Full Disclosure mailing list archives

RE: possible MS03-026 worm?


From: "mobly99" <dhopper () ameritech net>
Date: Sat, 2 Aug 2003 14:16:55 -0500

It wasn't I who was scanned or exploited, but anyway...
As my subject stated, my belief is that it was a possible worm. Who knows?
I am not a programmer and couldn't disassemble to save my ass, which is
why I pass it on to others with the skill to do so.

I've heard from some sources that the dcomx.exe may contain an IRC
"auto-rooter" / w32/lolol.worm.gen

Dave

-----Original Message-----
From: CHeeKY [mailto:cheekypeople () sec33 com] 
Sent: Saturday, August 02, 2003 1:52 PM
To: tcpdumb; full-disclosure () lists netsys com; mobly99
Subject: Re: [Full-disclosure] possible MS03-026 worm?

so what you're saying is that you have been scanned using an rpc scanner, a rpctest was used to determine your operating system, tftp was used to upload files and the rest can be anything from winmgnt.exe to servudaemon.exe for opening a ftp server on your box, the worm.exe just looks like a neat batch file for ease of transfer of files and the spawning of a shell is simply the dcom rpc windows hack program in operation.

So have we a worm or have we a slight chance of overreactive paranoia through naming of files?
I value your need for validation, and maybe I am wrong and the rpc worm is out to kill folk,
I hope my explanation is the one, anyways bring the worm on, I am patched, stormfront installed, full checkpoint ngfp3 suite and a network patching program to foil the world hehehehe

Enjoy ya weekend.




----- Original Message ----- 
From: "tcpdumb" <tcpdumb () pentiumbuster homelinux com>
To: <full-disclosure () lists netsys com>
Sent: Saturday, August 02, 2003 6:32 PM
Subject: Re: [Full-disclosure] possible MS03-026 worm?


On Sat, 2 Aug 2003 11:58:00 -0500
"mobly99" <dhopper () ameritech net> wrote:

Seems to be a possible worm based on the RPC/DCOM exploit making the rounds?

Definitely. Depending on the logfiles from our Firewall at work, there must be something out there. Infected machines found at:

156.34.222.0/24
194.96.90.0/24
196.30.232.0/24
200.0.0.0/8
202.0.0.0/8

and so on. Their traffic is about 50-75% of a day's traffic. Fortunately without any damage to our systems. The worm seems to check hosts with a funny rhythm within a Subnet:

IP=123.123.123.1

$IP+5
$IP+1
$IP+4
$IP+2
$IP+3
$IP+3
$IP+2
$IP+4
$IP+1
$IP+5
...
...


Dunno why but I found it out reading the 24h output of our Firewall. The coder must be stupid/[totally stoned] or simply made a mistake coding the loops for scanning.
Strange thing,

Lukas

puts these files in %systemdrive%
rpc.exe
rpctest.exe
tftpd.exe
worm.exe
lolx.exe

also in %windir%\system32
lolx.exe
dcomx.exe

rpc.exe and dcomx.exe appear in the running tasks.


I pulled samples of them and submitted to SARC.


-Dave

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
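The scan order Lukas reports above (+5, +1, +4, +2, +3, +3, +2, +4, +1, +5 from the .1 host of a subnet) is distinctive enough to check for in firewall logs. The following is an added example, not code from anyone on the thread: it parses constructed log lines (the "time src dst dport" layout is an assumption, as is the idea that the rhythm repeats per /24) and flags any source whose port-135 probes walk a subnet in that order.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Probe order reported in the thread, as offsets from the .1 host of a /24:
# +5, +1, +4, +2, +3, +3, +2, +4, +1, +5. Assumed to recur per subnet.
RHYTHM = (5, 1, 4, 2, 3, 3, 2, 4, 1, 5)

# Constructed sample log (not real traffic); the "<time> <src> <dst> <dport>"
# layout is an assumption, not any particular firewall's format.
SAMPLE_LOG = """\
12:00:01 10.9.8.7 192.0.2.6 135
12:00:01 10.9.8.7 192.0.2.2 135
12:00:02 10.9.8.7 192.0.2.5 135
12:00:02 10.9.8.7 192.0.2.3 135
12:00:03 10.9.8.7 192.0.2.4 135
12:00:03 10.9.8.7 192.0.2.4 135
12:00:04 10.9.8.7 192.0.2.3 135
12:00:04 10.9.8.7 192.0.2.5 135
12:00:05 10.9.8.7 192.0.2.2 135
12:00:05 10.9.8.7 192.0.2.6 135
12:00:06 10.9.8.8 192.0.2.10 135
12:00:07 10.9.8.8 192.0.2.11 80
"""

LINE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+(\d+)$")

def probe_offsets(log_text, port=135):
    """Group port-135 probes by (source, destination /24) in log order and
    express each destination as an offset from that subnet's .1 host."""
    seqs = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(3)) != port:
            continue  # unparseable, or not an RPC/DCOM (TCP 135) probe
        src, dst = m.group(1), ip_address(m.group(2))
        subnet = ip_network(f"{dst}/24", strict=False)
        seqs[(src, str(subnet))].append(int(dst) - int(subnet.network_address) - 1)
    return seqs

def has_rhythm(offsets, pattern=RHYTHM):
    """True if the offset sequence contains the pattern as a contiguous run."""
    n = len(pattern)
    return any(tuple(offsets[i:i + n]) == pattern
               for i in range(len(offsets) - n + 1))

def detect_rhythm(log_text):
    """Return (source, subnet) pairs whose probe order shows the worm's rhythm."""
    return [key for key, offs in probe_offsets(log_text).items()
            if has_rhythm(offs)]
```

Only the first source in the sample matches; the second source sends one port-135 probe and one unrelated port-80 connection, so it is left alone.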



