Full Disclosure mailing list archives
Re: possible MS03-026 worm?
From: tcpdumb <tcpdumb () pentiumbuster homelinux com>
Date: Sat, 2 Aug 2003 19:32:31 +0200
On Sat, 2 Aug 2003 11:58:00 -0500 "mobly99" <dhopper () ameritech net> wrote:
> Seems to be a possible worm based on the RPC/DCOM exploit making the rounds?
Definitely. Judging by the log files from our firewall at work, there must be something out there. Infected machines found at:

156.34.222.0/24
194.96.90.0/24
196.30.232.0/24
200.0.0.0/8
202.0.0.0/8

and so on. Their traffic is about 50-75% of a day's traffic. Fortunately without any damage to our systems.

The worm seems to check hosts with a funny rhythm within a subnet:

IP=123.123.123.1
$IP+5
$IP+1
$IP+4
$IP+2
$IP+3
$IP+3
$IP+2
$IP+4
$IP+1
$IP+5
...
...

Dunno why, but I found it out reading the 24h output of our firewall. The coder must be stupid/[totally stoned] or simply made a mistake coding the loops for scanning.

Strange thing,
Lukas
> puts these files in %systemdrive%
> rpc.exe
> rpctest.exe
> tftpd.exe
> worm.exe
> lolx.exe
> also in %windir%\system32
> lolx.exe
> dcomx.exe
> rpc.exe and dcomx.exe appear in the running tasks. I pulled samples of them and submitted to SARC.
> -Dave
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
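Lukas's observation above (one source working through a /24 on the RPC port in the order .1, then +5, +1, +4, +2, +3, +3, +2, +4, +1, +5) can be turned into a log check. The Python below is an added example, not code from this thread or from any poster: it parses constructed firewall deny lines in an assumed `src:port -> dst:port` format, groups attempts against TCP/135 (the RPC endpoint mapper port used by the MS03-026 exploit) by source, flags sources that touch several hosts in a single /24, and tests whether the order of the last octets follows the reported rhythm from any starting phase. The log format, the sample addresses and the threshold of six targets are assumptions for the example.

```python
"""Flag TCP/135 subnet sweeps in firewall deny logs and check whether the
target order follows the +5,+1,+4,+2,+3,+3,+2,+4,+1,+5 rhythm reported on
the list. Log format and sample data are constructed for this example."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Rhythm from the report: starting at .1, each probe adds the next increment.
RHYTHM = (5, 1, 4, 2, 3, 3, 2, 4, 1, 5)
RPC_PORTS = {135}          # RPC endpoint mapper, the MS03-026 vector
MIN_TARGETS = 6            # assumed threshold for calling it a sweep

# Constructed log lines (not real firewall output). 203.0.113.45 sweeps
# 10.0.0.0/24 in the reported order; the other sources are noise.
SAMPLE_LOG = """\
Aug 02 14:03:11 fw DENY TCP 203.0.113.45:1034 -> 10.0.0.1:135
Aug 02 14:03:11 fw DENY TCP 203.0.113.45:1035 -> 10.0.0.6:135
Aug 02 14:03:12 fw DENY TCP 203.0.113.45:1036 -> 10.0.0.7:135
Aug 02 14:03:12 fw DENY TCP 203.0.113.45:1037 -> 10.0.0.11:135
Aug 02 14:03:12 fw DENY TCP 203.0.113.45:1038 -> 10.0.0.13:135
Aug 02 14:03:13 fw DENY TCP 203.0.113.45:1039 -> 10.0.0.16:135
Aug 02 14:03:13 fw DENY TCP 203.0.113.45:1040 -> 10.0.0.19:135
Aug 02 14:03:13 fw DENY TCP 203.0.113.45:1041 -> 10.0.0.21:135
Aug 02 14:03:14 fw DENY TCP 203.0.113.45:1042 -> 10.0.0.25:135
Aug 02 14:03:14 fw DENY TCP 203.0.113.45:1043 -> 10.0.0.26:135
Aug 02 14:03:14 fw DENY TCP 203.0.113.45:1044 -> 10.0.0.31:135
Aug 02 14:03:15 fw DENY TCP 198.51.100.7:2201 -> 10.0.0.80:80
Aug 02 14:03:16 fw DENY TCP 198.51.100.7:2202 -> 10.0.0.80:443
Aug 02 14:03:17 fw DENY TCP 192.0.2.9:4444 -> 10.0.0.14:135
"""

# Assumed line layout: "<proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"(?P<proto>TCP|UDP) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse(log_text):
    """Yield (src, dst, dport) for every line the regex understands."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def sweeps(log_text, min_targets=MIN_TARGETS):
    """Map source -> ordered list of distinct RPC-port targets, keeping only
    sources that hit at least min_targets hosts all inside one /24."""
    targets = defaultdict(list)
    for src, dst, dport in parse(log_text):
        if dport in RPC_PORTS and dst not in targets[src]:
            targets[src].append(dst)
    result = {}
    for src, dsts in targets.items():
        nets = {ip_address(d).packed[:3] for d in dsts}   # first three octets
        if len(dsts) >= min_targets and len(nets) == 1:
            result[src] = dsts
    return result


def increments(dsts):
    """Differences between consecutive last octets of the target list."""
    octets = [int(d.rsplit(".", 1)[1]) for d in dsts]
    return [b - a for a, b in zip(octets, octets[1:])]


def follows_rhythm(deltas, rhythm=RHYTHM):
    """True if the deltas match the repeating rhythm from some phase."""
    if len(deltas) < 2:
        return False
    n = len(rhythm)
    return any(all(d == rhythm[(p + i) % n] for i, d in enumerate(deltas))
               for p in range(n))


def report(log_text):
    """Return {source: {"targets": n, "rhythm": bool}} per detected sweep."""
    return {src: {"targets": len(dsts),
                  "rhythm": follows_rhythm(increments(dsts))}
            for src, dsts in sweeps(log_text).items()}


if __name__ == "__main__":
    for src, info in report(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} TCP/135 targets in one /24, "
              f"rhythm match={info['rhythm']}")
```

The rhythm check is deliberately phase-independent: a capture that starts mid-cycle, or a scanner whose first probe the firewall did not log, still matches. A source that fails the rhythm test but passes the sweep threshold is still worth a look; the rhythm only tells you whether it is the same scanner Lukas saw.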
Current thread:
- possible MS03-026 worm? mobly99 (Aug 02)
- Re: possible MS03-026 worm? tcpdumb (Aug 02)
- Re: possible MS03-026 worm? CHeeKY (Aug 02)
- RE: possible MS03-026 worm? mobly99 (Aug 02)
- Re: possible MS03-026 worm? CHeeKY (Aug 02)
- <Possible follow-ups>
- RE: possible MS03-026 worm? mobly99 (Aug 02)
- RE: RE: possible MS03-026 worm? Justin Shin (Aug 02)
- Re: RE: possible MS03-026 worm? morning_wood (Aug 02)
- Re: RE: possible MS03-026 worm? CHeeKY (Aug 02)
- RE: possible MS03-026 worm? mobly99 (Aug 03)
- Re: possible MS03-026 worm? Georgi Guninski (Aug 03)
- Re: possible MS03-026 worm? tcpdumb (Aug 02)