Page 2 of 9 FirstFirst 1234 ... LastLast
Results 11 to 20 of 89

Thread: RPC/DCOM/mblast.exe thread discussions/notices

  1. #11
    I thought that you coudln't get a virus or a worm unless you executed the file? Can someone clear this up for me?

  2. #12
    This worm, scans other ip addresses for the RPC exploit that came out recently. When it finds a box that it can exploit...it opens a shell on the remote host and then using that shell downloads a file to the hacked computer. It then launches that program and adds it to the registry so it starts again on reboot.

    Basically the worm hacks the box and installs itself on that box.

  3. #13
    Senior Member
    Join Date
    Mar 2003
    Posts
    301
    another thing about msblast.exe taken from www.mess.be
    D'z warned me about a hole in the MSN Messenger protocol that has lately been taken advantage of. It's the first thing I hear about it, but according to him "several people have already been hit by exploiters, gaining too much access".

    To find out whether you're infected, press Ctrl+Alt+Del and verify if the process 'MsBlast.exe' is running. If it is, consider following the instructions below, but since there is no official security bulletin released on this topic yet... you are on your own.

    - Kill the process MsBlast.exe from the task manager you just checked.
    - Next, execute regedit.exe and search for the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Auto Update

    If it mentions MSBLAST in the path, remove that.

    - Final step: delete msblast.exe from either the windows system or and system32 folders.
    PeacE
    -BoB
    #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
    ($k,$n)=@ARGV;$m=unpack(H.$w,$m.\"\\0\"x$w),$_=`echo \"16do$w 2+4Oi0$d*-^1[d2%
    Sa2/d0<X+d*La1=z\\U$n%0]SX$k\"[$m*]\\EszlXx++p|dc`,s/^.|\\W//g,print pack(\'H*\'
    ,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die\"$0 [-d] k n\\n\")&~1)/2)

  4. #14
    Man... thats like... amazing... i didn't think a program could hack a computer by itself! But to get a "virus"(not a worm, a virus) someone has to actually start the file right?

  5. #15
    Worms spread on their own and dont require human intervention. That is what makes them a worm.

    Grinler

  6. #16
    I can't remove it! Someone help!

  7. #17

    Exclamation Heads Up: RPC Exploit Worm Active

    Massive increase in scanning on port 135, about one scan every 10 seconds.

    Internet Storm Center have posted a Yellow Alert, text of which follows.

    Scanning is done Code Red style, concentrating on the pseudo-class B subnet that the infect host is in, i.e. the 65,536 hosts in 123.123.x.x.

    This will mostly likely cause RPC and svchost failures in unprotected machines.

    See: ISC Handlers Diary
    Slashdot

    Updated August 11th 2003 17:59 EDT
    RPC DCOM WORM (MSBLASTER)
    This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

    **********
    NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********


    Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

    In order to protect yourself, you need to :
    Close port 135 (if possible 135-139, 445 and 593)
    Apply Patches http://www.microsoft.com/technet/sec...n/MS03-026.asp


    If you are infected:
    - disconnect machine from any network
    - delete msblast.exe - delete registry key staring msblast.exe - reboot.


    The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP.

    The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

    Infection sequence: 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
    2. this causes a remote shell on port 4444 at the TARGET
    3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
    4. the target will now connect to the tftp server at the SOURCE.


    The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:

    MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

    So far we found the following properties:

    - Scans sequentially for machines with open port 135, starting at a presumably random IP address
    - uses multiple TFTP servers to pull the binary
    - adds a registry key to start itself after reboot


    Name of registry key:
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

    Strings of interest:

    msblast.exe
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    windowsupdate.com
    start %s
    tftp -i %s GET %s
    %d.%d.%d.%d
    %i.%i.%i.%i
    BILLY
    windows auto update
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c




  8. #18
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Ok.. this is great..

    The initial info I have is about what the worm does.. How are ppl recieving it?

    This worm, scans other ip addresses for the RPC exploit that came out recently. When it finds a box that it can exploit...it opens a shell on the remote host and then using that shell downloads a file to the hacked computer. It then launches that program and adds it to the registry so it starts again on reboot.

    Basically the worm hacks the box and installs itself on that box.
    Thanks Grinler, the info from Symantec if useless (too early for me to check the others)

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #19
    I tried to scan my computer but it didn't find anything.

  10. #20
    Found a bit more info here
    Does this help?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •