DShield and Symantec report MSBlast in wild

Phil.Rodrigues at uconn.edu Phil.Rodrigues at uconn.edu
Mon Aug 11 20:18:50 GMT 2003

DShield and Symantec have reported that a worm exploiting RPC-DCOM TCP 135 
has been released in the wild:



Craig Baltes of LURHQ corp reported this on the DShield list:


Here's more on the new Windows RPC/DCOM worm.

This one seems pretty simple so far. It does most of what you may have
on isc.sans.org:
- exploits via port 135/RPC.
- downloads binary (msblast.exe) via tftp.
- adds a registry key to re-start after reboot.

- On the 16th, syn-floods (with spoofed sources) windowsupdate.com.

Craig Baltes GCIA, CCSE
Senior Information Security Analyst
LURHQ corp. www.lurhq.com
craig at lurhq.com


Good luck!


Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
