MS Worm Alert!

  • MS Worm Alert!

    Holy shit... here we go again... another worm is on the loose. I have already picked it off of a system in the wild, so it is on the loose. At least it did not hit during the con, or we would never hear the end of it. Now we get to hear about all the sheeple with port 135 open...

    Quick Details of the worm
    Happiness is a belt-fed weapon.

  • #2
    Thanks for the update.
    the fresh prince of 1337

    To learn how to hack; submit your request



    • #3
      I have a copy of it I captured if anyone wants the exe to take the hex editor to. I am hesitant to post it because the thing is live and I am sure someone would shoot themselves in the foot with it. Anyone want/don't want me to post it? (If you do not have it already)
      Happiness is a belt-fed weapon.



      • #4
        Much as I would like to see the code (perhaps a PM with a link?) I am going to ask that you don't post it here. You are dead on, someone will screw up.

        You could link to it somewhere from here...then at least I won't feel bad when ricky492842874 or *force* or <insertNickHere><insertStringOfNumbersHere> infects themselves.
        perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'



        • #5
          Yep, the IT news rags have reported a couple of universities have been hit. One of the admins interviewed said it would take a couple hours to manually disinfect each infected machine.

          Betcha it's Skynet ;)



          • #6
            How to fix an infected machine

            So how do you fix an infected machine?

            1) Delete msblast.exe (usually found at: winnt\system32\msblast.exe)
            2) Delete the Registry key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update". That key should contain the "msblast.exe" process, and is what starts it up again on reboot.
            3) Patch DCOM for your OS or you'll just get it again. Rumor has it that the patch won't install onto machines with earlier service packs, so if you have problems update your service pack first.
            (the hotfix is not included with SP4 either)

            Patch for all OS's here http://www.microsoft.com/security/se...s/ms03-026.asp

            We had weeks of warning on this one, ever since the lsd-pl advisory about the dcom hole that this particular worm exploits.

            Another interesting note is that the Dept. of Homeland Security is calling for RPC / DCOM to be blocked at the firewall level across all US ISPs.

            Let's just hope we don't see an outlook e-mail version of this exploit. Something that uses an outlook hole to execute and take down networks from the inside. That could get REALLY messy.

            patch your boxes.

            -Rusty

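The three-step cleanup in Rusty's post, as an added example script (not from the original thread and not the worm's or Microsoft's own tooling). It checks for the indicators the post names, the msblast.exe process and file and the "windows auto update" Run value, and removes them, then checks whether the MS03-026 hotfix is reported as installed. The file path, the Run value name and the KB number (823980, the bulletin's hotfix; verify against the bulletin) are this example's assumptions, and the script targets a modern PowerShell host rather than a 2003-era Win2K box. Run it elevated; `-WhatIf` reports without changing anything.

```powershell
# Added example: detect and remove the Blaster indicators listed in the thread.
# Assumptions: dropped file is %SystemRoot%\system32\msblast.exe, persistence is
# the "windows auto update" value under HKLM\...\Run, and the MS03-026 hotfix
# shows up in Get-HotFix as KB823980. None of this is the thread's own code.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'windows auto update'
$dropPath = Join-Path $env:SystemRoot 'system32\msblast.exe'
$found    = $false

# 1) Stop the running copy first so the file can be deleted and cannot re-arm.
foreach ($p in (Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)) {
    $found = $true
    Write-Warning "msblast.exe running as PID $($p.Id); terminating"
    if ($PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2) Remove only the one Run value; the Run key itself is shared with other software.
$val = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue
if ($val) {
    $found = $true
    Write-Warning "Run value '$valName' = '$($val.$valName)'"
    if ($PSCmdlet.ShouldProcess("$runKey\$valName", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name $valName
    }
}

# 3) Delete the dropped binary.
if (Test-Path -LiteralPath $dropPath) {
    $found = $true
    Write-Warning "found $dropPath ($((Get-Item -LiteralPath $dropPath).Length) bytes)"
    if ($PSCmdlet.ShouldProcess($dropPath, 'Remove-Item')) {
        Remove-Item -LiteralPath $dropPath -Force
    }
}

# 4) Without the DCOM patch the host is just reinfected, so report its absence.
$hotfix = Get-HotFix -Id 'KB823980' -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Warning 'MS03-026 (KB823980) not reported as installed; patch before reconnecting'
}

if (-not $found) { Write-Host 'no Blaster indicators found on this host' }
```

Get-HotFix only lists updates that register with Win32_QuickFixEngineering, so a missing entry is a prompt to check the bulletin's install instructions, not proof the patch is absent. Step order matters: deleting the file while the process still runs fails on a locked file, and deleting the Run value without the file still leaves the worm running until reboot.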


            • #7
              Originally posted by Chris
              Much as I would like to see the code (perhaps a PM with a link?)
              I'd like a copy as well :) Thanks.



              • #8
                New RPC worm

                If you could please PM me with a link, I would like to shoot my foot.



                • #9
                  Originally posted by Chris
                  Much as I would like to see the code (perhaps a PM with a link?) I am going to ask that you don't post it here. You are dead on, someone will screw up.

                  You could link to it somewhere from here...then at least I won't feel bad when ricky492842874 or *force* or <insertNickHere><insertStringOfNumbersHere> infects themselves.
                  No problem.
                  Those that want it (if you have not already found it, it seems to be everywhere now) I will post it when I get home tonight, I am trapped at work.
                  PM me if ya want it.
                  Happiness is a belt-fed weapon.



                  • #10
                    Re: How to fix an infected machine

                    Originally posted by rusty
                    So how do you fix an infected machine?

                    ...
                    3) Patch DCOM for your OS or you'll just get it again.
                    I have a firewall, I'm not infected, and 135 is closed. But, I thought "let's update just in case".

                    SP4 just hosed my Win2K system. I'm restoring from last night's backup (yes, I always backup before patching -- my only saving grace).

                    Which is worse? The virus or the patch?



                    • #11
                      Can we just castrate the people that caused this worm? While I'm at it, I'd like to castrate my boss, as I've had to clean up over 60 systems that this has infected due to his lack of blocking NetBIOS traffic at the firewalls. After looking at the rules on them, the clients might as well have saved their $$ because the FWs weren't really doing shit for them. Thank god they are all running the same thing and I was able to just upload my config file from the clients' FWs that I'm in charge of to keep this from happening again.

                      audit



                      • #12
                        Re: Re: How to fix an infected machine

                        Originally posted by guano
                        I have a firewall, I'm not infected, and 135 is closed. But, I thought "let's update just in case".

                        SP4 just hosed my Win2K system. I'm restoring from last night's backup (yes, I always backup before patching -- my only saving grace).

                        Which is worse? The virus or the patch?
                        You should also close (filter) 139 and 445. I would also block outbound 4444 just to be on the safe side.
                        perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'



                        • #13
                          Damn, shit got me last night. It kept causing an error in svchost; it had been happening for a few days already, but I just figured it was time to reinstall Windows again.
                          After getting hit hard last night and researching it, I got it fixed.
                          Forgot that turning my router off while I was at DEFCON reset it, so after reconfiguring it I had no more problems.
                          msblast.exe didn't show up in the processes until after installing SP4 and the patch.

                          *sits back and waits for the lamer comments which i totally deserve for letting this worm get me*

                          MVA Offices Closed Due To Computer Virus
                          Last edited by ch0l0man; August 12, 2003, 13:25.
                          "so many books, so little time"



                          • #14
                            Port blocks

                            You may also want to disable UDP 69 (TFTP)... I'm not sure which one, but some variants of dcom.exe may start TFTP services; the worm may do it as well, not sure... (waiting on che's copy)

                            BTW... this may or may not be related, but I saw some funky stuff in some IDS logs... TFTP sending out broadcasts??? ... wtf

                            I'm thinking a rooted box may be running snoop and the attacker is looking for TFTP responses so he knows what boxes he can upload to? Am I on to anything?

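The port filters suggested across Chris's post (#12: TCP 135, 139, 445 inbound, TCP 4444 outbound) and the one above (UDP 69), as an added example expressed as host firewall rules (not from the original thread; the thread's advice was for perimeter firewalls, and this example moves the same filters onto the host). It assumes a Windows host with the NetSecurity module (Windows 8 / Server 2012 or later, so not the Win2K boxes being discussed); the rule names and group label are this example's own. It also blocks TCP 4444 inbound as well as outbound, this example's own extension: the Blaster shell listens on 4444 on the exploited host, so the inbound rule covers the case the outbound one misses. Run elevated; `-WhatIf` lists the rules without creating them.

```powershell
# Added example: the thread's port blocks as Windows Firewall rules.
# Assumes the NetSecurity module (New-NetFirewallRule etc.); rule names and the
# group label are this example's own, not anything from the thread.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$group = 'Blaster containment (example)'

# One hashtable per rule: inbound rules match the local listening port,
# outbound rules match the remote destination port.
$rules = @(
    @{ Name = 'Block inbound RPC endpoint mapper (TCP 135)';  Dir = 'Inbound';  Proto = 'TCP'; Port = 135  }
    @{ Name = 'Block inbound NetBIOS session (TCP 139)';      Dir = 'Inbound';  Proto = 'TCP'; Port = 139  }
    @{ Name = 'Block inbound SMB over TCP (TCP 445)';         Dir = 'Inbound';  Proto = 'TCP'; Port = 445  }
    @{ Name = 'Block inbound Blaster shell (TCP 4444)';       Dir = 'Inbound';  Proto = 'TCP'; Port = 4444 }
    @{ Name = 'Block outbound Blaster shell (TCP 4444)';      Dir = 'Outbound'; Proto = 'TCP'; Port = 4444 }
    @{ Name = 'Block outbound TFTP (UDP 69)';                 Dir = 'Outbound'; Proto = 'UDP'; Port = 69   }
)

foreach ($r in $rules) {
    # Drop any earlier copy so re-running the script does not stack duplicates.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    if ($PSCmdlet.ShouldProcess($r.Name, 'New-NetFirewallRule')) {
        $params = @{
            DisplayName = $r.Name
            Group       = $group
            Direction   = $r.Dir
            Action      = 'Block'
            Protocol    = $r.Proto
            Profile     = 'Any'
            Enabled     = 'True'
        }
        if ($r.Dir -eq 'Inbound') { $params.LocalPort = $r.Port } else { $params.RemotePort = $r.Port }
        New-NetFirewallRule @params | Out-Null
    }
}

# Show what is now in place for this group.
Get-NetFirewallRule -Group $group | Format-Table DisplayName, Direction, Action -AutoSize
```

Blocking inbound 139 and 445 on a host also breaks file and printer sharing to that host, which is the trade-off the thread is implicitly making for workstations; on file servers the same filters belong on the perimeter, as the posts above say, with 135/139/445 permitted only from the internal networks that need them. The outbound UDP 69 rule stops an infected host from fetching the payload but does nothing for a host that is already carrying it, which is what the cleanup steps earlier in the thread are for.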


                            • #15
                              This worm lacks wang.
                              .: Grifter :.

