RE: What the heck is this msblast.exe

From: Michael LaSalvia (mike_at_genxweb.net)
Date: 08/12/03

  • Next message: Rod Trent: "RE: What the heck is this msblast.exe"
    To: <Lee_Fisher@NAI.com>, <morris_minchu@iwon.com>, <focus-ms@securityfocus.com>
    Date: Mon, 11 Aug 2003 18:47:15 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    The msblast.exe is the dcom worm that was just released earlier
    today. Been seeing this in my IDS logs all day.

    - -----Original Message-----
    From: Lee_Fisher@NAI.com [mailto:Lee_Fisher@NAI.com]
    Sent: Monday, August 11, 2003 6:27 PM
    To: morris_minchu@iwon.com; focus-ms@securityfocus.com
    Subject: RE: What the heck is this msblast.exe

    From your description I would imagine it to be the Blaster (We called it
    W32/Lovsan.worm)

    Many posts on forums - We list it as a Medium On Watch alert - other AV
    orgs have a similar classification.

    http://vil.nai.com/vil/content/v_100547.htm

    Lee Fisher
    Solutions Architect
    McAfee Product Management

    - -----Original Message-----
    From: Minchu Mo
    To: focus-ms@securityfocus.com
    Sent: 11/08/03 15:00
    Subject: What the heck is this msblast.exe

    The code resides in c:\winnt\system32.

    It somehow changed my registry and pretends to be Windows autoupdate in
    \Localsystem\software\microsoft\window\run, so it can run when I boot the
    machine. Now it is sending out packets to random(?) IPs' endpoint port

    - ----------------------------------------------------------------------
    Your network firewall and IDS products do not prevent Web application
    attacks - the most common form of online exploitation - resulting in Web
    defacement, data theft, sabotage and fraud.
    KaVaDo is the only company that provides a complete suite of Web
    application security products.
    Download a FREE whitepaper on "Security Policy Automation for Web
    Applications": http://www.securityfocus.com/Kavado-focus-ms
    - ----------------------------------------------------------------------

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

    iQA/AwUBPzgc6XAnVb+gRdsVEQIxfQCeKC1utno1oDrWrvmKpHTCKM+cIQUAn1+x
    wcaDQq8UvNrA/O6KTmT8yqUc
    =pqjM
    -----END PGP SIGNATURE-----


