This worm lacks wang.
MS Worm Alert!
-
We got hit pretty hard here at work.
Looks like the machines that are affected are ones that hadn't been updated with the critical patches in a while on 2k & XP.
This thing is just a pain. Nothing bad like the I LOVE YOU virus that went around in 2000.
MS: Security through Obscurity
--S--Shatter
"People demand freedom of speech to make up for the freedom of thought which they avoid."
- Soren Aabye Kierkegaard (1813-1855)
-
an analysis
The following is a print out of all strings from the binary:
bash-2.05b$ strings -8 /tmp/msblast.exec
!This program cannot be run in DOS mode.
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your
software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ioctlsocket
inet_addr
inet_ntoa
recvfrom
setsockopt
gethostbyname
gethostname
closesocket
WSAStartup
WSACleanup
getpeername
getsockname
WSASocketA
InternetGetConnectedState
ExitProcess
ExitThread
GetCommandLineA
GetDateFormatA
GetLastError
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetTickCount
RtlUnwind
CreateMutexA
TerminateThread
CreateThread
RegCloseKey
RegCreateKeyExA
RegSetValueExA
__GetMainArgs
WS2_32.DLL
WININET.DLL
KERNEL32.DLL
ADVAPI32.DLL
CRTDLL.DLL
"so many books, so little time"
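The strings dump above already tells an analyst most of what the binary can do before it is ever executed: a Run subkey plus RegSetValueExA means persistence, "tftp -i %s GET %s" next to "start %s" means download-then-execute, the ws2_32 imports plus "%d.%d.%d.%d" mean it builds addresses and opens sockets itself. The script below is an added example, not code from the post or from the worm; it embeds a trimmed copy of that strings output as sample input and maps imports and literal strings to capabilities. The category names, patterns and verdict wording are this example's own heuristics, not an official taxonomy.

```python
"""Capability triage from a `strings` dump (added example, heuristic)."""
import re

# Trimmed copy of the `strings -8` output quoted in the post, used as sample input.
SAMPLE_STRINGS = """\
msblast.exe
I just want to say LOVE YOU SAN!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
windows auto update
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
ioctlsocket
inet_addr
recvfrom
setsockopt
gethostbyname
WSAStartup
WSASocketA
InternetGetConnectedState
CreateMutexA
CreateThread
RegCreateKeyExA
RegSetValueExA
WS2_32.DLL
WININET.DLL
KERNEL32.DLL
ADVAPI32.DLL
"""

# Imported API names grouped by the capability they suggest (assumed mapping).
IMPORT_CAPABILITIES = {
    "network": {"WSAStartup", "WSASocketA", "recvfrom", "setsockopt",
                "inet_addr", "gethostbyname", "ioctlsocket",
                "InternetGetConnectedState"},
    "registry_write": {"RegCreateKeyExA", "RegSetValueExA"},
    "mutex": {"CreateMutexA"},
    "threads": {"CreateThread"},
}

# Literal-string patterns that point at specific behaviour.
STRING_PATTERNS = {
    "autorun_key": re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE),
    "tftp_download": re.compile(r"\btftp\b.*\bGET\b", re.IGNORECASE),
    "shell_start": re.compile(r"^start\s+%s$", re.IGNORECASE),
    "ip_format": re.compile(r"^(%[di]\.){3}%[di]$"),
    "pe_file": re.compile(r"\.(exe|dll)$", re.IGNORECASE),
}
HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def triage(strings_text):
    """Return matched strings, inferred import capabilities and verdicts."""
    lines = [ln.strip() for ln in strings_text.splitlines() if ln.strip()]
    found = {name: [ln for ln in lines if pat.search(ln)]
             for name, pat in STRING_PATTERNS.items()}
    found = {k: v for k, v in found.items() if v}
    # Hostnames: dotted names that are not PE file names (msblast.exe, *.DLL).
    hosts = [ln for ln in lines
             if HOSTNAME.match(ln) and not STRING_PATTERNS["pe_file"].search(ln)]
    if hosts:
        found["hostname"] = hosts
    present = set(lines)
    caps = {cap: sorted(names & present)
            for cap, names in IMPORT_CAPABILITIES.items() if names & present}

    verdicts = []
    if "autorun_key" in found and "registry_write" in caps:
        # The hive (HKLM vs HKCU) is a handle argument to RegCreateKeyExA, not a
        # string, so a strings dump alone cannot say which hive is written.
        verdicts.append("persistence: writes an autostart value under "
                        "...\\CurrentVersion\\Run")
    if "tftp_download" in found and "shell_start" in found:
        verdicts.append("downloader: fetches a file with tftp, then runs it via 'start'")
    if "network" in caps and "ip_format" in found:
        verdicts.append("network: builds dotted-quad addresses and opens sockets "
                        "(scanning/spreading capable)")
    if "mutex" in caps:
        verdicts.append("mutex: single-instance guard (reinfection check)")
    for host in found.get("hostname", []):
        verdicts.append("references host: " + host)
    return {"strings": found, "imports": caps, "verdicts": verdicts}


if __name__ == "__main__":
    for verdict in triage(SAMPLE_STRINGS)["verdicts"]:
        print(verdict)
```

Run it against any `strings` output, not just this one; the persistence verdict fires only when both the Run subkey string and a registry-write import are present, because either alone is common in benign software.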
-
the only good worm is a gummy worm
Common Misconception:
"We blocked all of the ports on our firewall so there is no way the virus can get into our network."
Shutting off the ports that the virus uses to spread on the firewall isn't enough.
A single laptop user could take their laptop home and get infected, then bring their laptop to work, plug it into their docking station, and the next thing you know the network is infected from the inside.
Don't be lazy because you have a firewall... Apply the patch.
p.s. If anybody doesn't have a centralized way to patch their systems and is running into a lot of problems with this worm, I put together a few tools as well as a rough tutorial to make the job easier. Send me an e-mail or a private message. :)
-
Originally posted by Grifter
This worm lacks wang.
I agree 100%; and I figure it lacks wang on purpose. I think whoever wrote it wanted to give MS a backhand on the nutsack instead of causing major damage or making a political statement; otherwise it would just wipe the hard drive after a few hours of replication or aim a DDoS at a political target.
As big of a pain in the ass as it is, at least the worm has brought attention to lots of folks and forced them to patch a very nasty security hole.
Happiness is a belt-fed weapon.
-
Msblast?????
Well, I have it.
I don't execute files,
nor do I mess with trojans.
I don't know how I got it. Well,
I guess that doesn't matter; I figured out
how it boots and fixed that.
Also there is no legit info on this on Google.
What do you guys think?
And also,
I noticed in XP the startup methods are different.
I dislike XP.
In my system editor I get gibberish that I don't understand,
and my registry editor doesn't give me the
registry keys that the friggin' file booted in.
I found it in the configurator under HKLM something or other.
Can someone give me some solid tips on startup methods?
listen to my music
-
I had it too; it infects you if your Windows is not up to date!
It uses a Windows flaw to access your computer somehow using RPC, which causes a system reboot, thus leading to an initiation of the msblast.exe file and thus completing the infection process!
I am on dial-up so I did a quick server hop, downloaded the updates, then dialed back in using my regular ISP, and now everything is OK!
:D