Security Incidents mailing list archives
RE: Probable new MS DCOM RPC worm for Windows
From: Brian <bkporter () yahoo com>
Date: Thu, 25 Sep 2003 12:22:05 -0700 (PDT)
The increase in volume appears to coincide with flashky's (xfocus.org) 9/20 post "The Analysis of RPC Long Filename Heap Overflow AND a Way to Write Universal Heap Overflow of Windows". Coincidence? -----Original Message----- From: Williams Jon [mailto:WilliamsJonathan () JohnDeere com] Sent: Thursday, September 25, 2003 9:01 AM To: rnews () river com; full-disclosure () lists netsys com; incidents () securityfocus com Subject: RE: Probable new MS DCOM RPC worm for Windows Since I've been watching for a new worm that uses the MS03-039 vulnerability, when I saw this message, I went over to incidents.org to check out and see if they were seeing an increase, too. Lo and behold, their charts for both TCP 135 and TCP 80 show dramatic increases in traffic over the past few days. Port 135 is up from 377,000 targets on 9/20 to 1,900,000 targets on 9/23, and 80 is up from 880,000 records on 9/20 to 3,527,000 on 9/23. Despite this, I'm not seeing anything else on the lists about a new worm. Is anyone seeing anything new out there, or is this just a resurgence of Welchia? -----Original Message----- From: Richard Johnson [mailto:rnews () whirlpool river com] Sent: Wednesday, September 24, 2003 10:03 AM To: full-disclosure () lists netsys com; incidents () securityfocus com Subject: Re: Probable new MS DCOM RPC worm for Windows On Sat, 20 Sep 2003 14:41:39 -0600, Richard Johnson <rdump () river com> wrote:
We've noticed increased scan activity on port 135,
ramping up over the
past 20 hours. The scanning appears to concentrate on nearby
/16s... We finally had infections occur on Tuesday evening showing the same scan behavior. Sysadmins doing cleanup report Norton and McAfee IDed the bug as W32.Welchia. I don't know whether it was a variant using one of the two new RPC holes, or just month-old Welchia. That's because the hosts hit were traditional non-compliant lab machines and non-adminned remote office or home hosts. In other words, they were still vulnerable to the original blaster worm. The US Dept. of State's CLASS was hit by this one, and it looks like they shut down for a short while to contain it: http://www.azcentral.com/news/articles/0924ComputerVirus24-ON.html Richard -- To reply via email, make sure you don't enter the whirlpool on river left. My mailbox. My property. My personal space. My rules. Deal with it. http://www.river.com/users/share/cluetrain/ --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------- ===== </> Brian Porter </> PGP Public Key: </> 0xE172E7B0 --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: Probable new MS DCOM RPC worm for Windows Richard Johnson (Sep 24)
- <Possible follow-ups>
- RE: Probable new MS DCOM RPC worm for Windows Williams Jon (Sep 25)
- Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows Paul Farrow (Sep 25)
- Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows Jordan Wiens (Sep 25)
- Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows Paul Farrow (Sep 25)
- RE: Probable new MS DCOM RPC worm for Windows Schmehl, Paul L (Sep 25)
- RE: Probable new MS DCOM RPC worm for Windows Derek Vadala (Sep 25)
- RE: Probable new MS DCOM RPC worm for Windows Brian (Sep 25)
- RE: Probable new MS DCOM RPC worm for Windows Carey, Steve T GARRISON (Sep 25)
- RE: Probable new MS DCOM RPC worm for Windows Carey, Steve T GARRISON (Sep 26)
- RE: Probable new MS DCOM RPC worm for Windows James C. Slora, Jr. (Sep 26)
- RE: Probable new MS DCOM RPC worm for Windows Carey, Steve T GARRISON (Sep 28)