Full Disclosure mailing list archives
RE: dobble-clicking msblast.exe
From: "Christopher Lyon" <cslyon () netsvcs com>
Date: Wed, 13 Aug 2003 13:08:21 -0700
Martin,

The way I infected a machine was I copied it to the %systemroot%\system32 then ran it. It won't do anything but give it a little time, you will know you are infected then the reg entry shows it. From there it goes out and tries to spread.
-----Original Message-----
From: gml [mailto:gml () phrick net]
Sent: Wednesday, August 13, 2003 11:32 AM
To: nick () virus-l demon co uk; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] dobble-clicking msblast.exe

I would think it would try to copy itself to %systemroot%\system32, find that it doesn't have access to overwrite msblast.exe and then just keep executing, but then again.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Nick FitzGerald
Sent: Tuesday, August 12, 2003 11:20 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] dobble-clicking msblast.exe

martin f krafft <madduck () madduck net> wrote:

> Does anyone know what happens if you run msblast.exe on an uninfected system?

It becomes infected and infective. There is nothing especially magical about the features of the worm program -- run it and it starts trying to spread (or to DoS windowsupdate.com depending on the date). Its function is certainly not affected by the way it gets onto a machine or whether it is launched by the exploit code or not (well, it may depend on some elevated privileges such as those it gets as local system from the RPC exploit code running, as it does, as part of a system service).

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html