[unisog] DShield and Symantec report MSBlast in wild

Edward W. Ray support at mmicman.com
Tue Aug 12 02:41:34 GMT 2003


While this is illegal, and no site should be DDoSed off the web, I find the
fact that the worm slams the M$ site rather amusing :)

So much for Windows 2003 being "Secure by Default."

Edward W. Ray
SANS GCIA, GCIH 

-----Original Message-----
From: Phil.Rodrigues at uconn.edu [mailto:Phil.Rodrigues at uconn.edu] 
Sent: Monday, August 11, 2003 1:19 PM
To: unisog at sans.org; SECURITY at LISTSERV.EDUCAUSE.EDU
Subject: [unisog] DShield and Symantec report MSBlast in wild

DShield and Symantec have reported that a worm exploiting RPC-DCOM TCP 135
has been released in the wild:

http://isc.sans.org/

http://tms.symantec.com

Craig Baltes of LURHQ corp reported this on the DShield list:

===========================================================

Here's more on the new Windows RPC/DCOM worm.

This one seems pretty simple so far. It does most of what you may have seen
on isc.sans.org:
- exploits via port 135/RPC.
- downloads binary (msblast.exe) via tftp.
- adds a registry key to re-start after reboot

AND:
- On the 16th, syn-floods (with spoofed sources) windowsupdate.com.

--
Craig Baltes GCIA, CCSE
Senior Information Security Analyst
LURHQ corp. www.lurhq.com
craig at lurhq.com

===========================================================

Good luck!

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
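
The behaviour listed in the forwarded report (exploit on TCP 135, then a tftp download) can be hunted for in flow logs. The sketch below is an added example, not part of the original messages or any vendor tool; the record format, thresholds and function names are assumptions, as is the premise that an exploited host fetches the binary over TFTP (UDP 69) from the host that just connected to it on TCP 135.

```python
from collections import defaultdict

FANOUT_MIN = 5    # assumed: distinct TCP/135 targets before a source counts as scanning
TFTP_WINDOW = 60  # assumed: max seconds between inbound TCP/135 and the TFTP fetch

def parse(line):
    """Parse one constructed flow record: 'epoch src dst proto dport'."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto, int(dport)

def analyze(lines, fanout_min=FANOUT_MIN, window=TFTP_WINDOW):
    """Return (scanners, fetchers).

    scanners: sources that contacted >= fanout_min distinct hosts on TCP/135.
    fetchers: (victim, attacker) pairs where the victim sent a TFTP request
              to a host that had connected to it on TCP/135 within `window`.
    """
    rpc_targets = defaultdict(set)  # src -> distinct destinations on tcp/135
    last_rpc = {}                   # (attacker, victim) -> time of latest tcp/135
    fetchers = set()
    records = sorted(parse(l) for l in lines if l.strip())
    for ts, src, dst, proto, dport in records:
        if proto == "tcp" and dport == 135:
            rpc_targets[src].add(dst)
            last_rpc[(src, dst)] = ts
        elif proto == "udp" and dport == 69:
            seen = last_rpc.get((dst, src))  # did dst hit src on 135 earlier?
            if seen is not None and 0 <= ts - seen <= window:
                fetchers.add((src, dst))
    scanners = {s for s, d in rpc_targets.items() if len(d) >= fanout_min}
    return scanners, fetchers

# Constructed sample records (not real traffic).
SAMPLE = [f"{1000 + i} 10.0.0.5 10.0.1.{i} tcp 135" for i in range(1, 9)] + [
    "1010 10.0.1.3 10.0.0.5 udp 69",   # TFTP back to the scanner, 7 s after the hit
    "1020 10.0.0.9 10.0.0.2 tcp 135",  # single RPC connection, below the threshold
    "1030 10.0.0.9 10.0.0.50 udp 69",  # TFTP with no preceding TCP/135 from that host
    "2000 10.0.1.7 10.0.0.5 udp 69",   # TFTP to the scanner, but outside the window
]

if __name__ == "__main__":
    scanners, fetchers = analyze(SAMPLE)
    print("scanning sources:", sorted(scanners))
    print("likely new infections (victim, source):", sorted(fetchers))
```
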
