New Virus alert w32.blaster.worm http://isc.sans.org/diary.html?date=2003-08-11 Quote: -------------------------------------------------------------------------------- This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly. ********** NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. ********** Increase in port 135 activity: http://isc.sans.org/images/port135percent.png Latest update: The worm may launch a syn flood against windowsupdate.com on the 16th. (unconfirmed) The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only. The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed: MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes) So far we found the following properties: - Scans sequentially for machines with open port 135, starting at a presumably random IP address - uses multiple TFTP servers to pull the binary - adds a registry key to start itself after reboot Name of registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update' Strings of interest: msblast.exe I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!! windowsupdate.com start %s tftp -i %s GET %s %d.%d.%d.%d %i.%i.%i.%i BILLY windows auto update SOFTWARE\Microsoft\Windows\CurrentVersion\Run Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c known tftp servers for this worm: 204.210.57.87 217.211.179.193 24.147.64.171 24.147.64.205 24.147.64.208 24.147.65.146 24.147.65.45 24.147.65.9 61.254.65.159 67.119.36.219 68.112.65.38 68.166.102.136 68.166.107.21 68.166.111.175 68.166.120.34 68.166.121.135 68.166.123.4 68.166.124.186 68.166.124.93 68.166.139.155 68.166.139.210 68.166.141.66 68.166.142.194 68.166.142.215 68.166.36.178 68.166.56.123 68.166.60.51 68.166.98.3 -------------------------------------------------------------------------------- If you're getting the Windows Messenger popups and haven't got a firewall odds are this babies gonna infect YOU!!! If you've got a firewall and you're still getting the messages then configure it properly Get patching now boys... Full info along with patch details are here: http://www.microsoft.com/technet/tr...in/MS03-010.asp http://www.microsoft.com/technet/tr...in/MS03-026.asp The second link should fix this problem... I've made this a sticky for now guys, it'll manifest itself by the RPC service crashing constantly, you can use 'shutdown /a' to abort the shutdown, which should give you enough time to apply the patch.. Also delete any occurences of msblast.exe There's more here: https://tms.symantec.com/members/An...rt-DCOMworm.pdf
Blasters been out a fair while unless its a new variant of it... Natchi which was based blasters is a right bitch, we got well infected at work and its been a pain in the arse to get rid of download the MS updates to keep these little fucker out
