lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20030813061928.90946.qmail@web11406.mail.yahoo.com>
Date: Tue, 12 Aug 2003 23:19:28 -0700 (PDT)
From: w g <xillwillx@...oo.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Windows Dcom Worm Killer

1.6 kb assembly program to kill and remove the dcom worm
 
http://illmob.org/files/dcomkiller.zip
 
DETAILS:
 
         DCOM worm killer (W32.Blaster.Worm) 
 Aliases:  W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
           WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
                      Coded in MASM by:
                       illwill                  
              xillwillx@...oo.com      
                 www.illmob.org       
  
                        8/13/2003
 This program is a tool to remove the malicious worm
 that spreads through exploiting the DCOM RPC vulnerability using TCP port 135. 
 This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
 Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, 
 allowing an attacker to issue remote commands on the infected system.
 This tool was made to Automate the process of removing the worm from memory and all files related to it.
-------------------------------------------------------------------------
 Directions:
 1. Execute the file called DCOMKill.exe
    This will automatically kill the worms process 
    running in memory and remove the registry startup method
    and then it will erase any files left by the worm.
 
 2. All done  :) ... next step 
    W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, 
    and a patch is available there. You must download and install the patch.Also buy an antivirus and keep it 
    updated weekly . Also I'd suggest getting a firewall to protect from any outside intruders.
-------------------------------------------------------------------------
Tech Info:
Startup registry key-
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "windows auto update"="msblast.exe"
Dropped files-
 Windows system directory (c:\windows\system32 c:\winnt\system32)
                 msblast.exe
Note:
if you are running Windows XP, it is recommended that you temporarily turn off System Restore. Windows XP uses this feature, 
which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan 
infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Source:
available upon request.



---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
Content of type "text/html" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ