Message-ID: <011701c3592a$a6ab2b80$6e0ac80a@ptah>
From: dhopper at ameritech.net (mobly99)
Subject: possible MS03-026 worm?
Not I that was scanned or exploited, but anyway...
As my subject stated, my belief is that it was a possible worm. Who knows; I am not a programmer and couldn't disassemble to save my ass - which is why I pass it on to others with the skill to do so.
I've heard from some sources that the dcomx.exe may contain an IRC
"auto-rooter" / w32/lolol.worm.gen
Dave
-----Original Message-----
From: CHeeKY [mailto:cheekypeople@...33.com]
Sent: Saturday, August 02, 2003 1:52 PM
To: tcpdumb; full-disclosure@...ts.netsys.com; mobly99
Subject: Re: [Full-Disclosure] possible MS03-026 worm?
so what you're saying is that you have been scanned using an rpc scanner, an rpctest was used to determine your operating system, tftp was used to upload files and the rest can be anything from winmgnt.exe to servudaemon.exe for opening a ftp server on your box, the worm.exe just looks like a neat batch file for ease of transfer of files and the spawning of a shell is simply the dcom rpc windows hack program in operation.
So have we a worm or have we a slight chance of overreactive paranoia through naming of files?
I value your need for validation, and maybe I am wrong and the rpc worm is out to kill folk.
I hope my explanation is the one; anyways bring the worm on, I am patched, stormfront installed, full checkpoint ngfp3 suite and a network patching program to foil the world hehehehe
Enjoy ya weekend.
----- Original Message -----
From: "tcpdumb" <tcpdumb@...tiumbuster.homelinux.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Saturday, August 02, 2003 6:32 PM
Subject: Re: [Full-Disclosure] possible MS03-026 worm?
> On Sat, 2 Aug 2003 11:58:00 -0500
> "mobly99" <dhopper@...ritech.net> wrote:
>
> > Seems to be a possible worm based on the RPC/DCOM exploit making the
> > rounds?
>
> Definitely. Depending on the logfiles from our Firewall at work, there must be something out there. Infected machines found at:
>
> 156.34.222.0/24
> 194.96.90.0/24
> 196.30.232.0/24
> 200.0.0.0/8
> 202.0.0.0/8
>
> and so on. Their traffic is about 50-75% of a day's traffic. Fortunately without any damage to our systems. The worm seems to check hosts with a funny rhythm within a subnet:
>
> IP=123.123.123.1
>
> $IP+5
> $IP+1
> $IP+4
> $IP+2
> $IP+3
> $IP+3
> $IP+2
> $IP+4
> $IP+1
> $IP+5
> ...
> ...
>
>
> Dunno why but I found it out reading the 24h output of our Firewall. The coder must be stupid/[totally stoned] or simply made a mistake coding the loops for scanning.
> Strange thing,
>
> Lukas
>
> > puts these files in %systemdrive%
> > rpc.exe
> > rpctest.exe
> > tftpd.exe
> > worm.exe
> > lolx.exe
> >
> > also in %windir%\system32
> > lolx.exe
> > dcomx.exe
> >
> > rpc.exe and dcomx.exe appear in the running tasks.
> >
> >
> > I pulled samples of them and submitted to SARC.
> >
> >
> > -Dave
> >
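A defender-side illustration of Lukas's firewall observation, added here and not part of the list thread: a Python sketch that groups firewall log lines by source and destination /24, flags sources probing tcp/135 across several hosts, and checks whether the probe order matches the reported +5, +1, +4, +2, +3, +3, +2, +4, +1, +5 sequence. Reading those as offsets from the subnet's .1 host is an assumption, and the log format and addresses are constructed.

```python
import re
from collections import defaultdict

# Lukas's reported probe order, read here as offsets from a subnet's .1 host
# (an assumption of this example; the post does not say if they accumulate).
REPORTED_RHYTHM = (5, 1, 4, 2, 3, 3, 2, 4, 1, 5)
DCOM_PORT = 135

# Constructed sample firewall lines in an invented format, not from the post.
SAMPLE_LOG = """\
Aug 02 13:01:05 fw DROP src=198.51.100.9 dst=192.0.2.6 proto=tcp dport=135
Aug 02 13:01:05 fw DROP src=198.51.100.9 dst=192.0.2.2 proto=tcp dport=135
Aug 02 13:01:06 fw DROP src=198.51.100.9 dst=192.0.2.5 proto=tcp dport=135
Aug 02 13:01:06 fw DROP src=198.51.100.9 dst=192.0.2.3 proto=tcp dport=135
Aug 02 13:01:07 fw DROP src=198.51.100.9 dst=192.0.2.4 proto=tcp dport=135
Aug 02 13:01:07 fw DROP src=198.51.100.9 dst=192.0.2.4 proto=tcp dport=135
Aug 02 13:01:08 fw DROP src=198.51.100.9 dst=192.0.2.3 proto=tcp dport=135
Aug 02 13:01:08 fw DROP src=198.51.100.9 dst=192.0.2.5 proto=tcp dport=135
Aug 02 13:01:09 fw DROP src=198.51.100.9 dst=192.0.2.2 proto=tcp dport=135
Aug 02 13:01:09 fw DROP src=198.51.100.9 dst=192.0.2.6 proto=tcp dport=135
Aug 02 13:02:00 fw ACCEPT src=203.0.113.4 dst=192.0.2.10 proto=tcp dport=80
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def collect_dcom_probes(log_text):
    """Map (src, dst /24) -> ordered last octets probed on tcp/135."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "tcp" and int(m.group(4)) == DCOM_PORT:
            net, host = m.group(2).rsplit(".", 1)
            probes[(m.group(1), net + ".0/24")].append(int(host))
    return probes

def matches_rhythm(octets, base=1, rhythm=REPORTED_RHYTHM):
    """True if the hosts were hit in the reported order as a contiguous run."""
    expected = [base + off for off in rhythm]
    n = len(expected)
    return any(octets[i:i + n] == expected for i in range(len(octets) - n + 1))

def find_scanners(log_text, min_hosts=5):
    """{src: [(subnet, distinct hosts, rhythm matched)]} for sources that
    probed tcp/135 on at least min_hosts distinct hosts within one /24."""
    report = defaultdict(list)
    for (src, net), octets in collect_dcom_probes(log_text).items():
        if len(set(octets)) >= min_hosts:
            report[src].append((net, len(set(octets)), matches_rhythm(octets)))
    return dict(report)
```

The distinct-host threshold alone catches a plain tcp/135 sweep; the rhythm check only adds a hint that the sweep resembles the one Lukas described.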