Message-ID: <20030816014905.18057.qmail@web11406.mail.yahoo.com>
From: xillwillx at yahoo.com (w g)
Subject: DCOM WORM Killer 2.0


http://illmob.org/rpc/cleaners/dcom2.zip

Kills and removes the Blaster worm and the B and C variants of it. All in a pretty little package of 1.62kb (gotta love assembly)

                      Coded in MASM by:
                             illwill                  
                     xillwillx@...oo.com      
                        www.illmob.org       


                      DCOM worm killer (W32.Blaster.Worm) 
 Aliases:  W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
           WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
WORM_MSBLAST.B [Trend], Win32.Poza.C [CA], W32/Lovsan.worm.c [McAfee], Worm.Win32.Lovesan [KAV]
etc..... blablablabla keep changing it motherfuckers we'll still find yer ass   :)


 This program is a tool to remove the malicious worm(s)
 that spread through exploiting the DCOM RPC vulnerability using TCP port 135. 
 This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
 Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, 
 allowing an attacker to issue remote commands on the infected system.
 This tool was made to automate the process of removing the worm from memory and all files related to it.

-------------------------------------------------------------------------
 Directions:
 1. Execute the file called DCOM2.exe
       a. Deletes the registry values that have been added.
       b. Terminates the W32.Blaster.Worm, W32.Blaster.B.Worm, and W32.Blaster.C.Worm viral processes. 
       c. Deletes the W32.Blaster.Worm, W32.Blaster.B.Worm and W32.Blaster.C.Worm files. 
       d. Deletes the dropped files. 

-------------------------------------------------------------------------
Tech Info:
Startup registry keys-
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "windows auto update"="msblast.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "windows auto update"="penis32.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "Microsoft Inet Xp.."="teekids.exe"

Dropped files-
 Windows system directory (c:\windows\system32 c:\winnt\system32)
 'msblast.exe'  'penis32.exe'  'teekids.exe' 'root32.exe' 'index.exe'

Source:
http://illmob.org/sources/DCOM2.html
http://illmob.org/sources/DCOM2.asm



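As an added, report-only example that is not illwill's tool, the check below parses a `reg export` of the Run key named in the Tech Info section and a system32 listing, and flags the value names and dropped file names the post lists. The `.reg` text and the file listing are constructed samples, not real data.

```python
import re

# Indicators quoted in the post above (the three Run-key executables are among the dropped files).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BLASTER_FILES = {"msblast.exe", "penis32.exe", "teekids.exe", "root32.exe", "index.exe"}


def _unescape(s):
    # .reg exports escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse 'reg export' output into {key_path: {value_name: data}}.
    Only REG_SZ values are handled, which is all a Run key normally holds."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                result[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def find_blaster_indicators(reg_text, system32_files):
    """Report, without modifying anything, the Run values and system32 files
    matching the names listed in the post. Returns [(kind, detail), ...]."""
    findings = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        exe = data.strip('"').split("\\")[-1].lower()  # tolerate a full path in the data
        if exe in BLASTER_FILES:
            findings.append(("run_value", f"{name}={data}"))
    for fname in system32_files:
        if fname.lower() in BLASTER_FILES:
            findings.append(("dropped_file", fname))
    return findings


# Constructed sample export of the Run key and a constructed system32 listing (not real data).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"""
SAMPLE_SYSTEM32 = ["kernel32.dll", "MSBLAST.EXE", "cmd.exe", "teekids.exe"]
```

Run `find_blaster_indicators(SAMPLE_REG, SAMPLE_SYSTEM32)` to get the matching Run value and the two dropped files; on a real host, feed it the output of `reg export` for that key and a listing of the system32 directory.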
