Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: RE: MSblast worm

From: "Jasper Blackwell" <jasper599 () hotmail com>
Date: Wed, 13 Aug 2003 06:02:04 +0100
Thanks for your answers all.
TC's answer raises an interesting question for me. Does anyone know what exploit is being used as part of the MSBlast worm? I am aware that there are different versions of the DCOM32 exploit, some of these versions require you to determine what service pack is on the machine and others use the universal offsets and therefore only require you to figure out whether it is 2000 or XP that is to be exploited. I am guessing here that as it may well be the original DCOM32 exploit that the worm does not use the universal offsets, can anyone give me a definite answer?
Also is anyone else in the situation that they have 2000 machines which are pre SP3 which are not infected, and 2000 machines with SP3 or above that are infected? Is there anyone out there with 2000 machines and SP2 or below that are infected?
The version we have here does not spread to W2000 boxes until they get SP3 installed. Then they are immediately compromised. NT4 did not infect. 

tc

Quoting Mike.Keighleylexicon.co.uk:
Ah, yes. The vulnerability does indeed exist in NT. But with respect, what Jasper asks is whether the *MSblast worm* affects NT ? The exploit code and discussions on here seem to suggest it targets only 2000 and XP.
Does *this exploit* target NT successfully ? Not that I have seen / heard. Could an exploit be written which exploits NT ? Oh yes. 

--
Mike


_________________________________________________________________
Sign-up for a FREE BT Broadband connection today! http://www.msn.co.uk/specials/btbroadband 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: