Full Disclosure mailing list archives
Re: [UPDATE] ping floods
From: "benjurry" <benjurry () szcert org>
Date: Tue, 19 Aug 2003 01:08:54 +0800
This worn written by VC++6.0 and compressed by UPX. Its size is 10240 bytes. The worm's aim is to remove the msblast anf patch the system,which infects by RPC DCOM and WebDEV. When it go into the system ,it copy %systemroot%\system32\dllcache\tftpd.exe to %systemroot%\system32\wins\svchost.exe ,then create the service named RPCTftpd ,and its Display is ""Network Connections Sharing". And then It copy himself to %systemroot%\system32\wins\dllhost.exe ,then create the service named RpcPath . 3rd,the worm will check the process "msblast" and remove it ,then download the patch form the M$ according diffrent language version,and patch system with parameter "-n -o -z -q". Then it scan the subnet with ICMP filled with ,whose type is "echo" and size is 92 bytes ,so there are large volumes of ICMP traffic in network .when the worm find a host ,it will try to infect with RPC DCOM and Webdev, If sucess it will listen a TCP port less than 1000 to send the file.If the year is 2004,then it will remove itself.So the easiest way to remove is adjust your time. It seems it is a "good " worm to clean msblast:) benjurry ----- Original Message ----- From: "Sam Pointer" <sam.pointer () hpdsoftware com> To: "'Abraham, Antony (Cognizant)'" <Antony () blr cognizant com>; <B3r3n () argosnet com>; <full-disclosure () lists netsys com> Sent: Tuesday, August 19, 2003 12:15 AM Subject: RE: [Full-disclosure] [UPDATE] ping floods
Antony Abraham wrote:http://vil.nai.com/vil/content/v_100559.htm New RPC worm which will generate lot of ICMP traffic.Well I guess it would appear from this portion of NAI's analysis that someone was listening to the thread on this list about writing an anti-blaster worm: "The worm carries links to various patches for the MS03-026 vulnerability: ... The worm attempts to download and install one of these patches on the victim machine." This email and any attachments are strictly confidential and are intended solely for the addressee. If you are not the intended recipient you must not disclose, forward, copy or take any action in reliance on this message or its attachments. If you have received this email in error please notify the sender as soon as possible and delete it from your computer systems. Any views or opinions presented are solely those of the author and do not necessarily reflect those of HPD Software Limited or its affiliates. At present the integrity of email across the internet cannot be guaranteed and messages sent via this medium are potentially at risk. All liability is excluded to the extent permitted by law for any claims arising as a re- sult of the use of this medium to transmit information by or to HPD Software Limited or its affiliates. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [UPDATE] ping floods B3r3n (Aug 18)
- <Possible follow-ups>
- [UPDATE] ping floods B3r3n (Aug 18)
- RE: [UPDATE] ping floods Abraham, Antony (Cognizant) (Aug 18)
- RE: [UPDATE] ping floods Stahlkrantz, Mats (Mats) (Aug 18)
- RE: [UPDATE] ping floods Jerry Heidtke (Aug 18)
- Re: [UPDATE] ping floods Andreas Gietl (Aug 18)
- Re: [UPDATE] ping floods Chris G. Turner (Aug 18)
- Re: [UPDATE] ping floods Andreas Gietl (Aug 18)
- RE: [UPDATE] ping floods Dolinar, Jon (Aug 18)
- RE: [UPDATE] ping floods Abraham, Antony (Cognizant) (Aug 18)
- RE: [UPDATE] ping floods Sam Pointer (Aug 18)
- Re: [UPDATE] ping floods benjurry (Aug 18)
- RE: [UPDATE] ping floods Drew Copley (Aug 18)
- RE: [UPDATE] ping floods B3r3n (Aug 18)
- Why Fixer Worms Are A Bad Idea RE: [UPDATE] ping floods Drew Copley (Aug 18)
- Re: [UPDATE] ping floods benjurry (Aug 18)
- Re: [UPDATE] ping floods B3r3n (Aug 18)
- RE: [UPDATE] ping floods r1an (Aug 18)
- re: [UPDATE] ping floods loper (Aug 18)
- RE: re: [UPDATE] ping floods MacDougall, Shane (Aug 18)