[unisog] DShield and Symantec report MSBlast in wild

Russell Fulton r.fulton at auckland.ac.nz
Mon Aug 11 23:26:40 GMT 2003


On Tue, 2003-08-12 at 08:18, Phil.Rodrigues at uconn.edu wrote:
> DShield and Symantec have reported that a worm exploiting RPC-DCOM TCP 135 
> has been released in the wild:
> 
> http://isc.sans.org/
> 
> http://tms.symantec.com
> 
> Craig Baltes of LURHQ corp reported this on the DShield list:
> 
> ===========================================================
> 
> Here's more on the new Windows RPC/DCOM worm.
> 
> This one seems pretty simple so far. It does most of what you may have
> seen on isc.sans.org:
> - exploits via port 135/RPC.
> - downloads binary (msblast.exe) via tftp.
> - adds a registry key to re-start after reboot
> 
> AND:
> - On the 16th, syn-floods (with spoofed sources) windowsupdate.com.

Also uses tftp to get body of the worm from the infector (as nimda does)
-- this is another line of defence: block outbound tftp (we have done so
for years).

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
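An added example, not from the original thread, of the detection logic a defender could run over firewall or flow logs for the infection sequence described above: an inbound connection to TCP/135 followed shortly by the same host fetching a file from the same peer over TFTP (UDP/69). The log line format and the sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not real traffic). One event per line:
# "<ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-08-11T22:01:05 TCP 203.0.113.7:3412 -> 10.1.2.30:135
2003-08-11T22:01:09 UDP 10.1.2.30:1027 -> 203.0.113.7:69
2003-08-11T22:05:00 TCP 10.1.2.40:3911 -> 10.1.2.50:135
2003-08-11T22:30:00 UDP 10.1.2.60:2048 -> 10.9.9.9:69
2003-08-11T22:31:00 TCP 198.51.100.2:4444 -> 10.1.2.70:135
"""

# An RPC hit followed by a TFTP pull from the same peer within this window
# is treated as a suspected infection (window is an assumed tuning value).
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one constructed log line into a dict of fields."""
    ts, proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port)}


def find_suspected_infections(log_text, window=WINDOW):
    """Return (victim_ip, infector_ip) pairs: victim was contacted on TCP/135
    and then fetched from that same peer over UDP/69 within `window`."""
    rpc_hits = defaultdict(list)   # victim ip -> [(timestamp, attacker ip)]
    suspects = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            rpc_hits[ev["dst"]].append((ev["ts"], ev["src"]))
        elif ev["proto"] == "UDP" and ev["dport"] == 69:
            # Outbound TFTP: correlate with an earlier inbound RPC hit from the same peer
            for ts, attacker in rpc_hits.get(ev["src"], []):
                if attacker == ev["dst"] and timedelta(0) <= ev["ts"] - ts <= window:
                    suspects.append((ev["src"], ev["dst"]))
                    break
    return suspects
```

Any outbound UDP/69 event at all is worth alerting on where outbound tftp is already blocked by policy, as the post recommends; the correlation above just ranks which hosts most likely ran the exploit-then-download sequence.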
