reports of DCOM worm on the loose - Report#2
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Mon, 11 Aug 2003 16:53:07 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
From the reports so far, if you block outbound requests to any IP address where the destination port is 69, you should be able to block any attempt to get the actual worm component. Suggestions are that after the initial connection from the attacker, the victim then does a TFTP call to known IP addresses (which are being blocked as we speak, but there's some doubt as to whether or not the list is static or dynamic). If it reaches one of these TFTP servers, it will then download the component which does the replication and attacking.
One report says that an XP Pro system had its RPC crash, then the system rebooted, then due to a run key under WindowsUpdate, it started the MSBLAST.EXE tool (that was, presumably, brought in via TFTP). That executable started launching attacks.
More in a few minutes.
Russ - NTBugtraq Editor
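The sequence the report describes (inbound RPC hit on the victim, then the victim itself reaching out to TFTP on port 69 for the worm body) can be picked out of egress firewall logs. The following detector is an added example, not part of Russ's post: it assumes a constructed, simplified log format, assumes TCP/135 (the DCOM RPC endpoint mapper) as the inbound RPC port since the post only says "RPC", and also flags any outbound TFTP from a host with no preceding RPC hit, which goes a little beyond the post's specific case.

```python
"""Correlate firewall logs for the RPC-hit-then-outbound-TFTP sequence.

Added example; log format is constructed:
  "<epoch> <proto> <src_ip>:<port> -> <dst_ip>:<port> <allow|deny>"
"""

RPC_PORT = 135   # assumption: DCOM RPC endpoint mapper (post says only "RPC")
TFTP_PORT = 69   # from the post: outbound destination port 69 fetches the worm
WINDOW = 300     # seconds allowed between the RPC hit and the TFTP request

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
1060634000 tcp 198.51.100.7:4521 -> 192.0.2.10:135 allow
1060634012 udp 192.0.2.10:1026 -> 203.0.113.5:69 deny
1060634100 tcp 198.51.100.7:4522 -> 192.0.2.11:135 allow
1060635200 udp 192.0.2.11:1027 -> 203.0.113.6:69 deny
1060634150 udp 192.0.2.12:1028 -> 203.0.113.7:69 allow
1060634160 tcp 192.0.2.20:3456 -> 192.0.2.30:80 allow
"""

def parse_line(line):
    """Split one constructed-format log line into a dict of typed fields."""
    ts, proto, src, _, dst, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "action": action}

def find_infections(log_text, window=WINDOW):
    """Return {host: verdict} for hosts that made outbound TFTP requests.

    'downloaded'       inbound RPC hit followed by an allowed TFTP request
    'blocked'          inbound RPC hit followed by a denied TFTP request
    'tftp_unexplained' outbound TFTP with no RPC hit inside the window
    """
    last_rpc_hit = {}   # victim ip -> timestamp of most recent inbound RPC hit
    verdicts = {}
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    for e in events:
        if e["proto"] == "tcp" and e["dst_port"] == RPC_PORT and e["action"] == "allow":
            last_rpc_hit[e["dst_ip"]] = e["ts"]
        elif e["proto"] == "udp" and e["dst_port"] == TFTP_PORT:
            hit = last_rpc_hit.get(e["src_ip"])
            if hit is not None and 0 <= e["ts"] - hit <= window:
                verdicts[e["src_ip"]] = "downloaded" if e["action"] == "allow" else "blocked"
            else:
                verdicts[e["src_ip"]] = "tftp_unexplained"
    return verdicts
```

Hosts marked 'blocked' are the ones the port-69 egress rule saved; 'downloaded' hosts need the run key and MSBLAST.EXE checked.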