Educause Security Discussion mailing list archives

DShield and Symantec report MSBlast in wild


From: Phil Rodrigues <Phil.Rodrigues () UCONN EDU>
Date: Mon, 11 Aug 2003 16:18:50 -0400

DShield and Symantec have reported that a worm exploiting RPC-DCOM TCP 135
has been released in the wild:

http://isc.sans.org/

http://tms.symantec.com

Craig Baltes of LURHQ corp reported this on the DShield list:

===========================================================

Here's more on the new Windows RPC/DCOM worm.

This one seems pretty simple so far. It does most of what you may have seen
on isc.sans.org:
- exploits via port 135/RPC.
- downloads binary (msblast.exe) via tftp.
- adds a registry key to re-start after reboot.

AND:
- On the 16th, syn-floods (with spoofed sources) windowsupdate.com.

--
Craig Baltes GCIA, CCSE
Senior Information Security Analyst
LURHQ corp. www.lurhq.com
craig () lurhq com

===========================================================

Good luck!

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues () uconn edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
