starters: the 'Nachi' worm does setup some kind of backdoor.
Haven't quite figured out what it does. But there is something
listening on a port < 1000.


- -- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBP0IOGgx91CpcFNLaEQKslQCeJa9LV/dEo+nWZAH8+EupErlX8kEAnjM8
4btKeW7nUq9voiFg9p67W+eO
=V6p0
-----END PGP SIGNATURE-----





More information about the list mailing list