Full Disclosure mailing list archives
RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
From: "Mike" <mjcarter () ihug co nz>
Date: Tue, 12 Aug 2003 23:44:45 +1200
That's only good if you're at home, and they would also need to be savvy enough to know how to configure it properly.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Richard Stevens
Sent: Tuesday, 12 August 2003 11:15 p.m.
To: Chris Garrett; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

I must be missing something here... XP Home & Pro both have a "click and forget" firewall? Why aren't people using it?

-----Original Message-----
From: Chris Garrett [mailto:somatose () cox net]
Sent: Tue 12/08/2003 05:59
To: full-disclosure () lists netsys com
Cc:
Subject: Re: [Full-disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

I had a friend infected with the worm earlier today, at about 17:00 EST. He was running Windows XP Home edition. He called me because his computer had been rebooting "spontaneously," and whenever he would go to Google to search for a strange binary he saw [msblast.exe], he either found nothing or was mysteriously redirected to some strange website. At least, I believe that was his description.

I hadn't seen any reports of MSBlast on FD before this point, but I was almost certain it was a worm of some sort using the DCOM RPC exploit. I had him check the registry, remove the keys, and delete .*msblast.*. I also had him disable DCOM, since I doubted he was using anything that utilized it, then directed him to the MS03-26 patch. This was all based on a guess that he was infected by something DCOM related [makes sense given the massive publicity and severity of this vulnerability]. I wasn't certain if any other files were corrupted at the time, but those simple measures seemed to do the job. Imagine my surprise when 10 minutes later, I receive an FD email reporting the release of a worm identified by an msblast binary.

My friend also reported to me that /somehow/ his Norton Auto-Protect had been disabled. Now, I don't know if that was the worm [as I've not seen any analyses thus far to suggest that the worm does that], or if it was something he had disabled, accidentally, at some point.

In short, XP is affected, as well. And I would imagine his computer kept rebooting because other systems within the class B range he was on were constantly probing his system and trying the 2K offset, and not because of the worm that had already infected his system [which was my original, incorrect, impression, before the analyses put out by ISC, XFocus, and Norton].

Christopher Garrett III
Inixoma, Incorporated

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
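The manual cleanup Chris describes (check the Run key for the binary, delete .*msblast.*, turn DCOM off until the patch is on) can be scripted so the same triage is repeatable on the next box. The following is an added example written for this archive page, not code from the thread, from ISS or from any of the posters. It assumes the standard HKLM Run key for persistence and the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole (the switch dcomcnfg toggles) as the DCOM on/off state; the sample registry values and file listing are constructed, and the "windows auto update" value name is sample data, not a claim the thread makes. On Windows it reads the live registry and system32; anywhere else it runs against the constructed sample.

```python
# Blaster-style infection triage: Run-key persistence referencing msblast,
# a copy of the binary on disk, and whether DCOM is still enabled.
# Added example for the archive page; not the list's or any poster's code.
import re
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"   # standard autorun key
OLE_KEY = r"SOFTWARE\Microsoft\Ole"                           # holds EnableDCOM (assumed switch)
MSBLAST_RE = re.compile(r"msblast", re.IGNORECASE)            # the ".*msblast.*" from the post


def find_msblast_run_entries(run_values):
    """Names of Run-key values whose command line references msblast.
    run_values: {value_name: command_string}."""
    return sorted(name for name, cmd in run_values.items() if MSBLAST_RE.search(cmd))


def find_msblast_files(paths):
    """Paths whose file name (not a directory component) matches msblast."""
    return sorted(
        p for p in paths
        if MSBLAST_RE.search(p.replace("/", "\\").rsplit("\\", 1)[-1])
    )


def dcom_enabled(ole_values):
    """EnableDCOM defaults to 'Y'; only an explicit 'N' turns DCOM off."""
    return str(ole_values.get("EnableDCOM", "Y")).strip().upper() != "N"


def triage(run_values, paths, ole_values):
    """(finding, action) tuples in the order a responder acts on them:
    kill persistence, remove the binary, then cut the exposed surface."""
    findings = []
    for name in find_msblast_run_entries(run_values):
        findings.append((f"Run value '{name}' -> {run_values[name]}", "delete registry value"))
    for p in find_msblast_files(paths):
        findings.append((f"file {p}", "delete file"))
    if dcom_enabled(ole_values):
        # MS03-026 is the bulletin the post refers to as MS03-26.
        findings.append(("DCOM enabled", "set EnableDCOM=N (dcomcnfg) until MS03-026 is applied"))
    return findings


def read_live():
    """On Windows, pull the same data from the live registry and system32.
    Returns None elsewhere so the offline checks above still run."""
    if sys.platform != "win32":
        return None
    import os
    import winreg
    run, ole = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as k:
        i = 0
        while True:
            try:
                name, val, _ = winreg.EnumValue(k, i)
            except OSError:          # end of values
                break
            run[name] = str(val)
            i += 1
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, OLE_KEY) as k:
        try:
            ole["EnableDCOM"] = winreg.QueryValueEx(k, "EnableDCOM")[0]
        except OSError:              # value absent: treated as enabled
            pass
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    paths = [os.path.join(sysdir, f) for f in os.listdir(sysdir)]
    return run, paths, ole


# Constructed sample: an infected XP host next to one legitimate Run entry.
SAMPLE_RUN = {
    "windows auto update": "msblast.exe",
    "NvCplDaemon": r"RUNDLL32.EXE NvQTwk,NvStartup",
}
SAMPLE_PATHS = [r"C:\WINDOWS\system32\msblast.exe", r"C:\WINDOWS\system32\notepad.exe"]
SAMPLE_OLE = {"EnableDCOM": "Y"}

if __name__ == "__main__":
    live = read_live()
    run, paths, ole = live if live else (SAMPLE_RUN, SAMPLE_PATHS, SAMPLE_OLE)
    for what, action in triage(run, paths, ole):
        print(f"{what}: {action}")
```

The checks are pure functions over plain dicts and lists so they can be run against an exported registry hive and a directory listing from a box you cannot log into interactively; the live reader is only a convenience for the Windows case. Removing the Run value and the file stops the worm from coming back at reboot, but as the thread notes, the host will keep getting hit by neighbours probing the RPC service until DCOM is off or the patch is installed.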
Current thread:
- ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Darren Reed (Aug 11)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Matthew Murphy (Aug 11)
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Gerald Cody Bunch (Aug 11)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Chris Garrett (Aug 11)
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) ViLLaN (Aug 12)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) morning_wood (Aug 12)
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Gerald Cody Bunch (Aug 11)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Matthew Murphy (Aug 11)
- <Possible follow-ups>
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Gerald Cody Bunch (Aug 11)
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Richard Stevens (Aug 12)
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Mike (Aug 12)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Chris Garrett (Aug 12)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Andrew Simmons (Aug 12)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) gregh (Aug 13)
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Richard Stevens (Aug 12)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Lan Guy (Aug 12)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Jonathan Rickman (Aug 12)
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Dennis Heaton (Aug 12)
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Gordon Ewasiuk (Aug 12)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Jeremiah Cornelius (Aug 13)
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Nick FitzGerald (Aug 13)