Full Disclosure mailing list archives

RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)


From: "Richard Stevens" <richard () tccnet co uk>
Date: Tue, 12 Aug 2003 12:15:25 +0100

I must be missing something here... xp home & pro both have a "click and forget" firewall?
 
why aren't people using it?
 

        -----Original Message----- 
        From: Chris Garrett [mailto:somatose () cox net] 
        Sent: Tue 12/08/2003 05:59 
        To: full-disclosure () lists netsys com 
        Cc: 
        Subject: Re: [Full-disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
        
        

        I had a friend infected with the worm earlier today, at about 17:00EST. He was
        running Windows XP Home edition. He called me because his computer had been
        rebooting "spontaneously," and whenever he would go to google to search for a
        strange binary he saw [msblast.exe], he either found nothing or was mysteriously
        redirected to some strange website. At least, I believe that was his
        description. I hadn't seen any reports of MSBlast on FD before this point, but I
        was almost certain it was a worm of some sort using the DCOM RPC exploit. I had
        him check the registry, remove the keys, and delete .*msblast.*. I also had him
        disable DCOM, since I doubted he was using anything that utilized it, then
        directed him to the MS03-26 patch. This was all based on a guess that he was
        infected by something DCOM related [makes sense given the massive publicity and
        severity of this vulnerability]. I wasn't certain if any other files were
        corrupted at the time, but those simple measures seemed to do the job. Imagine
        my surprise when 10 minutes later, I received an FD email reporting the release
        of a worm identified by an msblast binary.
        
        My friend also reported to me that /somehow/ his Norton Auto-Protect had been
        disabled. Now, I don't know if that was the worm [as I've not seen any analyses
        thus far to suggest that the worm does that], or if it was something he had
        disabled, accidentally, at some point.
        
        In short, XP is affected, as well. And I would imagine his computer kept
        rebooting because other systems within the class B range he was on were
        constantly probing his system and trying the 2K offset, and not because of the
        worm that had already infected his system [which was my original, incorrect,
        impression, before the analyses put out by ISC, XFocus, and Norton].
        
        Christopher Garrett III
        Inixoma, Incorporated
        
        _______________________________________________
        Full-Disclosure - We believe in it.
        Charter: http://lists.netsys.com/full-disclosure-charter.html
        

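Added example, not part of this thread or either poster's work: a small Python check over Windows XP firewall log lines for the pattern Chris describes above, repeated inbound attempts on the RPC endpoint mapper port (TCP/135, the port through which the DCOM RPC flaw fixed by MS03-026 is reached) coming from hosts in the victim's own /16. The pfirewall.log column layout, the victim address 10.5.17.8 and the log lines are constructed assumptions.

```python
from collections import Counter
import ipaddress

RPC_PORT = 135  # RPC endpoint mapper; the DCOM RPC flaw (MS03-026) is reached over it

# Constructed sample in the assumed XP ICF pfirewall.log layout.
# Victim is 10.5.17.8 (hypothetical); 10.5.x.x is its "class B" range.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-12 17:00:01 DROP TCP 10.5.3.44 10.5.17.8 1521 135 48 S 4186234 0 16384 - - -
2003-08-12 17:00:02 DROP TCP 10.5.3.44 10.5.17.8 1522 135 48 S 4186301 0 16384 - - -
2003-08-12 17:00:03 DROP TCP 10.5.200.9 10.5.17.8 3080 135 48 S 9921 0 65535 - - -
2003-08-12 17:00:04 DROP TCP 10.5.3.44 10.5.17.8 1523 135 48 S 4186400 0 16384 - - -
2003-08-12 17:00:05 DROP UDP 10.5.17.1 10.5.17.8 137 137 78 - - - - - - -
2003-08-12 17:00:06 DROP TCP 172.16.9.2 10.5.17.8 4001 135 48 S 77 0 8192 - - -
"""

def parse_pfirewall(log_text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def rpc_probes(log_text, victim_ip):
    """Count dropped TCP/135 attempts against victim_ip per source address.

    Returns (same_slash16, other): sources inside the victim's /16 versus
    everything else, so a sweep from neighbouring infected hosts stands out.
    """
    local_net = ipaddress.ip_network(f"{victim_ip}/16", strict=False)
    same, other = Counter(), Counter()
    for rec in parse_pfirewall(log_text):
        if rec["action"] != "DROP" or rec["protocol"] != "TCP":
            continue
        if rec["dst-ip"] != victim_ip or int(rec["dst-port"]) != RPC_PORT:
            continue
        bucket = same if ipaddress.ip_address(rec["src-ip"]) in local_net else other
        bucket[rec["src-ip"]] += 1
    return same, other

if __name__ == "__main__":
    same, other = rpc_probes(SAMPLE_LOG, "10.5.17.8")
    print("blocked TCP/135 probes from own /16:", dict(same))    # {'10.5.3.44': 3, '10.5.200.9': 1}
    print("blocked TCP/135 probes from elsewhere:", dict(other))  # {'172.16.9.2': 1}
```

A handful of distinct same-/16 sources hammering TCP/135 while the firewall is on is exactly the traffic that, with the firewall off, reaches the RPC service and produces the crash-and-reboot loop described in the post.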

