Full Disclosure mailing list archives

Re: DCOM WORM Killer 2.0


From: w g <xillwillx () yahoo com>
Date: Fri, 15 Aug 2003 18:49:05 -0700 (PDT)


http://illmob.org/rpc/cleaners/dcom2.zip

Kills and removes the Blaster worm and the B and C variants of it. All in a pretty little package of 1.62 KB (gotta love assembly).

                      Coded in MASM by:
                             illwill                  
                     xillwillx () yahoo com      
                        www.illmob.org       


                      DCOM worm killer (W32.Blaster.Worm) 
 Aliases:  W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure],
           WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda],
           WORM_MSBLAST.B [Trend], Win32.Poza.C [CA], W32/Lovsan.worm.c [McAfee], Worm.Win32.Lovesan [KAV]
etc..... blablablabla keep changing it motherfuckers we'll still find yer ass   :)


 This program is a tool to remove the malicious worm(s)
 that spread through exploiting the DCOM RPC vulnerability using TCP port 135. 
 This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
 Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, 
 allowing an attacker to issue remote commands on the infected system.
 This tool was made to automate the process of removing the worm from memory and all files related to it.

-------------------------------------------------------------------------
 Directions:
 1. Execute the file called DCOM2.exe
       a. Deletes the registry values that have been added.
       b. Terminates the W32.Blaster.Worm, W32.Blaster.B.Worm, and W32.Blaster.C.Worm viral processes. 
       c. Deletes the W32.Blaster.Worm, W32.Blaster.B.Worm and W32.Blaster.C.Worm files. 
       d. Deletes the dropped files. 

-------------------------------------------------------------------------
Tech Info:
Startup registry keys-
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "windows auto update"="msblast.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "windows auto update"="penis32.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "Microsoft Inet Xp.."="teekids.exe"

Dropped files-
 Windows system directory (c:\windows\system32 c:\winnt\system32)
 'msblast.exe'  'penis32.exe'  'teekids.exe' 'root32.exe' 'index.exe'

Source:
http://illmob.org/sources/DCOM2.html
http://illmob.org/sources/DCOM2.asm



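The post above lists the concrete indicators the DCOM2 tool acts on: the Run-key values, the dropped file names in the system directory, and the cmd.exe shell listening on TCP 4444. The script below is an added example, not illwill's code and not part of the DCOM2 package: a read-only PowerShell audit that checks a host for exactly those indicators and reports what it finds, without deleting or killing anything. It assumes it is run with administrator rights on the host being checked, that the system directory is the one `[Environment]::SystemDirectory` reports, and that `Get-NetTCPConnection` is available (NetTCPIP module, Windows 8 / Server 2012 and later); the indicator lists are taken verbatim from the post and nothing else is inferred.

```powershell
# Added example (not from the original post or the DCOM2 tool): read-only audit for
# the Blaster/Lovsan indicators listed in the message above.
# Assumptions: run as Administrator; indicator values are exactly those in the post.

$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Startup value names and the image names the post attributes to each variant.
$KnownRunValues = @{
    'windows auto update' = @('msblast.exe', 'penis32.exe')
    'Microsoft Inet Xp..' = @('teekids.exe')
}

# Dropped file names the post lists for the system directory.
$DroppedFiles = @('msblast.exe', 'penis32.exe', 'teekids.exe', 'root32.exe', 'index.exe')

# Port of the hidden cmd.exe remote shell described in the post.
$BackdoorPort = 4444

$findings = @()

# 1. Startup registry values under HKLM ...\Run
if (Test-Path -Path $RunKey) {
    $run = Get-ItemProperty -Path $RunKey
    foreach ($name in $KnownRunValues.Keys) {
        $prop = $run.PSObject.Properties[$name]
        if ($null -ne $prop) {
            $value = [string]$prop.Value
            # Compare on the file name only, in case the data carries a path prefix
            $leaf = Split-Path -Path $value -Leaf
            if ($KnownRunValues[$name] -contains $leaf) {
                $findings += "Run value '$name' = '$value'"
            }
        }
    }
}

# 2. Dropped files in the system directory (c:\windows\system32 or c:\winnt\system32)
$sysDir = [Environment]::SystemDirectory
foreach ($f in $DroppedFiles) {
    $path = Join-Path -Path $sysDir -ChildPath $f
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
    }
}

# 3. Running processes whose image name matches a dropped file
$procNames = foreach ($f in $DroppedFiles) { [IO.Path]::GetFileNameWithoutExtension($f) }
foreach ($proc in Get-Process) {
    if ($procNames -contains $proc.ProcessName) {
        $findings += "Process running: $($proc.ProcessName) (PID $($proc.Id))"
    }
}

# 4. Listener on the backdoor port; the owning PID points at the shell's parent
$listeners = Get-NetTCPConnection -State Listen -LocalPort $BackdoorPort -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $findings += "TCP $BackdoorPort listening, owning PID $($l.OwningProcess)"
}

# Report
$hostName = $env:COMPUTERNAME
if ($findings.Count -eq 0) {
    Write-Output "No Blaster indicators from the post found on $hostName"
} else {
    Write-Output "Indicators found on ${hostName}:"
    foreach ($item in $findings) { Write-Output "  $item" }
}
```

Each check corresponds to one of the tool's four steps in the Directions section (registry values, processes, worm files, dropped files), so a positive result tells you which of those steps a cleanup would need to perform. The audit reports only; the removal itself (deleting the Run values, terminating the processes, deleting the files) is what DCOM2.exe does. Note that removing the worm does not close the DCOM RPC hole on TCP port 135 that the post says it spreads through; a host cleaned but left unpatched can simply be reinfected.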