Announcement

**KeLviN** · August 11, 2003, 13:22

thanx for the update.

**Gadsden** · August 11, 2003, 14:01

I have a copy of it I captured if anyone wants the exe to take the hex editor to. I am hesitant to post it because the thing is live and I am sure someone would shoot themselves in the foot with it. Anyone want/don't want me to post it? (If you do not have it already)

**Chris** · August 11, 2003, 15:00

Much as I would like to see the code (perhaps a PM with a link?) I am going to ask that you don't post it here. You are dead on, someone will screw up.

You could link to it somewhere from here...then at least I won't feel bad when ricky492842874 or *force* or <insertNickHere><insertStringOfNumbersHere> infects themselves.

**murakami** · August 11, 2003, 15:37

Yep, the IT news rags have reported a couple of universities have been hit. One of the admins interviewed said it would take a couple hours to manually disinfect each infected machine.

Betcha its Skynet ;)

**rusty** · August 11, 2003, 16:49

how to fix a infected machine

So how do you fix an infected machine?

1) Delete msblast.exe (usually found at: winnt\system32\msblast.exe)
2) delete the Registry key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows \Cur rentVersion\Run\windows auto update" . That key should contain the "msblast.exe" process, and is what starts it up again on reboot.
3) Patch DCOM for your OS or you'll just get it again. Rumor has it that the patch won't install onto machines with earlier service packs so if you have problems update your service pack first.
(the hotfix is not included with sp4 either)

Patch for all OS's here http://www.microsoft.com/security/se...s/ms03-026.asp

We had weeks of warning on this one, ever since the lsd-pl advisory about the dcom hole that this particular worm exploits.

Another interesting note is that dept of homeland security is calling for rpc / docm to be blocked at a firewall level across all US isp's.

Let's just hope we don't see an outlook e-mail version of this exploit. Something that uses an outlook hole to execute and take down networks from the inside. That could get REALLY messy.

patch your boxes.

-Rusty

**blackwave** · August 11, 2003, 18:48

Originally posted by Chris
Much as I would like to see the code (perhaps a PM with a link?)

I'd like a copy as well :) Thanks.

**baysick2k** · August 12, 2003, 06:43

new rcp worm

if you could please pm me w/ a link I would like to shoot my foot

**Gadsden** · August 12, 2003, 08:33

Originally posted by Chris
Much as I would like to see the code (perhaps a PM with a link?) I am going to ask that you don't post it here. You are dead on, someone will screw up.

You could link to it somewhere from here...then at least I won't feel bad when ricky492842874 or *force* or <insertNickHere><insertStringOfNumbersHere> infects themselves.

No problem.
Those that want it (if you have not already found it, it seems to be everywhere now) I will post it when I get home tonight, I am trapped at work.
PM me if ya want it.

**guano** · August 12, 2003, 10:19

Re: how to fix a infected machine

Originally posted by rusty
[B]So how do you fix an infected machine?

...
3) Patch DCOM for your OS or you'll just get it again. \[/B.

I have a firewall, I'm not infected, and 135 is closed. But, I thought "let's update just in case".

SP4 just hosed my Win2K system. I'm restoring from last night's backup (yes, I always backup before patching -- my only saving grace).

Which is worse? The virus or the patch?

**audit** · August 12, 2003, 11:02

Can we just castrate the people that caused this worm? While I'm at it, I'd like to castrate my boss as I've had to clean up over 60 systems that this has infected due to his lack of blocking NetBios traffic at the firewalls, after looking at the rules on them, the clients might has well saved their $$ because the fw's were'nt really doing shit for them, thank god they are all running the same thing and I was able to just upload my config file from the clients fw's that I'm in charge of to keep this from happening again.

audit

**Chris** · August 12, 2003, 11:28

Re: Re: how to fix a infected machine

Originally posted by guano
I have a firewall, I'm not infected, and 135 is closed. But, I thought "let's update just in case".

SP4 just hosed my Win2K system. I'm restoring from last night's backup (yes, I always backup before patching -- my only saving grace).

Which is worse? The virus or the patch?

You should also close (filter) 139 and 445. I would also block outbound 4444 just to be on the safe side.

**ch0l0man** · August 12, 2003, 11:31

damn shit got me last night kept causing an error in svchost, it has been happening for a few days already but i just figured it was time to reinstall windows again.
after getting hit hard last night and researching it i got it fixed.
forgot that turning my router off while i was in defcon reset it so after reconfiguring it i had no more problems.
msblast.exe didnt show up in the processes until after installing sp4 and the patch.

*sits back and waits for the lamer comments which i totally deserve for letting this worm get me*

MVA Offices Closed Due To Computer Virus

**baysick2k** · August 12, 2003, 13:41

Port blocks

You may also want to disable udp 69 (TFTP)...Im not sure which one but some varients of dcom.exe may start tftp services, the worm may do it aswell not sure...(waiting on che's copy)

BTW...this may or may not be related, I saw some funky stuff in some IDS logs....TFPT sending out broadcasts???....wtf

Im thinking a rooted box may be running snoop and the attacker is looking for TFTP responses so he knows what boxes he can upload to? am I on to anything?

**Grifter** · August 12, 2003, 13:53

This worm lacks wang.

Announcement

MS Worm Alert!

MS Worm Alert!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment