Full Disclosure mailing list archives
Re: Windows Dcom Worm Killer and source code
From: w g <xillwillx () yahoo com>
Date: Wed, 13 Aug 2003 19:46:09 -0700 (PDT)
source available here http://illmob.org/sources/DCOMkill.html
1.6 kb assembly program to kill and remove the dcom worm http://illmob.org/files/dcomkiller.zip

DETAILS:
DCOM worm killer (W32.Blaster.Worm)
Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
Coded in MASM by: illwill  xillwillx () yahoo com  www.illmob.org  8/13/2003

This program is a tool to remove the malicious worm that spreads through exploiting the DCOM RPC vulnerability using TCP port 135. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it. Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system. This tool was made to automate the process of removing the worm from memory and all files related to it.

-------------------------------------------------------------------------
Directions:
1. Execute the file called DCOMKill.exe. This will automatically kill the worm's process running in memory and remove the registry startup method, and then it will erase any files left by the worm.
2. All done :) ... next step

W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. Also buy an antivirus and keep it updated weekly. Also I'd suggest getting a firewall to protect from any outside intruders.

-------------------------------------------------------------------------
Tech Info:
Startup registry key-
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "windows auto update"="msblast.exe"
Dropped files-
  Windows system directory (c:\windows\system32, c:\winnt\system32)
  msblast.exe

Note: if you are running Windows XP, it is recommended that you temporarily turn off System Restore. Windows XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Source: available upon request.
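Added example, not illwill's DCOMkill.exe and not code from this post: a PowerShell clean-up that follows the same three steps the post describes (kill the process, remove the Run-key entry, delete the dropped file), using only the registry value and file name given in Tech Info. It assumes an elevated session on a modern PowerShell; run it with -WhatIf first to see what it would change.

```powershell
# Hypothetical clean-up script (added example); mirrors the three steps from the post.
# Supports -WhatIf / -Confirm so an analyst can preview before touching the host.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'windows auto update'                     # persistence value named in the post
$FileName  = 'msblast.exe'                             # dropped file named in the post
$SystemDir = [Environment]::GetFolderPath('System')    # resolves to %WinDir%\system32

# Step 1: the worm's process in memory
foreach ($p in (Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess("PID $($p.Id) ($($p.Path))", 'Stop process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# Step 2: the startup registry value
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$ValueName]) {
    Write-Warning "Run value '$ValueName' = '$($run.$ValueName)'"
    if ($PSCmdlet.ShouldProcess("$RunKey\$ValueName", 'Remove registry value')) {
        Remove-ItemProperty -Path $RunKey -Name $ValueName
    }
}

# Step 3: the dropped file (hash it first so a sample reference survives the deletion)
$path = Join-Path $SystemDir $FileName
if (Test-Path $path) {
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    Write-Warning "Found $path (SHA256 $hash)"
    if ($PSCmdlet.ShouldProcess($path, 'Delete file')) {
        Remove-Item -Path $path -Force
    }
}
```

Cleaning the host does not close the hole; the MS03-026 patch the post points to is still the actual fix.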