Full Disclosure mailing list archives
RE: possible MS03-026 worm?
From: "mobly99" <dhopper () ameritech net>
Date: Sat, 2 Aug 2003 14:16:55 -0500
Not I that was scanned or exploited, but anyway... As my subject stated, my belief is that it was a possible worm. Who knows, I am not a programmer and couldn't disassemble to save my ass - which is why I pass it on to others with the skill to do so. I've heard from some sources that the dcomx.exe may contain an IRC "auto-rooter" / w32/lolol.worm.gen

Dave

-----Original Message-----
From: CHeeKY [mailto:cheekypeople () sec33 com]
Sent: Saturday, August 02, 2003 1:52 PM
To: tcpdumb; full-disclosure () lists netsys com; mobly99
Subject: Re: [Full-disclosure] possible MS03-026 worm?

So what you're saying is that you have been scanned using an rpc scanner, an rpctest was used to determine your operating system, tftp was used to upload files and the rest can be anything from winmgnt.exe to servudaemon.exe for opening an ftp server on your box, the worm.exe just looks like a neat batch file for ease of transfer of files and the spawning of a shell is simply the dcom rpc windows hack program in operation.

So have we a worm or have we a slight chance of over-reactive paranoia through naming of files? I value your need for validation, and maybe I am wrong and the rpc worm is out to kill folk, I hope my explanation is the one, anyways bring the worm on, I am patched, stormfront installed, full checkpoint ngfp3 suite and a network patching program to foil the world hehehehe

Enjoy ya weekend.

----- Original Message -----
From: "tcpdumb" <tcpdumb () pentiumbuster homelinux com>
To: <full-disclosure () lists netsys com>
Sent: Saturday, August 02, 2003 6:32 PM
Subject: Re: [Full-disclosure] possible MS03-026 worm?
On Sat, 2 Aug 2003 11:58:00 -0500 "mobly99" <dhopper () ameritech net> wrote:

> Seems to be a possible worm based on the RPC/DCOM exploit making the rounds?

Definitely. Depending on the logfiles from our Firewall at work, there must be something out there. Infected machines found at:

156.34.222.0/24
194.96.90.0/24
196.30.232.0/24
200.0.0.0/8
202.0.0.0/8

and so on. Their traffic is about 50-75% of a day's traffic. Fortunately without any damage to our systems. The worm seems to check hosts with a funny rhythm within a Subnet:

IP=123.123.123.1
$IP+5
$IP+1
$IP+4
$IP+2
$IP+3
$IP+3
$IP+2
$IP+4
$IP+1
$IP+5
...
...

Dunno why but I found it out reading the 24h output of our Firewall. The coder must be stupid/[totally stoned] or simply made a mistake coding the loops for scanning.

> Strange thing, Lukas puts these files in %systemdrive%
>
> rpc.exe
> rpctest.exe
> tftpd.exe
> worm.exe
> lolx.exe
>
> also in %windir%\system32
>
> lolx.exe
> dcomx.exe
>
> rpc.exe and dcomx.exe appear in the running tasks. I pulled samples of them and submitted to SARC.
>
> -Dave

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
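The scanning "rhythm" tcpdumb pulled out of the firewall logs is something a defender can check for automatically. The script below is an added example, not code from anyone in this thread: it parses a constructed, hypothetical firewall log format (time, action, src, dst, dport), flags any source probing port 135 (the RPC endpoint mapper MS03-026 concerns) on many distinct hosts in a subnet, and prints each probe's offset from the first target so the "$IP+n" pattern described above becomes visible.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed firewall log (hypothetical format: time action src dst dport); not real traffic.
# Scanner 198.51.100.7 walks 10.0.0.0/24 in the order the post describes:
# first host .1, then +5, +1, +4, +2, +3, +3, +2, +4, +1, +5 relative to it.
SAMPLE_LOG = """\
2003-08-02T14:00:01 DROP 198.51.100.7 10.0.0.1 135
2003-08-02T14:00:01 DROP 198.51.100.7 10.0.0.6 135
2003-08-02T14:00:02 DROP 198.51.100.7 10.0.0.2 135
2003-08-02T14:00:02 DROP 198.51.100.7 10.0.0.5 135
2003-08-02T14:00:03 DROP 198.51.100.7 10.0.0.3 135
2003-08-02T14:00:03 DROP 198.51.100.7 10.0.0.4 135
2003-08-02T14:00:04 DROP 198.51.100.7 10.0.0.4 135
2003-08-02T14:00:04 DROP 198.51.100.7 10.0.0.3 135
2003-08-02T14:00:05 DROP 198.51.100.7 10.0.0.5 135
2003-08-02T14:00:05 DROP 198.51.100.7 10.0.0.2 135
2003-08-02T14:00:06 DROP 198.51.100.7 10.0.0.6 135
2003-08-02T14:00:07 ALLOW 203.0.113.9 10.0.0.80 80
2003-08-02T14:00:08 ALLOW 10.0.0.20 10.0.0.21 135
"""

def parse_log(text):
    """Parse 'time action src dst dport' lines; skip anything malformed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, action, src, dst, dport = parts
        events.append((ts, action, src, dst, int(dport)))
    return events

def rpc_scanners(events, min_hosts=5):
    """Sources probing port 135 on at least min_hosts distinct hosts -> ordered target list."""
    probes = defaultdict(list)
    for _, _, src, dst, dport in events:
        if dport == 135:
            probes[src].append(dst)          # keep every probe, in log order
    return {src: dsts for src, dsts in probes.items() if len(set(dsts)) >= min_hosts}

def host_offsets(dsts):
    """Last-octet offset of each probe from the first one, i.e. the '$IP+n' rhythm."""
    octets = [int(ip_address(d)) & 0xFF for d in dsts]
    return [o - octets[0] for o in octets]

if __name__ == "__main__":
    for src, dsts in rpc_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src} probed {len(set(dsts))} hosts on port 135; rhythm {host_offsets(dsts)}")
```

A single internal host talking to one neighbour on port 135 stays below the distinct-host threshold, so ordinary RPC traffic is not reported.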
Attachment:
smime.p7s