[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20030814024609.60327.qmail@web11402.mail.yahoo.com>
Date: Wed, 13 Aug 2003 19:46:09 -0700 (PDT)
From: w g <xillwillx@...oo.com>
To: w g <xillwillx@...oo.com>, bugtraq@...URITYFOCUS.COM,
full-disclosure@...ts.netsys.com
Subject: Re: Windows Dcom Worm Killer and source code
source available here
http://illmob.org/sources/DCOMkill.html
1.6 kb assembly program to kill and remove the dcom worm
http://illmob.org/files/dcomkiller.zip
DETAILS:
DCOM worm killer (W32.Blaster.Worm)
Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
Coded in MASM by:
illwill
xillwillx@...oo.com
www.illmob.org
8/13/2003
This program is a tool to remove the malicious worm
th! at spreads through exploiting the DCOM RPC vulnerability using TCP port 135.
This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444,
allowing an attacker to issue remote commands on the infected system.
This tool was made to Automate the process of removing the worm from memory and all files related to it.
-------------------------------------------------------------------------
Directions:
1. Execute the file called DCOMKill.exe
This will automatically kill the worms process
running in memory and remove the registry startup method
and then it will erase any files left by the worm.
2. All done :) ... next step
W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026,
and a patch is available there. You must download and install the patch.Also buy an antivirus and keep it
updated weekly . Also I'd suggest getting a firewall to protect from any outside intruders.
-------------------------------------------------------------------------
Tech Info:
Startup registry key-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
Dropped files-
Windows system directory (c:\windows\system32 c:\winnt\system32)
msblast.exe
Note:
if you are running Windows XP, it is recommended that you temporarily turn off System Restore. Windows XP uses this feature,
which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan
infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Source:
available upon request.
---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
---------------------------------
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
Content of type "text/html" skipped
Powered by blists - more mailing lists