Full Disclosure mailing list archives
RE: dobble-clicking msblast.exe
From: "Dowling, Gabrielle" <dowlingg () sullcrom com>
Date: Wed, 13 Aug 2003 01:27:29 -0400
Nick....

There is nothing magical except for the ubiquitous port it traverses on and the fact that it seems to be managing to crash RPC on servers regardless of privilege and on patched systems once it gets onto a network....

If you recall, there was a second RPC vuln described around the time that MS03-26 came out, and for which MS has not issued a patch. It seems this worm uses it, that was what all the svchost stuff was about (i.e., those machines weren't infected, they were rather negatively affected).

G

-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Sent: Tuesday, August 12, 2003 11:20 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] dobble-clicking msblast.exe

martin f krafft <madduck () madduck net> wrote:
Does anyone know what happens if you run msblast.exe on an uninfected system?
It becomes infected and infective. There is nothing especially magical about the features of the worm program -- run it and it starts trying to spread (or to DoS windowsupdate.com depending on the date). Its function is certainly not affected by the way it gets onto a machine or whether it is launched by the exploit code or not (well, it may depend on some elevated privileges such as those it gets as local system from the RPC exploit code running, as it does, as part of a system service).

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- dobble-clicking msblast.exe martin f krafft (Aug 12)
- Re: dobble-clicking msblast.exe Nick FitzGerald (Aug 12)
- RE: dobble-clicking msblast.exe gml (Aug 13)
- <Possible follow-ups>
- RE: dobble-clicking msblast.exe Dowling, Gabrielle (Aug 12)
- RE: dobble-clicking msblast.exe Christopher Lyon (Aug 13)
- Re: dobble-clicking msblast.exe Nick FitzGerald (Aug 12)