DShield and Symantec report MSBlast in wild

Phil.Rodrigues at uconn.edu
Mon Aug 11 20:18:50 GMT 2003


DShield and Symantec have reported that a worm exploiting RPC-DCOM TCP 135
has been released in the wild:

http://isc.sans.org/

http://tms.symantec.com

Craig Baltes of LURHQ corp reported this on the DShield list:

===========================================================

Here's more on the new Windows RPC/DCOM worm.

This one seems pretty simple so far. It does most of what you may have
seen on isc.sans.org:
- exploits via port 135/RPC.
- downloads binary (msblast.exe) via tftp.
- adds a registry key to re-start after reboot.

AND:
- On the 16th, syn-floods (with spoofed sources) windowsupdate.com.

-- 
Craig Baltes GCIA, CCSE
Senior Information Security Analyst
LURHQ corp. www.lurhq.com
craig at lurhq.com

===========================================================

Good luck!

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
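
A detection check for the behaviour listed in the quoted report (an inbound connection to TCP 135 followed by a TFTP download), as an added example that is not part of the original message. The flow-record format, the 10.0.0.0/8 internal range and the 120-second correlation window are assumptions, and the sample records are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: local address space
WINDOW = timedelta(seconds=120)                 # assumption: correlation window

# Constructed sample flow records (not real traffic): time proto src:port -> dst:port
SAMPLE_LOG = """\
2003-08-11T20:01:05 TCP 192.0.2.10:4321 -> 10.0.0.5:135
2003-08-11T20:01:09 UDP 10.0.0.5:1044 -> 192.0.2.10:69
2003-08-11T20:02:00 TCP 192.0.2.10:4400 -> 10.0.0.7:135
2003-08-11T20:03:30 UDP 10.0.0.9:1050 -> 10.0.0.1:69
2003-08-11T20:09:00 UDP 10.0.0.7:1051 -> 192.0.2.10:69
malformed line
"""

def parse(line):
    """Return (time, proto, src_ip, dst_ip, dst_port), or None if unparseable."""
    try:
        ts, proto, src, arrow, dst = line.split()
        if arrow != "->":
            return None
        src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
        dst_host, dst_port = dst.rsplit(":", 1)
        return (datetime.fromisoformat(ts), proto.upper(), src_ip,
                ipaddress.ip_address(dst_host), int(dst_port))
    except ValueError:
        return None

def find_suspects(log_text):
    """Internal hosts that sent a TFTP request within WINDOW of an inbound TCP/135."""
    last_rpc = {}  # internal host -> (time, peer) of its latest inbound TCP/135
    hits = []
    for rec in filter(None, map(parse, log_text.splitlines())):
        ts, proto, src, dst, dport = rec
        if proto == "TCP" and dport == 135 and dst in INTERNAL:
            last_rpc[dst] = (ts, src)
        elif proto == "UDP" and dport == 69 and src in INTERNAL and src in last_rpc:
            rpc_ts, peer = last_rpc[src]
            if timedelta(0) <= ts - rpc_ts <= WINDOW:
                hits.append((str(src), str(peer), str(dst)))
    return hits

if __name__ == "__main__":
    for host, rpc_peer, tftp_server in find_suspects(SAMPLE_LOG):
        print(f"{host}: TCP/135 from {rpc_peer}, then TFTP to {tftp_server}")
```

Hosts that appear in the output are candidates for a check of the msblast.exe binary and the restart registry key mentioned in the report.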


