Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAg2ZzuQ4fWEGEU2WMMis14cKAAAAQAAAAAW3mq4bT80KsGvhLJP7d4wEAAAAA@ihug.co.nz>
From: mjcarter at ihug.co.nz (Mike)
Subject: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

That's only good if you're at home and they would also need to be savvy
enough to know how to configure it properly

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Richard
Stevens
Sent: Tuesday, 12 August 2003 11:15 p.m.
To: Chris Garrett; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM
Worm Propagation (fwd)


I must be missing something here... XP Home & Pro both have a "click and
forget" firewall?

Why aren't people using it?


	-----Original Message----- 
	From: Chris Garrett [mailto:somatose@....net] 
	Sent: Tue 12/08/2003 05:59 
	To: full-disclosure@...ts.netsys.com 
	Cc: 
	Subject: Re: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
	
	

	I had a friend infected with the worm earlier today, at about 17:00EST. He was
	running Windows XP Home edition. He called me because his computer had been
	rebooting "spontaneously," and whenever he would go to Google to search for a
	strange binary he saw [msblast.exe], he either found nothing or was mysteriously
	redirected to some strange website. At least, I believe that was his
	description. I hadn't seen any reports of MSBlast on FD before this point, but I
	was almost certain it was a worm of some sort using the DCOM RPC exploit. I had
	him check the registry, remove the keys, and delete .*msblast.*. I also had him
	disable DCOM, since I doubted he was using anything that utilized it, then
	directed him to the MS03-26 patch. This was all based on a guess that he was
	infected by something DCOM related [makes sense given the massive publicity and
	severity of this vulnerability]. I wasn't certain if any other files were
	corrupted at the time, but those simple measures seemed to do the job. Imagine
	my surprise when 10 minutes later, I receive an FD email reporting the release
	of a worm identified by an msblast binary.
	
	My friend also reported to me that /somehow/ his Norton Auto-Protect had been
	disabled. Now, I don't know if that was the worm [as I've not seen any analyses
	thus far to suggest that the worm does that], or if it was something he had
	disabled, accidentally, at some point.
	
	In short, XP is affected, as well. And I would imagine his computer kept
	rebooting because other systems within the class B range he was on were
	constantly probing his system and trying the 2K offset, and not because of the
	worm that had already infected his system [which was my original, incorrect,
	impression, before the analyses put out by ISC, XFocus, and Norton].
	
	Christopher Garrett III
	Inixoma, Incorporated
	
	_______________________________________________
	Full-Disclosure - We believe in it.
	Charter: http://lists.netsys.com/full-disclosure-charter.html
	
