reports of DCOM worm on the loose - Report#2

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 08/11/03

    Date:         Mon, 11 Aug 2003 16:53:07 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    From the reports so far, if you block outbound requests to any IP address where the destination port is 69, you should be able to block any attempt to get the actual worm component. Suggestions are that after the initial connection from the attacker, the victim then does a TFTP call to known IP addresses (which are being blocked as we speak, but there's some doubt as to whether or not the list is static or dynamic). If it reaches one of these TFTP servers, it will then download the component which does the replication and attacking.

    One report says that an XP Pro system had its RPC crash, then the system rebooted, then due to a run key under WindowsUpdate, it started the MSBLAST.EXE tool (that was, presumably, brought in via TFTP.) That executable started launching attacks.

    More in a few minutes.

    Cheers,
    Russ - NTBugtraq Editor

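The two observable steps Russ describes (an inbound hit on the RPC endpoint, then an outbound TFTP request from the same host to fetch the worm component) are easy to correlate in firewall logs. The script below is an added example, not part of the original post or of any NTBugtraq tooling; the log line format and every address in it are constructed for illustration. It reports every host that tried to reach port 69 outbound (the traffic the post recommends blocking), and separately the hosts that did so shortly after receiving a connection on TCP 135, which is the victim-side sequence the post outlines.

```python
"""Correlate inbound RPC (TCP 135) hits with outbound TFTP (port 69)
requests in firewall log lines.  Added example; log format is constructed."""
import re
from datetime import datetime

# Constructed sample lines: timestamp, action, proto, src -> dst.
# Not taken from any real firewall product.
SAMPLE_LOG = """\
2003-08-11 16:40:01 allow tcp 198.51.100.23:3107 -> 10.0.0.5:135
2003-08-11 16:40:03 deny udp 10.0.0.5:1044 -> 203.0.113.7:69
2003-08-11 16:40:04 allow udp 10.0.0.9:1200 -> 10.0.0.1:53
2003-08-11 16:41:10 allow tcp 198.51.100.23:3108 -> 10.0.0.9:135
2003-08-11 16:42:00 allow udp 10.0.0.12:1500 -> 203.0.113.7:69
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>allow|deny) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

RPC_PORT = 135   # DCOM/RPC endpoint the attacker connects to first
TFTP_PORT = 69   # outbound request the post says to block


def parse(log_text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def outbound_tftp_hosts(events):
    """Hosts that tried to reach destination port 69, allowed or denied.
    A deny still means the host attempted the fetch, so it is worth a look."""
    return sorted({e["src"] for e in events if e["dport"] == TFTP_PORT})


def rpc_then_tftp(events, window_seconds=300):
    """Hosts that received a connection on 135 and then sent a request to
    port 69 within window_seconds.  Returns {victim_host: tftp_server}."""
    last_rpc = {}   # host -> time of most recent inbound 135 hit
    hits = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["proto"] == "tcp" and e["dport"] == RPC_PORT:
            last_rpc[e["dst"]] = e["ts"]
        elif e["dport"] == TFTP_PORT:
            seen = last_rpc.get(e["src"])
            if seen is not None and (e["ts"] - seen).total_seconds() <= window_seconds:
                hits[e["src"]] = e["dst"]
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("outbound TFTP attempts from:", outbound_tftp_hosts(evs))
    print("RPC hit followed by TFTP fetch:", rpc_then_tftp(evs))
```

On the constructed sample, 10.0.0.5 and 10.0.0.12 both attempted outbound TFTP, but only 10.0.0.5 shows the full sequence (a 135 connection two seconds before the port-69 request); 10.0.0.9 received a 135 connection without a follow-up fetch, which is consistent with the blocked-TFTP outcome the post is aiming for, and still worth checking for the RPC crash and reboot it mentions.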

