Re: [Full-Disclosure] Windows RPC/DCOM - MSBlast Worm

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 08/12/03

    To: full-disclosure@lists.netsys.com
    Date: Mon, 11 Aug 2003 22:33:57 -0500
    
    

    --On Monday, August 11, 2003 15:42:36 -0400 Craig Baltes <craig@lurhq.com>
    wrote:

    > Here's more on the new Windows RPC/DCOM worm.
    >
    > This one seems pretty simple so far. It does most of what you may have
    > seen on isc.sans.org:
    > - exploits via port 135/RPC.
    > - downloads binary (msblast.exe) via tftp.
    > - adds a registry key to re-start after reboot
    >
    > AND:
    > - On the 16th, syn-floods (with spoofed sources) windowsupdate.com.
    >
    From the looks of it, the worm shouldn't have much problem doing that. So
    far I'm seeing hits from the following ISPs worldwide:

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

