Full Disclosure mailing list archives
Re: Windows RPC/DCOM - MSBlast Worm
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 11 Aug 2003 22:33:57 -0500
--On Monday, August 11, 2003 15:42:36 -0400 Craig Baltes <craig () lurhq com> wrote:
> Here's more on the new Windows RPC/DCOM worm. This one seems pretty
> simple so far. It does most of what you may have seen on isc.sans.org:
>
> - exploits via port 135/RPC.
> - downloads binary (msblast.exe) via tftp.
> - adds a registry key to re-start after reboot
>
> AND:
>
> - On the 16th, syn-floods (with spoofed sources) windowsupdate.com.

From the looks of it, the worm shouldn't have much problem doing that. So far I'm seeing hits from the following ISPs worldwide:

verizon.net
genuity.net
shawcable.com
attbi.com
insightbb.com
socal.rr.com
adephia.net
mindspring.com
charterwv.net
blueyonder.co.uk
retevision.es
pacbell.net
sympatico.ca
everett.wa.da.uu.net
austin.rr.com
nc.rr.com
rochester.rr.com
coastalnow.net
videotron.ca
radiant.net
chartermi.net
satx.rr.com
Dallas1.level3.net
Philadelphia.level3.net
comcast.net
fredericksburg2.va.da.uu.net
holman.wa.da.uu.net
seymour.in.da.uu.net
nj.comcast.net
mi.comcast.net
ameritech.net
pa.comcast.net
cox.net
airstreamcomm.net
forward012.net.il
numericable.fr
wanadoo.fr
aol.com
telesp.net.br
gvt.net.br
bigpond.net.au
optusnet.com.au
netvigator.com
mn.frontier.net
dial.up.net
corecomm.net
ma.cable.rcn.com
rasserver.net
seed.net.tw
hansenet.de
chello.nl
telia.com
qualitynet.net
dip.t-dialin.net
tpnet.pl
telia.com

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
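Added example, not part of the original posts: one way a defender could look for the first two behaviours in the quoted list (contact on port 135, then a tftp download) in flow logs, by pairing a connection to tcp/135 with a tftp request from the contacted host back to the same peer. The log format, the addresses, the 60-second window and the direction of the tftp request are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed flow records (not from the thread), oldest first:
# ISO time, protocol, source IP, destination IP, destination port
SAMPLE_FLOWS = """\
2003-08-11T19:40:01 tcp 198.51.100.7 10.0.0.21 135
2003-08-11T19:40:04 udp 10.0.0.21 198.51.100.7 69
2003-08-11T19:41:10 tcp 198.51.100.7 10.0.0.22 135
2003-08-11T19:45:00 udp 10.0.0.23 192.0.2.50 69
2003-08-11T19:50:00 tcp 203.0.113.9 10.0.0.24 135
2003-08-11T19:58:30 udp 10.0.0.24 203.0.113.9 69
"""


def parse(line):
    """Split one flow record into typed fields."""
    ts, proto, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, int(dport)


def find_candidates(text, window_seconds=60):
    """Return (host, peer, seconds) for each host that was contacted on
    tcp/135 and then sent a tftp request (udp/69) to that same peer
    within window_seconds. Assumes records are in time order."""
    window = timedelta(seconds=window_seconds)
    last_rpc = {}  # (host, peer) -> time of most recent tcp/135 contact
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport = parse(line)
        if proto == "tcp" and dport == 135:
            last_rpc[(dst, src)] = ts
        elif proto == "udp" and dport == 69:
            seen = last_rpc.get((src, dst))
            # Only flag tftp that follows the RPC contact closely; tftp
            # to an unrelated peer, or long afterwards, is ignored.
            if seen is not None and timedelta(0) <= ts - seen <= window:
                hits.append((src, dst, int((ts - seen).total_seconds())))
    return hits


if __name__ == "__main__":
    for host, peer, delay in find_candidates(SAMPLE_FLOWS):
        print(f"{host}: tftp to {peer} {delay}s after tcp/135 contact")
```

Hosts flagged this way are candidates for a check of the registry run key and for the presence of msblast.exe, the other artefacts named in the quoted message.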