[60403] in North American Network Operators' Group
Re: RPC errors
daemon@ATHENA.MIT.EDU (Chris Reining)
Mon Aug 11 17:37:10 2003
Date: Mon, 11 Aug 2003 16:35:41 -0500
From: Chris Reining <creining@packetfu.org>
To: Sean Donelan <sean@donelan.com>
Cc: Jack Bates <jbates@brightok.net>, NANOG <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.44.0308111616400.3565-100000@clifden.donelan.com>; from sean@donelan.com on Mon, Aug 11, 2003 at 04:17:53PM -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, Aug 11, 2003 at 04:17:53PM -0400, Sean Donelan wrote:
> On Mon, 11 Aug 2003, Jack Bates wrote:
> > I'm showing signs of an RPC sweep across one of my networks that's
> > killing some XP machines (only XP confirmed). How widespread is this at
> > this time? Also, does anyone know if this is just generating a DOS
> > symptom or if I should be looking for backdoors in these client systems?
>
> http://isc.sans.org/diary.html?date=2003-08-11
> The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
> vulnerable system, it will spawn a shell and use it to download the actual
> worm via tftp.
>
> The name of the binary is msblast.exe. It is packed with UPX and will self
> extract. The size of the binary is about 11kByte unpacked, and 6kBytes
> packed:
I have a copy of this worm at
http://www.packetfu.org/malware/msblast.zip
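As an added example (not code from the thread, ISC or the author), the propagation pattern quoted above, a sweep of TCP/135 followed by the victim pulling the binary back from the infecting host over TFTP, is something a defender can correlate in flow or firewall logs. The log line format and the sample addresses below are constructed assumptions:

```python
"""Flag a TCP/135 sweep followed by a TFTP fetch in constructed flow logs.

Added example (not code from the thread or ISC). The line format
timestamp src dst proto dport is an assumption; adapt parse() as needed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 sweeps TCP/135, then 10.0.0.9 pulls the
# payload back from it over TFTP (UDP/69), matching the described pattern.
SAMPLE_LOG = """\
2003-08-11T16:00:01 10.0.0.5 10.0.0.7 tcp 135
2003-08-11T16:00:01 10.0.0.5 10.0.0.8 tcp 135
2003-08-11T16:00:02 10.0.0.5 10.0.0.9 tcp 135
2003-08-11T16:00:02 10.0.0.5 10.0.0.10 tcp 135
2003-08-11T16:00:03 10.0.0.5 10.0.0.11 tcp 135
2003-08-11T16:00:09 10.0.0.9 10.0.0.5 udp 69
2003-08-11T16:01:00 10.0.0.20 10.0.0.21 tcp 445
"""

SWEEP_THRESHOLD = 5               # distinct TCP/135 targets before we call it a sweep
TFTP_WINDOW = timedelta(seconds=60)  # TFTP fetch must follow the 135 hit within this

def parse(log_text):
    """Parse one event per line into (time, src, dst, proto, dport)."""
    events = []
    for line in log_text.splitlines():
        ts, src, dst, proto, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, proto, int(dport)))
    return events

def analyse(events):
    """Return (sweep_sources, likely_infected) from parsed flow events."""
    rpc_targets = defaultdict(set)  # sweeper -> hosts it touched on TCP/135
    first_hit = {}                  # (sweeper, victim) -> time of first 135 hit
    for ts, src, dst, proto, dport in events:
        if proto == "tcp" and dport == 135:
            rpc_targets[src].add(dst)
            first_hit.setdefault((src, dst), ts)
    sweepers = {s for s, t in rpc_targets.items() if len(t) >= SWEEP_THRESHOLD}
    infected = set()
    for ts, src, dst, proto, dport in events:
        # A host hit on 135 now fetching from the sweeper over TFTP: likely
        # the shell-then-tftp stage, so treat it as compromised.
        if proto == "udp" and dport == 69 and dst in sweepers:
            hit = first_hit.get((dst, src))
            if hit is not None and timedelta(0) <= ts - hit <= TFTP_WINDOW:
                infected.add(src)
    return sweepers, infected
```

Hosts returned in the second set are the ones to isolate and check for the msblast.exe binary, while the first set are the sources already sweeping.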