RE: MSBlast and other known exploits..

From: Alon Tirosh (atirosh_at_interactiveedge.com)
Date: 08/13/03

To: "'Micheal Patterson'" <micheal@cancercare.net>
Date: Wed, 13 Aug 2003 11:07:18 -0400

Sounds like the infection went off and damaged COM+ on the affected
machines. This was a reported side effect when the vulnerability was first
analyzed and tested. I can confirm this happening on a number of infected
systems that I've worked with, and it appears that the TMSC patterns do
wonders to restore the system to operation.

I'd give a shot at simply cleaning the affected systems and seeing whether
the problem clears up before pulling out the hose.

-----Original Message-----
From: Micheal Patterson [mailto:micheal@cancercare.net]
Sent: Wednesday, August 13, 2003 8:45 AM
To: incidents@securityfocus.com
Subject: MSBlast and other known exploits..

I've got reports of msblast infection that I've checked, and they indeed do
have msblast. Also, these systems all have what appears to be a corrupted
control panel applet. The normal control panel shows up in a left-hand frame
and the contents of add/remove programs is missing. Also, various popup
windows simply will not open. I've read that there was a known rootkit
that utilized the same dcom exploit called khat2 (spelling), but I'm not
having much luck in locating the symptoms of systems that have been rooted
in this manner. Any information would be appreciated. I will be recommending
that these systems be blown away and reinstalled from clean media; I'm just
looking for some info to verify what's eaten away at these things.

Thank you.

--
Micheal Patterson
Network Administration
Cancer Care Network
405-733-2230
