
Thread: RPC/DCOM/mblast.exe thread discussions/notices

  1. #81
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744


    Just found this update from sophos ...


    W32/Blaster-E is functionally equivalent to W32/Blaster-A, except for the following changes:




    The registry entry used has been changed to
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Automation

    The target for the Distributed Denial-of-Service attack has been changed to kimble.org

    The internal message has been changed to
    "I dedicate this particular strain to me ANG3L -
    hope yer enjoying yerself and dont forget the
    promise for me B/DAY !!!!."
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #82
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    With Activity in the media.. you would think many of the dumb asses would have at least heard of the MSblaster/lovsan worm.. but nooooo..

    had five systems today infected with each of the RPC-DCOM worms today..
    and ALL of them are with the ISP I mentioned above.. dunno if I should also send a bill for frigging around to the ISP for their stupidity..

    think I will check out Bundy or J.D,,

    And wash my mind of the stupids..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #83
    Senior Member
    Join Date
    May 2002
    Posts
    450
    Seems the FBI have their sights set on an 18 year old as one of the authors of MSblaster .... news is currently being carried on most the major news websites ....

    U.S. cyber investigators have identified a teenager as one author of a damaging virus-like infection unleashed weeks ago on the Internet and plan to arrest him early Friday, a U.S. official confirmed.

    The 18-year-old was accused of writing a version of the damaging "Blaster" computer infection that spread quickly across the Internet, the official said, speaking on condition of anonymity. The official asked that further identifying information about the teenager not be disclosed until the arrest. " --- snippet from CNN.com
    Wouldn't like to be in his shoes .... no doubt the spooks have tabs on him right now watching him squirm as this news breaks.

    Oh how the worm turns .... sorry couldn't help myself on that one !!

  4. #84
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    link please

    ta .... either too busy or I am too lazy.. (me thinks it is the latter)

    cheers

    Sry for being rude
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #85
    Senior Member
    Join Date
    May 2002
    Posts
    450
    Sorry about the lack of links - CNN and Foxnews are carrying the story on links off their front pages at this time .... but anyway here you go.

    http://www.foxnews.com/story/0,2933,95978,00.html
    http://www.cnn.com/2003/TECH/interne....ap/index.html

    .... even believe the Sydney Morning Herald site is carrying the story.

  6. #86
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Reply from ISP..

    The ports were unblocked due to an internal decision
    I will word my reply when sober

    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  7. #87
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    How is everyone else going here..

    Seems the infection rate is on the upper here.. 3 repairs here today.. all MSblaster.. one machine infected within 5 mins of signup with isp.. customer was not impressed.. I was less impressed when the ISP claimed the fault was the modem..
    nothing worse than when the tech support is "Battery Hens"..

    oh and five other enquiries.. also appear the RPC-DCOM worms related..

    give me a bigger gun..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #88
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Originally posted here by Und3ertak3r
    How is everyone else going here..

    Seems the infection rate is on the upper here.. 3 repairs here today.. all MSblaster.. one machine infected within 5 mins of signup with isp.. customer was not impressed.. I was less impressed when the ISP claimed the fault was the modem..
    nothing worse than when the tech support is "Battery Hens"..

    oh and five other enquiries.. also appear the RPC-DCOM worms related..
    Attempted infections declining here - from 16 pages of attempts down to 9 pages now.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  9. #89
    Senior Member
    Join Date
    May 2003
    Posts
    472
    a new worm exploiting RPC/DCOM has appeared...

    NAME: Raleka
    ALIAS: Worm.Win32.Raleka, W32/Raleka, W32/Raleka.worm, WORM_RALEKA

    VARIANT: Raleka.A


    This worm is probably of Spanish origin given the text strings it contains. It is UPX packed and has length of 14KB (14880 bytes).

    The worm will attempt to download additional components from a fixed URL in its code. If the download fails, the worm will sleep for 5 minutes before attempting to download it again.

    The downloaded files are placed in the Windows 'System32' folder, and are named:


    ntrootkit.exe
    ntrootkit.reg

    Those files are a part of a backdoor detected as Backdoor.RtKit.11.a by FSAV.

    It will scan random ranges of IP addresses attempting to exploit the aforementioned vulnerability.

    It has an IRC backdoor component, which will connect to a server from an internal list and then join a channel from which to receive further instructions. One of the instructions which can be given to the worm is to download and execute the Microsoft patch (only the Spanish version) of the RPC vulnerability.


    VARIANT: Raleka.B
    ALIAS: W32/Raleka-B, WORM_RALEKA.B, W32/Raleka.worm


    A new variant of Raleka worm known as Raleka.B was found. F-Secure Anti-Virus detects it as Worm.Win32.Raleka.b.

    Link Here : http://www.f-secure.com/v-descs/raleka.shtml
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
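
Added example, not part of any post in this thread: a defender-side check for the two host indicators quoted above (the Blaster-E Run value from post #81 and the Raleka file names from post #89), run over a regedit text export and a file listing. The sample export, the `placeholder.exe` data, the file paths and the function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators as quoted in the posts above (regedit exports spell out HKLM).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
BLASTER_E_VALUE = "Windows Automation"
RALEKA_FILES = {"ntrootkit.exe", "ntrootkit.reg"}

# Constructed sample input: a regedit text export and a file listing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Windows Automation"="placeholder.exe"

[HKEY_CURRENT_USER\Software\Example]
"Windows Automation"="unrelated"
'''
SAMPLE_FILES = [r"C:\WINDOWS\system32\ntrootkit.exe",
                r"C:\WINDOWS\system32\NTROOTKIT.REG", r"C:\Temp\notes.txt"]

def run_values(reg_export):
    """Return {value name: raw data} for the HKLM Run key only."""
    values, in_run_key = {}, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
        elif in_run_key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                values[m.group(1)] = m.group(2)
    return values

def check_host(reg_export, file_paths):
    """List findings; registry and file names compare case-insensitively."""
    findings = []
    for name, data in run_values(reg_export).items():
        if name.lower() == BLASTER_E_VALUE.lower():
            findings.append(f"W32/Blaster-E Run value: {name}={data}")
    for p in file_paths:
        path = PureWindowsPath(p)
        if path.name.lower() in RALEKA_FILES and path.parent.name.lower() == "system32":
            findings.append(f"Raleka dropped file: {p}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_host(SAMPLE_REG, SAMPLE_FILES)))
```

The value name is matched only under the HKLM Run key, so the same name under another key in the export is ignored.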
