Message-ID: <20030816014905.18057.qmail@web11406.mail.yahoo.com>
From: xillwillx at yahoo.com (w g)
Subject: DCOM WORM Killer 2.0
http://illmob.org/rpc/cleaners/dcom2.zip
Kills and removes the Blaster worm and the B and C variants of it. All in a pretty little package of 1.62kb (gotta love assembly).
Coded in MASM by:
illwill
xillwillx@...oo.com
www.illmob.org
DCOM worm killer (W32.Blaster.Worm)
Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
WORM_MSBLAST.B [Trend], Win32.Poza.C [CA], W32/Lovsan.worm.c [McAfee], Worm.Win32.Lovesan [KAV]
etc..... blablablabla keep changing it motherfuckers we'll still find yer ass :)
This program is a tool to remove the malicious worm(s)
that spread through exploiting the DCOM RPC vulnerability using TCP port 135.
This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444,
allowing an attacker to issue remote commands on the infected system.
This tool was made to automate the process of removing the worm from memory and all files related to it.
-------------------------------------------------------------------------
Directions:
1. Execute the file called DCOM2.exe
   a. Deletes the registry values that have been added.
   b. Terminates the W32.Blaster.Worm, W32.Blaster.B.Worm, and W32.Blaster.C.Worm viral processes.
   c. Deletes the W32.Blaster.Worm, W32.Blaster.B.Worm and W32.Blaster.C.Worm files.
   d. Deletes the dropped files.
-------------------------------------------------------------------------
Tech Info:
Startup registry keys-
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "windows auto update"="msblast.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "windows auto update"="penis32.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Microsoft Inet Xp.."="teekids.exe"
Dropped files-
  Windows system directory (c:\windows\system32 or c:\winnt\system32)
    'msblast.exe' 'penis32.exe' 'teekids.exe' 'root32.exe' 'index.exe'
Source:
http://illmob.org/sources/DCOM2.html
http://illmob.org/sources/DCOM2.asm
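A read-only host audit for the indicators listed in the Tech Info above (the Run-key values, the dropped files, the worm processes and the TCP 4444 listener), added here as an example and not part of illwill's DCOM2 tool. It assumes a current Windows host with PowerShell 5 or later and the NetTCPIP module (Get-NetTCPConnection), which the 2003-era systems the post targets did not have; it reports findings and deletes nothing.

```powershell
# Added example (not illwill's code): report Blaster indicators from the post above.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Run-key value name -> data pairs from the post (hashtable keys are case-insensitive).
$knownRunValues = @{
    'windows auto update' = @('msblast.exe', 'penis32.exe')
    'Microsoft Inet Xp..' = @('teekids.exe')
}
$droppedFiles = 'msblast.exe', 'penis32.exe', 'teekids.exe', 'root32.exe', 'index.exe'
$findings = @()

# 1. Persistence: walk every value under the Run key, not just the three known names,
#    so a renamed value that still launches a dropped file is caught too.
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # skip provider metadata
        $data = [string]$prop.Value
        $leaf = [System.IO.Path]::GetFileName($data.Trim('"'))
        if ($knownRunValues.ContainsKey($prop.Name) -and ($knownRunValues[$prop.Name] -contains $leaf)) {
            $findings += "Run value '$($prop.Name)' = '$data' (known Blaster entry)"
        } elseif ($droppedFiles -contains $leaf) {
            $findings += "Run value '$($prop.Name)' launches dropped file '$data'"
        }
    }
}

# 2. Dropped files in the system directories the post names (plus the live %SystemRoot%).
$sysDirs = @("$env:SystemRoot\system32", 'C:\windows\system32', 'C:\winnt\system32') | Sort-Object -Unique
foreach ($dir in $sysDirs) {
    foreach ($f in $droppedFiles) {
        $p = Join-Path $dir $f
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}

# 3. Worm processes still in memory (ProcessName has no .exe suffix).
Get-Process | Where-Object { $droppedFiles -contains ($_.ProcessName + '.exe') } |
    ForEach-Object { $findings += "Process running: $($_.ProcessName) (PID $($_.Id))" }

# 4. The hidden cmd.exe shell the post describes listens on TCP 4444.
$listener = Get-NetTCPConnection -LocalPort 4444 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listener) { $findings += "TCP 4444 listening (owning PID $($l.OwningProcess))" }

if ($findings.Count -eq 0) { 'No Blaster indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt so the process and connection queries can see every PID; a TCP 4444 listener is only a lead, since other software uses that port.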