From: villain at protonic.com (ViLLaN)
Subject: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

Yes, it does infect Windows XP machines and no, it doesn't touch NAV. I
have, however, seen some other exploits based on the RPC vulnerability
that do have the option to disable AV software. Kaht2 comes to mind (I
think).

Cheers,
Garth S

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Chris
Garrett
Sent: Tuesday, 12 August 2003 3:00 PM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM
Worm Propagation (fwd)


I had a friend infected with the worm earlier today, at about 17:00 EST.
He was running Windows XP Home edition. He called me because his
computer had been rebooting "spontaneously," and whenever he would go to
Google to search for a strange binary he saw [msblast.exe], he either
found nothing or was mysteriously redirected to some strange website. At
least, I believe that was his description. I hadn't seen any reports of
MSBlast on FD before this point, but I was almost certain it was a worm
of some sort using the DCOM RPC exploit. I had him check the registry,
remove the keys, and delete .*msblast.*. I also had him disable DCOM,
since I doubted he was using anything that utilized it, then directed
him to the MS03-26 patch. This was all based on a guess that he was
infected by something DCOM related [makes sense given the massive
publicity and severity of this vulnerability]. I wasn't certain if any
other files were corrupted at the time, but those simple measures seemed
to do the job. Imagine my surprise when 10 minutes later, I received an
FD email reporting the release of a worm identified by an msblast
binary.

My friend also reported to me that /somehow/ his Norton Auto-Protect had
been disabled. Now, I don't know if that was the worm [as I've not seen
any analyses thus far to suggest that the worm does that], or if it was
something he had disabled, accidentally, at some point.

In short, XP is affected, as well. And I would imagine his computer kept
rebooting because other systems within the class B range he was on were
constantly probing his system and trying the 2K offset, and not because
of the worm that had already infected his system [which was my original,
incorrect, impression, before the analyses put out by ISC, XFocus, and
Norton].

Christopher Garrett III
Inixoma, Incorporated

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html