Message-ID: <AC3C815D983E4F4F974EC31FDF7F5CAE8608EA@neon.netsvcs.com>
From: cslyon at netsvcs.com (Christopher Lyon)
Subject: dobble-clicking msblast.exe
Martin,
The way I infected a machine was I copied it to the %systemroot%\system32
then ran it. It won't do anything but give it a little time, you will
know you are infected then the reg entry shows it. From there it goes
out and tries to spread.
> -----Original Message-----
> From: gml [mailto:gml@...ick.net]
> Sent: Wednesday, August 13, 2003 11:32 AM
> To: nick@...us-l.demon.co.uk; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] dobble-clicking msblast.exe
>
> I would think it would try to copy itself to %systemroot%\system32 find
> that it doesn't have access to overwrite msblast.exe and then just keep
> executing, but then again.
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Nick
> FitzGerald
> Sent: Tuesday, August 12, 2003 11:20 AM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] dobble-clicking msblast.exe
>
> martin f krafft <madduck@...duck.net> wrote:
>
> > Does anyone know what happens if you run msblast.exe on an
> > uninfected system?
>
> It becomes infected and infective.
>
> There is nothing especially magical about the features of the worm
> program -- run it and it starts trying to spread (or to DoS
> windowsupdate.com depending on the date). Its function is certainly
> not affected by the way it gets onto a machine or whether it is
> launched by the exploit code or not (well, it may depend on some
> elevated privileges such as those it gets as local system from the
> RPC exploit code running, as it does, as part of a system service).
>
>
> --
> Nick FitzGerald
> Computer Virus Consulting Ltd.
> Ph/FAX: +64 3 3529854
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html