[unisog] DShield and Symantec report MSBlast in wild
r.fulton at auckland.ac.nz
Mon Aug 11 23:26:40 GMT 2003
On Tue, 2003-08-12 at 08:18, Phil.Rodrigues at uconn.edu wrote:
> DShield and Symantec have reported that a worm exploiting RPC-DCOM TCP 135
> has been released in the wild:
> Craig Baltes of LURHQ corp reported this on the DShield list:
> Here's more on the new Windows RPC/DCOM worm.
> This one seems pretty simple so far. It does most of what you may have
> on isc.sans.org:
> - exploits via port 135/RPC.
> - downloads binary (msblast.exe) via tftp.
> - adds a registry key to re-start after reboot
> - On the 16th, syn-floods (with spoofed sources) windowsupdate.com.
Also uses tftp to get body of the worm from the infector (as nimda does)
-- this is another line of defence: block outbound tftp (we have done so
Russell Fulton, Network Security Officer, The University of Auckland,
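
The behaviour described in this thread (a host is contacted on TCP/135 and then fetches the worm body over TFTP from the host that contacted it) can be looked for in flow logs; the following is an added example, not part of the original message. The CSV flow format, the sample records and the 60-second window are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample flow records; the column layout is an assumption:
# time,proto,src,sport,dst,dport
SAMPLE_FLOWS = """\
2003-08-11T23:00:01,tcp,192.0.2.10,3105,10.1.1.20,135
2003-08-11T23:00:04,udp,10.1.1.20,1034,192.0.2.10,69
2003-08-11T23:00:09,tcp,192.0.2.10,3106,10.1.1.21,135
2003-08-11T23:05:00,udp,10.1.1.30,1040,198.51.100.7,69
2003-08-11T23:06:00,tcp,10.1.1.40,2200,10.1.1.41,80
"""
WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse_flows(text):
    """Yield (time, proto, src, dst, dport) tuples from the CSV text."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue  # skip malformed lines
        ts, proto, src, _sport, dst, dport = row
        yield datetime.fromisoformat(ts), proto.lower(), src, dst, int(dport)


def correlate(flows, window=WINDOW):
    """Return (likely_infected, other_tftp) from an iterable of flows."""
    last_135 = {}  # (src, dst) -> time of the latest TCP/135 contact
    infected, other = set(), set()
    for ts, proto, src, dst, dport in sorted(flows):
        if proto == "tcp" and dport == 135:
            last_135[(src, dst)] = ts
        elif proto == "udp" and dport == 69:
            # TFTP request going back to a host that just hit us on 135?
            seen = last_135.get((dst, src))
            if seen is not None and ts - seen <= window:
                infected.add((src, dst))  # (victim, infector)
            else:
                other.add(src)  # TFTP with no preceding 135 contact
    return infected, other


if __name__ == "__main__":
    hits, stray = correlate(parse_flows(SAMPLE_FLOWS))
    for victim, infector in sorted(hits):
        print(f"likely infected: {victim} (tftp fetch from {infector})")
    print("other outbound tftp:", sorted(stray))
```

Hosts in the second set made TFTP requests without a matching TCP/135 contact and are worth a look but are not correlated to the infection pattern.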