
Thread: RPC/DCOM/mblast.exe thread discussions/notices

  1. #61

    Blaster changing

    Hi, yesterday I was able to repair several infected computers; now I can't seem to get any fixed.
    The computers give an error message and freeze.
    Symantec repair stops at file "kelt b", then Windows wants to send an error message and shut down the repair program.
    tired of being called an ass

  2. #62
    The Doctor Und3ertak3r (Join Date: Apr 2002, Posts: 2,744)
    Blaster B & C have been identified.

    The Symantec Security Response site has the details. It looks like the Symantec removal tool info states removal of A & B.

    Oh, the link: http://securityresponse.symantec.com/

    With removal, I have a couple of the tools. If one doesn't work, I use the other.

    Funny thing, getting a lot of Win 9x machines: people spooked by the news. Spybot fixes these, lol.

    Noticed an increase in scans on the NetBIOS ports, 137 in particular, as well, almost matching the 135? Coincidence?


    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #63
    Here is another version of the DCOM shizzle that I could not find information for on any AV sites.
    http://www.securityfocus.com/archive...9/2003-08-15/0
    It looks like some sort of autorooter, but not like a worm.
    And it opens port 666, not 4444.

  4. #64
    Senior Member (Join Date: Sep 2001, Posts: 1,027)
    So, how much port 135 traffic is everyone seeing at their firewall?
    At work, in 24 hours (starting tuesday 11:00 (GMT-5)), we've had just about 23000 hits on a /26 ip block!

    Ammo
    Credit travels up, blame travels down -- The Boss

  5. #65
    Cerveza,

    Yeah, that is Kaht2, which is the autor00ter/scanner for the DCOM exploit. It's basically useless now for the script kiddies, thankfully, due to most ISPs intelligently blocking port 135.

    Kaht1 was an autor00ter for the WebDAV exploit.

  6. #66
    Senior Member (Join Date: Feb 2002, Posts: 262)
    I go to school this morning and over the intercom I hear "please don't go on the internet on any of the black computers (we just got about 100 of these new Dell comps with Win XP Pro on them), there is a virus on them". Well, pretty much all of our computers are the "black" ones, so yeah, I thought that was kinda funny.
    aislinn, Aria, BTBAM, chevelle, codeseven, Cky, dredg, evergreen terrace, from autumn to ashes,hopesfall, hxc, luti-kriss, nirvana, norma jean, shai hulud, this hero dies, tool, underoath, zao,

  7. #67
    Junior Member (Join Date: Jul 2003, Posts: 6)
    This sorta has to do with this virus... I wasn't sure what to do about the virus, so I disabled the RPC in services. Now I can't get into properties to re-enable the RPC. Then whenever I try to install the patch to get rid of the worm, it says I need the cryptography working, and I can't figure out what that is. So... if you have any advice, it's greatly needed. Thank you.

    Jaimie

  8. #68
    Banned (Join Date: Apr 2003, Posts: 3,839)
    You can enable RPC by using the sp_serveroption system stored procedure. To enable RPC from the ProductSQL server, you can use the following:

    USE master
    EXEC sp_serveroption 'ProductSQL', 'rpc', 'true'

    To enable RPC to the ProductSQL server, you can use the following:

    USE master
    EXEC sp_serveroption 'ProductSQL', 'rpc out', 'true'

    Go to the following site and download the removal tool for the worm.
    http://www.sarc.com/avcenter/venc/da...ster.worm.html
    After you remove it, reboot and then click on start/run and type in sfc /scannow.
    This will repair all of the original files and you will be back in order.
    I had to do it tonight myself, and it fixed everything.
    http://www.computing.net/windowsxp/w...rum/73906.html

  9. #69
    Master-Jedi-Pimps0r & Moderator thehorse13 (Join Date: Dec 2002, Location: Washington D.C. area, Posts: 2,885)
    I'm not sure if anyone has run across this yet but even if they have, I think it is worth repeating:

    * If you apply SP4 or any other SP to a box, you must re-install the RPC patch afterwards and then reboot even though the damn thing doesn't tell you to do so (the RPC patch that is).

    What we have seen is people trying to be diligent by applying service packs and afterwards, they have shown up as vulnerable again. Yes, we reported this to MS but have heard nothing back yet.

    Anyway, just an FYI for those who are in the trenches trying to remediate this garbage.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #70
    Originally posted here by ammo
    So, how much port 135 traffic is everyone seeing at their firewall?
    At work, in 24 hours (starting tuesday 11:00 (GMT-5)), we've had just about 23000 hits on a /26 ip block!

    Ammo

    Most certainly an increase on my end here. I'd say that I'm averaging about 8 attempts to connect on port 135 every 3/4 minutes (all blocked of course).

    That's a pretty good number of hits there, Ammo!


    What we have seen is people trying to be diligent by applying service packs and afterwards, they have shown up as vulnerable again.
    I guess better late than never, right? Seriously though, just another example of the need to patch...

    That's good info to know, thehorse13 - I appreciate it....
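
Added example (not posted by anyone in this thread): a small tally of firewall hits on the ports mentioned above (135, 137, 4444, 666) aimed at a /26, which also flags sources sweeping several addresses on port 135. The log format, the addresses, the `summarize` function and the sweep threshold are assumptions constructed for the illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample firewall log (format and addresses are made up for this example).
SAMPLE_LOG = """\
2003-08-12T11:00:05 DROP TCP 198.51.100.7:3312 -> 192.0.2.10:135
2003-08-12T11:00:06 DROP TCP 198.51.100.7:3313 -> 192.0.2.11:135
2003-08-12T11:00:07 DROP TCP 198.51.100.7:3314 -> 192.0.2.12:135
2003-08-12T11:02:40 DROP UDP 203.0.113.9:1027 -> 192.0.2.10:137
2003-08-12T11:30:12 DROP TCP 203.0.113.44:4120 -> 192.0.2.10:135
2003-08-12T12:15:00 DROP TCP 198.51.100.7:3390 -> 192.0.2.13:135
2003-08-12T12:16:30 ACCEPT TCP 203.0.113.80:5000 -> 192.0.2.20:80
2003-08-12T12:20:00 DROP TCP 203.0.113.9:2001 -> 192.0.2.70:135
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(\S+) (\w+) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
WATCHED_PORTS = {135, 137, 4444, 666}   # ports mentioned in the thread


def summarize(log_text, block="192.0.2.0/26", sweep_threshold=3):
    """Tally hits on watched ports aimed at `block`; flag sweeping sources."""
    net = ipaddress.ip_network(block)
    per_port = Counter()
    per_hour_135 = Counter()
    targets = defaultdict(set)          # source -> distinct port-135 targets
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # skip lines that do not parse
        ts, _action, _proto, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        if dport not in WATCHED_PORTS or ipaddress.ip_address(dst) not in net:
            continue                    # other ports, or outside the block
        per_port[dport] += 1
        if dport == 135:
            hour = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
            per_hour_135[hour] += 1
            targets[src].add(dst)
    sweepers = sorted(s for s, d in targets.items() if len(d) >= sweep_threshold)
    return {"per_port": dict(per_port), "per_hour_135": dict(per_hour_135),
            "sweepers": sweepers}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Counting distinct destinations per source separates a single stray connection from a host walking the address block, which is the pattern a scanning worm or autorooter produces.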
