Port 135 RPC/DCOM Worm

Dustin Decker dustind at moon-lite.com
Mon Aug 11 23:37:00 CDT 2003 

On Mon, 11 Aug 2003, Kurt wrote:

> Could it be this? its _JUST_ out.
> http://www.f-secure.com/v-descs/msblast.shtml

Yes indeed.  I caught this at the border this morning with Norton 
Anti-Virus.  Mind you, I didn't yet have a signature for it - Bloodhound 
saw it and thought it looked "suspicious" so it scraped the executable off 
and left behind the registry information in a .txt file.  I didn't know 
what to make of it right away.  (Shameless plug for NAV by the way - I'm 
5+ years without a virus problem at the moment.)

Take a stroll over to:
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
(this information will be updated throughout the next few days so refresh 
to your liking.)

Symantec (and others) have been eating this thing all day, with varied 
reports.  Incidents.org has a brief blurb, as does slashdot.org.  The real 
question is whether or not the list of IP addresses from which this thing 
TFTP's itself is static or not.

The ultimate target appears to be windowsupdate.com provided your data is 
later than August 16th and earlier than December 31st.  Kinda makes me 
wonder what the purpose of the DoS condition against M$ is intended to be.  
It's either bragging rights (and much scorn when it doesn't effect them 
well enough) or an attempt to slow down patch availabilities while yet 
_another_ worm is in the works.  

/me shrugs.  The payload doesn't look all that elegant at first glance.  
Then again, that might be what is intended by the juvenile comments.  I 
could spend weeks considering the psychological profile worm authors and 
still never know what their motives _really_ are.

D.

-- 
o-----------------------------------o
| Dustin Decker - CNA, MCP          |
| dustin at dustindecker.com       o-----------------------------------------o
| Network Engineer              |  A white mountain, covered in snow      |
| Preferred Physicians Group    |  is beautiful.  When the snow melts     |
o-------------------------------|  away and reveals the green underneath, |
                                |  the mountain is again beautiful.  With |
                                |  every loss comes gain, and with every  |
				|  gain comes loss.                       |
                                o-----------------------------------------o

More information about the Kclug mailing list