[60450] in North American Network Operators' Group


Re: RPC errors

daemon@ATHENA.MIT.EDU (Dominic J. Eidson)
Tue Aug 12 13:45:25 2003

Date: Tue, 12 Aug 2003 12:44:40 -0500 (CDT)
From: "Dominic J. Eidson" <sauron@the-infinite.org>
To: NANOG <nanog@merit.edu>
In-Reply-To: <3F3801ED.8000008@brightok.net>
Errors-To: owner-nanog-outgoing@merit.edu


On Mon, 11 Aug 2003, Jack Bates wrote:

> Sean Donelan wrote:
>
> > http://isc.sans.org/diary.html?date=2003-08-11
> > The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
> > vulnerable system, it will spawn a shell and use it to download the actual
> > worm via tftp.
> >
> > The name of the binary is msblast.exe. It is packed with UPX and will self
> > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
> > packed:

Has anyone seen/heard of this virus propagating through email in any way?

We appear to have been infected on a network that is very heavily
firewalled from the outside, and are trying to track down possible entry
methods the worm might have had...


 - d.

-- 
Dominic J. Eidson
                                        "Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/              http://www.the-infinite.org/~dominic/

