[unisog] DShield and Symantec report MSBlast in wild

Edward W. Ray support at mmicman.com
Tue Aug 12 02:41:34 GMT 2003

While this is illegal, and no site should be DDoSed off the web, I find the
fact that the worm slams the M$ site rather amusing :)

So much for Windows 2003 being "Secure by Default."

Edward W. Ray

-----Original Message-----
From: Phil.Rodrigues at uconn.edu [mailto:Phil.Rodrigues at uconn.edu] 
Sent: Monday, August 11, 2003 1:19 PM
To: unisog at sans.org; SECURITY at LISTSERV.EDUCAUSE.EDU
Subject: [unisog] DShield and Symantec report MSBlast in wild

DShield and Symantec have reported that a worm exploiting RPC-DCOM TCP 135
has been released in the wild:



Craig Baltes of LURHQ corp reported this on the DShield list:


Here's more on the new Windows RPC/DCOM worm.

This one seems pretty simple so far. It does most of what you may have seen
on isc.sans.org:
- exploits via port 135/RPC.
- downloads binary (msblast.exe) via tftp.
- adds a registry key to re-start after reboot

- On the 16th, syn-floods (with spoofed sources) windowsupdate.com.

Craig Baltes GCIA, CCSE
Senior Information Security Analyst
LURHQ corp. www.lurhq.com
craig at lurhq.com


Good luck!


Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
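
The behaviours listed in the quoted report (contact on TCP 135, then a TFTP transfer) can be correlated in flow logs to spot hosts that were probably infected. This is an added example, not part of the original messages: the flow-record format, the addresses and the 60-second window are constructed assumptions, and TFTP is matched in either direction because the post does not say which side starts the transfer.

```python
from datetime import datetime, timedelta

# Constructed flow records (not from the original post), in time order:
# time, source, destination, protocol, destination port
SAMPLE_FLOWS = """\
2003-08-11T17:02:10 10.1.4.23 10.1.7.80 tcp 135
2003-08-11T17:02:14 10.1.7.80 10.1.4.23 udp 69
2003-08-11T17:03:01 10.1.4.23 10.1.7.81 tcp 135
2003-08-11T17:05:40 10.1.9.5 10.1.9.6 udp 69
2003-08-11T17:20:00 10.1.2.2 10.1.7.90 tcp 135
2003-08-11T17:45:00 10.1.7.90 10.1.2.2 udp 69
"""

WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per site


def parse(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, proto, port = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(port)


def correlate(text, window=WINDOW):
    """Return (time, prober, target) for each TCP/135 contact that is followed
    within `window` by TFTP (UDP/69) traffic between the same two hosts."""
    rpc_seen = {}  # host pair -> (time, src, dst) of the latest TCP/135 contact
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = parse(line)
        pair = frozenset((src, dst))
        if proto == "tcp" and port == 135:
            rpc_seen[pair] = (ts, src, dst)
        elif proto == "udp" and port == 69 and pair in rpc_seen:
            rpc_ts, prober, target = rpc_seen[pair]
            if timedelta(0) <= ts - rpc_ts <= window:
                alerts.append((rpc_ts, prober, target))
                del rpc_seen[pair]  # one alert per contact
    return alerts


if __name__ == "__main__":
    for when, prober, target in correlate(SAMPLE_FLOWS):
        print(f"{when.isoformat()} {target}: TFTP right after TCP/135 from {prober}")
```

A lone TCP 135 contact or a lone TFTP transfer does not alert; only the pairing within the window does, which keeps ordinary RPC and TFTP use out of the results.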
