Re: reports of DCOM worm on the loose...Report #4b

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 08/12/03

  • Next message: Marc Maiffret: "DCOM not disabled on Win2k SP0,1,2"
    Date:         Tue, 12 Aug 2003 15:48:49 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Thanks to Marc Maifrett of eEye and Robert Graham of ISS for pointing this out;

    - scanning for systems listening on 69 indicate successfully attacked systems (or valid TFTP Server)

    Please note that the TFTP server used in the worm runs for a very short period of time (~20 seconds), so detecting 69 listening will be difficult at best.

    That said, since it appears possible that machines can be infected multiple times, the 69 listen may pop up and down frequently.

    Cheers,
    Russ - NTBugtraq Editor

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to

    http://www.trusecure.com/offer/s0100/

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


  • Next message: Marc Maiffret: "DCOM not disabled on Win2k SP0,1,2"