Open Source and information security mailing list archives
 
Message-ID: <B7C2C6BA798F3C4DBDD78BEDC1F8AD5701759560@nycmb01.law.sullcrom.com>
From: dowlingg at sullcrom.com (Dowling, Gabrielle)
Subject: dobble-clicking msblast.exe

Nick....

There is nothing magical except for the ubiquitous port it traverses on
and the fact that it seems to be managing to crash RPC on servers
regardless of privilege and on patched systems once it gets onto a
network....

If you recall, there was a second RPC vuln described around the time
that MS03-26 came out, and for which MS has not issued a patch. It
seems this worm uses it; that was what all the svchost stuff was about
(i.e., those machines weren't infected, they were rather negatively
affected).

G

-----Original Message-----
From: Nick FitzGerald [mailto:nick@...us-l.demon.co.uk] 
Sent: Tuesday, August 12, 2003 11:20 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] dobble-clicking msblast.exe


martin f krafft <madduck@...duck.net> wrote:

> Does anyone know what happens if you run msblast.exe on an uninfected 
> system?

It becomes infected and infective.

There is nothing especially magical about the features of the worm 
program -- run it and it starts trying to spread (or to DoS 
windowsupdate.com depending on the date).  Its function is certainly 
not affected by the way it gets onto a machine or whether it is 
launched by the exploit code or not (well, it may depend on some 
elevated privileges such as those it gets as local system from the 
RPC exploit code running, as it does, as part of a system service).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
