Full Disclosure mailing list archives

Re: Windows Dcom Worm Killer and source code

From: w g <xillwillx () yahoo com>
Date: Wed, 13 Aug 2003 19:46:09 -0700 (PDT)

source available here
http://illmob.org/sources/DCOMkill.html

1.6 kb assembly program to kill and remove the dcom worm

http://illmob.org/files/dcomkiller.zip

DETAILS:

DCOM worm killer (W32.Blaster.Worm)
Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
Coded in MASM by:
illwill
xillwillx () yahoo com
www.illmob.org

8/13/2003
This program is a tool to remove the malicious worm
th! at spreads through exploiting the DCOM RPC vulnerability using TCP port 135.
This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444,
allowing an attacker to issue remote commands on the infected system.
This tool was made to Automate the process of removing the worm from memory and all files related to it.
-------------------------------------------------------------------------
Directions:
1. Execute the file called DCOMKill.exe
This will automatically kill the worms process
running in memory and remove the registry startup method
and then it will erase any files left by the worm.

2. All done :) ... next step
W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026,
and a patch is available there. You must download and install the patch.Also buy an antivirus and keep it
updated weekly . Also I'd suggest getting a firewall to protect from any outside intruders.
-------------------------------------------------------------------------
Tech Info:
Startup registry key-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
Dropped files-
Windows system directory (c:\windows\system32 c:\winnt\system32)
msblast.exe
Note:
if you are running Windows XP, it is recommended that you temporarily turn off System Restore. Windows XP uses this
feature,
which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or
Trojan
infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Source:
available upon request.

---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software

---------------------------------
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.

Current thread:

Re: Windows Dcom Worm planned DDoS, (continued)
- - - Re: Windows Dcom Worm planned DDoS Valdis . Kletnieks (Aug 16)
  - Re: Windows Dcom Worm planned DDoS Sebastian Niehaus (Aug 12)
    - Re: Windows Dcom Worm planned DDoS martin f krafft (Aug 12)
    - Re: Re: Windows Dcom Worm planned DDoS Sebastian Niehaus (Aug 13)
    - Re: Windows Dcom Worm planned DDoS Reveret Julien (Aug 12)
    - Re: Windows Dcom Worm planned DDoS Nick FitzGerald (Aug 12)
- RE: Windows Dcom Worm planned DDoS Wcc (Aug 12)
  - Windows Dcom Worm Killer w g (Aug 13)
    - Re: Windows Dcom Worm Killer Joey (Aug 13)
    - Re: Windows Dcom Worm Killer Nick FitzGerald (Aug 13)
    - Re: Windows Dcom Worm Killer and source code w g (Aug 13)
- RE: Windows Dcom Worm planned DDoS VBuster (Aug 12)
  - RE: Windows Dcom Worm planned DDoS Chris Eagle (Aug 14)
    - DDos counter measures Laurent LEVIER (Aug 14)
    - Re: DDos counter measures Nick FitzGerald (Aug 14)
    - Re: DDos counter measures Gael Martinez (Aug 14)
    - Re: DDos counter measures Charles Ballowe (Aug 15)
    - Re: DDos counter measures B3r3n (Aug 15)
    - Re: DDos counter measures Vladimir Parkhaev (Aug 14)
    - Re: DDos counter measures Matthew Lange (Aug 15)
  - Message not available
    - Re: DDos counter measures B3r3n (Aug 15)