From: dcopley at eeye.com (Drew Copley)
Subject: [UPDATE] ping floods


> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of benjurry
> Sent: Monday, August 18, 2003 10:09 AM
> To: Sam Pointer; full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] [UPDATE] ping floods
> 
> 
> This worn written by VC++6.0 and compressed by UPX. Its size 
> is 10240 bytes. The worm's aim is to remove the msblast anf 
> patch the system,which infects by RPC DCOM and WebDEV. When 
> it go into the system ,it copy 
> %systemroot%\system32\dllcache\tftpd.exe to 
> %systemroot%\system32\wins\svchost.exe ,then create the 
> service named RPCTftpd ,and its Display is ""Network 
> Connections Sharing". And then It copy himself to 
> %systemroot%\system32\wins\dllhost.exe ,then create the 
> service named RpcPath . 3rd,the worm will check the process 
> "msblast" and remove it ,then download the patch form the M$ 
> according diffrent language version,and patch system with 
> parameter "-n -o -z -q". Then it scan the subnet with ICMP 
> filled with ,whose type is "echo" and size is 92 bytes ,so 
> there are large volumes of ICMP traffic in network .when the 
> worm find a host ,it will try to infect with RPC DCOM and 
> Webdev, If sucess it will listen a TCP port less than 1000 to 
> send the file.If the year is 2004,then it will remove 
> itself.So the easiest way to remove is adjust your time.
> 
> It seems it is a "good " worm to clean msblast:)

Except for the fact that it causes some systems to go into the infinite
reboot loop and it is causing ping floods. 

Whether or not it properly downloads the right patches or close the
command shell it opens... Or whatever other bugs it has... Have not been
shown, yet.

It is not too worrisome, however, as the blaster worm already got a vast
swath of users to finally upgrade.


> 
> 
> benjurry
> 
> ----- Original Message ----- 
> From: "Sam Pointer" <sam.pointer@...software.com>
> To: "'Abraham, Antony (Cognizant)'" 
> <Antony@....cognizant.com>; <B3r3n@...osnet.com>; 
> <full-disclosure@...ts.netsys.com>
> Sent: Tuesday, August 19, 2003 12:15 AM
> Subject: RE: [Full-Disclosure] [UPDATE] ping floods
> 
> 
> > Antony Abraham wrote:
> > >
> > >http://vil.nai.com/vil/content/v_100559.htm
> > >
> > >New RPC worm which will generate lot of ICMP traffic.
> > 
> > Well I guess it would appear from this portion of NAI's 
> analysis that 
> > someone was listening to the thread on this list about writing an 
> > anti-blaster worm:
> > 
> > "The worm carries links to various patches for the MS03-026 
> > vulnerability: ... The worm attempts to download and install one of 
> > these patches on the victim machine."
> > 
> > 
> > This email and any attachments are strictly confidential and are 
> > intended solely for the addressee. If you are not the intended 
> > recipient you must not disclose, forward, copy or take any 
> action in 
> > reliance on this message or its attachments. If you have 
> received this 
> > email in error please notify the sender as soon as possible 
> and delete 
> > it from your computer systems. Any views or opinions presented are 
> > solely those of the author and do not necessarily reflect 
> those of HPD 
> > Software Limited or its affiliates.
> > 
> >  At present the integrity of email across the internet cannot be 
> > guaranteed and messages sent via this medium are 
> potentially at risk.  
> > All liability is excluded to the extent permitted by law for any 
> > claims arising as a re- sult of the use of this medium to transmit 
> > information by or to HPD Software Limited or its affiliates.
> > 
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

Powered by blists - more mailing lists