[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <228970000.1060659237@localhost>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: Windows RPC/DCOM - MSBlast Worm
--On Monday, August 11, 2003 15:42:36 -0400 Craig Baltes <craig@...hq.com>
wrote:
> Here's more on the new Windows RPC/DCOM worm.
>
> This one seems pretty simple so far. It does most of what you may have
> seen
> on isc.sans.org:
> - exploits via port 135/RPC.
> - downloads binary (msblast.exe) via tftp.
> - adds a registry key to re-start after reboot
>
> AND:
> - On the 16th, syn-floods (with spoofed sources) windowsupdate.com.
>
>From the looks of it, the worm shouldn't have much problem doing that. So
far I'm seeing hits from the following ISPs worldwide:
verizon.net
genuity.net
shawcable.com
attbi.com
insightbb.com
socal.rr.com
adephia.net
mindspring.com
charterwv.net
blueyonder.co.uk
retevision.es
pacbell.net
sympatico.ca
everett.wa.da.uu.net
austin.rr.com
nc.rr.com
rochester.rr.com
coastalnow.net
videotron.ca
radiant.net
chartermi.net
satx.rr.com
Dallas1.level3.net
Philadelphia.level3.net
comcast.net
fredericksburg2.va.da.uu.net
holman.wa.da.uu.net
seymour.in.da.uu.net
nj.comcast.net
mi.comcast.net
ameritech.net
pa.comcast.net
cox.net
airstreamcomm.net
forward012.net.il
numericable.fr
wanadoo.fr
aol.com
telesp.net.br
gvt.net.br
bigpond.net.au
optusnet.com.au
netvigator.com
mn.frontier.net
dial.up.net
corecomm.net
ma.cable.rcn.com
rasserver.net
seed.net.tw
hansenet.de
chello.nl
telia.com
qualitynet.net
dip.t-dialin.net
tpnet.pl
telia.com
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Powered by blists - more mailing lists