Educause Security Discussion mailing list archives
DShield and Symantec report MSBlast in wild
From: Phil Rodrigues <Phil.Rodrigues () UCONN EDU>
Date: Mon, 11 Aug 2003 16:18:50 -0400
DShield and Symantec have reported that a worm exploting RPC-DCOM TCP 135 has been released in the wild: http://isc.sans.org/ http://tms.symantec.com Craig Baltes of LURHQ corp reported this on the DShield list: =========================================================== Here's more on the new Windows RPC/DCOM worm. This one seems pretty simple so far. It does most of what you may have seen on isc.sans.org: - exploits via port 135/RPC. - downloads binary (msblast.exe) via tftp. - adds a registry key to re-start after reboot AND: - On the 16th, syn-floods (with spoofed sources) windowsupdate.com. -- Craig Baltes GCIA, CCSE Senior Information Security Analyst LURHQ corp. www.lurhq.com craig () lurhq com =========================================================== Good luck! Phil ======================================= Philip A. Rodrigues Network Analyst, UITS University of Connecticut email: phil.rodrigues () uconn edu phone: 860.486.3743 fax: 860.486.6580 web: http://www.security.uconn.edu ======================================= ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- DShield and Symantec report MSBlast in wild Phil Rodrigues (Aug 11)
- <Possible follow-ups>
- Re: DShield and Symantec report MSBlast in wild Marty Hoag (Aug 12)
- Re: DShield and Symantec report MSBlast in wild Jim Moore (Aug 12)
- Re: DShield and Symantec report MSBlast in wild Phil Rodrigues (Aug 13)
- Re: DShield and Symantec report MSBlast in wild Marty Hoag (Aug 13)
- Re: DShield and Symantec report MSBlast in wild Doug Sandford (Aug 13)
- Re: DShield and Symantec report MSBlast in wild Michelle Mueller (Aug 14)