[<prev] [next>] [day] [month] [year] [list]
Message-ID: <B7C2C6BA798F3C4DBDD78BEDC1F8AD5701759560@nycmb01.law.sullcrom.com>
From: dowlingg at sullcrom.com (Dowling, Gabrielle)
Subject: dobble-clicking msblast.exe
Nick....
There is nothing magical except for the ubiquitous port it traverses on
and the fact that is seems to managing to crash RPC on servers
regardless of privilege and on patched systems once it gets onto a
network....
If you recall, there was a second RPC vuln described around the time
that MS03-26 came out., and for which MS has not issued a patch It
seems this worm uses it, that was what all the svchost stuff was about
(i.e., those machines weren't infected, they were rather negatively
affected).
G
-----Original Message-----
From: Nick FitzGerald [mailto:nick@...us-l.demon.co.uk]
Sent: Tuesday, August 12, 2003 11:20 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] dobble-clicking msblast.exe
martin f krafft <madduck@...duck.net> wrote:
> Does anyone know what happens if you run msblast.exe on an uninfected
> system?
It becomes infected and infective.
There is nothing especially magical about the features of the worm
program -- run it and it starts trying to spread (or to DoS
windowsupdate.com depending on the date). Its function is certainly
not affected by the way it gets onto a machine or whether it is
launched by the exploit code or not (well, it may depend on some
elevated privileges such as the those it gets as local system from the
RPC exploit code running, as it does, as part of a system service).
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
**********************************************************************
This e-mail is sent by a law firm and contains information
that may be privileged and confidential. If you are not the
intended recipient, please delete the e-mail and notify us
immediately.
***********************************************************************
Powered by blists - more mailing lists