RE: What the heck is this msblast.exe

From: Christopher M (christopherm_at_btinternet.com)
Date: 08/12/03

  • Next message: Dominick S.: "Re: DCOM worm is out"
    To: "Tim Mektrakarn" <tim@loudpacket.com>, <focus-ms@securityfocus.com>
    Date: Tue, 12 Aug 2003 09:31:04 +0100
    
    

    The RPC exploit itself leaves the server open to any action at all. We have
    an open test machine which was hit with this and a hacker tried the exploit
    against all our IP addresses. When he found this machine I was able to watch
    as he installed a shadow copy of Serv-U FTP server software and configure
    anonymous accounts to use our machine as an mp3 file server before I booted
    him off. There's no need for any detectable viruses to be involved, as the
    hacker can install whatever legitimate(?) software he likes.

    Bear in mind that the hacker could have installed software to record
    everything you do on the machine. He could be using any account for access.
    Treat every file and process on there, and all activity as suspicious until
    you've verified its authenticity. Your second instance of firedaemon sounds
    classic. What service is it running? Ideally, you'd take the machine offline
    and reformat, but I know this isn't always practical.

    Regards,

    Christopher Moss

    |-----Original Message-----
    |From: Tim Mektrakarn [mailto:tim@loudpacket.com]
    |Sent: 11 August 2003 23:52
    |To: focus-ms@securityfocus.com
    |Subject: RE: What the heck is this msblast.exe
    |
    |
    |Does this virus attack explorer.exe? I found this on my server, ran the
    |MS patch, nav scans and now everytime explorer.exe launches it crashes
    |immediately. Also have 2 instances of firedaemon.exe running but NAV
    |doesn't detect any viruses.
    |
    |Tim
    |
    |
    |
    |-----Original Message-----
    |From: Garrick Strom [mailto:Garrick.Strom@LifeWiseHealth.com]
    |Sent: Monday, August 11, 2003 3:17 PM
    |To: Minchu Mo; focus-ms@securityfocus.com
    |Subject: RE: What the heck is this msblast.exe
    |
    |According to Symantec this is the long-awaited RPC exploiting worm.
    |http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
    |
    |-----Original Message-----
    |From: Minchu Mo [mailto:morris_minchu@iwon.com]
    |Sent: Monday, August 11, 2003 3:00 PM
    |To: focus-ms@securityfocus.com
    |Subject: What the heck is this msblast.exe
    |
    |
    |
    |The code resides in c:\winnt\system32.
    |
    |
    |
    |It somehow change my registry and pretend to be Window autoupdate in
    |
    |\Localsystem\software\microsoft\window\run, so it can run when I boot
    |the
    |
    |machine. Now it sending out packet to random(?)IP 's endpoint port
    |
    |------------------------------------------------------------------------
    |---
    |Your network firewall and IDS products do not prevent Web application
    |attacks - the most common form of online exploitation- resulting in Web
    |defacement, data theft, sabotage and fraud.
    |KaVaDo is the only company that provides a complete suite of Web
    |application
    |security products.
    |Download a FREE whitepaper on "Security Policy Automation for Web
    |Applications":http://www.securityfocus.com/Kavado-focus-ms
    |------------------------------------------------------------------------
    |---
    |
    |
    |
    |------------------------------------------------------------------------
    |---
    |Your network firewall and IDS products do not prevent Web application
    |attacks - the most common form of online exploitation- resulting in Web
    |defacement, data theft, sabotage and fraud.
    |KaVaDo is the only company that provides a complete suite of Web
    |application security products.
    |Download a FREE whitepaper on "Security Policy Automation for Web
    |Applications":http://www.securityfocus.com/Kavado-focus-ms
    |------------------------------------------------------------------------
    |---
    |
    |
    |---------------------------------------------------------------------------
    |Your network firewall and IDS products do not prevent Web application
    |attacks - the most common form of online exploitation- resulting in Web
    |defacement, data theft, sabotage and fraud.
    |KaVaDo is the only company that provides a complete suite of Web
    |application security products.
    |Download a FREE whitepaper on "Security Policy Automation for Web
    |Applications":http://www.securityfocus.com/Kavado-focus-ms
    |---------------------------------------------------------------------------
    |
    |

    ---------------------------------------------------------------------------
    Your network firewall and IDS products do not prevent Web application
    attacks - the most common form of online exploitation- resulting in Web
    defacement, data theft, sabotage and fraud.
    KaVaDo is the only company that provides a complete suite of Web
    application security products.
    Download a FREE whitepaper on "Security Policy Automation for Web
    Applications":http://www.securityfocus.com/Kavado-focus-ms
    ---------------------------------------------------------------------------


  • Next message: Dominick S.: "Re: DCOM worm is out"