Slashdot Mirror


RPC DCOM Worm On The Loose

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."

33 of 604 comments

  1. Great by mjmalone · · Score: 5, Funny

    The security team at my office has been scrambling to secure all of our systems before such a worm was developed. I hope they are done!

    Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?

    1. Re:Great by rylin · · Score: 5, Funny

      I have a copy! You can fetch from 212.192.128.76:4444 ;)

    2. Re:Great by Frymaster · · Score: 2, Funny
      in case the above gets slashdotted, the code is:

      An error occured while loading http://212.192.128.76:4444:
      Could not connect to host 212.192.128.76 (port 4444)

    3. Re:Great by dieMSdie · · Score: 3, Funny

      Sure!

      Open all your ports and I'll see what I can do!

      --
      Don't throw your computer out the window, throw the Windows out of your computer!
  2. I have already patched my entire network. by Znonymous+Coward · · Score: 4, Funny

    It's called a firewall. It's protected me from Nimda, Code Red, etc.

    --

    Karma: The shiznight, mostly because I am the Drizzle.

    1. Re:I have already patched my entire network. by Anonymous Coward · · Score: 5, Funny

      It's called Linux. It's protected me from Nimda, Code Red, etc...

    2. Re:I have already patched my entire network. by bigjocker · · Score: 4, Funny

      I used this patch instead in my whole network.

      --
      Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
    3. Re:I have already patched my entire network. by TheGreenLantern · · Score: 5, Funny

      While I'm sure this is technically true, some of us are responsible for networks that are slightly more complicated than an XBox, an HP Pavilion downloading porn and bootlegs 24-7, and an old P2 running Suse in our parents' basement.

      --

      It hurts when I pee.
    4. Re:I have already patched my entire network. by Anonymous Coward · · Score: 1, Funny
  3. Balmer by Anonymous Coward · · Score: 2, Funny

    Developers developers developers..

    erm...

    security security security... erm ...

    um...

    somebody get me more cocaine!

    1. Re:Balmer by azzy · · Score: 2, Funny

      I think you need some e with that cocaine

  4. New title suggestion for this story by Kappelmeister · · Score: 4, Funny

    Developers: RPC DCOM Worm On The Loose

    Shouldn't that be:

    Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!: RPC DCOM Worm On The Loose

  5. I saw it happen LIVE! by __aaklbk2114 · · Score: 5, Funny

    I was working on my parents' computer (Windows XP) remotely today when this started happening. I was installing some new software for them and I had also just disabled that stupid Messenger service so they would stop getting those pop-up spam messages.

    Anyhow, I had just finished that when XP said it was shutting down in 30 seconds. I was like, WTF!

    Here I am thinking that I just screwed up their machine with the new apps somehow.

    Thanks a bunch, Billy. Guess they'll be punting this one to Longhorn :)

  6. go ME! by StevenHallman76 · · Score: 5, Funny

    Affected Software:

    * Microsoft Windows NT(R) 4.0
    * Microsoft Windows NT 4.0 Terminal Services Edition
    * Microsoft Windows 2000
    * Microsoft Windows XP
    * Microsoft Windows Server(TM) 2003

    Not Affected Software:

    * Microsoft Windows Millennium Edition


    finally! all these years of running Win ME have paid off! so long suckers!

    1. Re:go ME! by Sneftel · · Score: 4, Funny

      I'm afraid you stopped reading too soon. Here's the bit you missed:

      Sucks big fat sweaty donkey balls:

      * Microsoft Windows Millennium Edition

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    2. Re:go ME! by Mista+LovaLova · · Score: 2, Funny

      Noooooooooooo!!!!! Now Corporate Execs will want to migrate all of our machines backward to WinME. They will probably think it's newer since no one's heard of it!

  7. OMG by stephenry · · Score: 5, Funny

    OMG! It's not a worm, ITS SKYNET! It's taking over! Make your time, judgement day is nigh!

  8. Protection from the virus by Anonymous Coward · · Score: 3, Funny

    I've been digging around the web, and I can't seem to find out how to protect myself. I can't seem to find anything that prevents this virus from attacking my linux or as/400 servers. Help!

  9. Re:Effects by PolyDwarf · · Score: 2, Funny

    Diagnose their systems this very minute? Screw the systems, there's /. to read!!

  10. Re:Credit... by Dom2 · · Score: 2, Funny
    Once again proving that they are doing little more than deriving from Unix:
    There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.
    -- Jeremy S. Anderson

    From your local neighbourhood fortune cookie file.

    -Dom

  11. I'm safe by teamhasnoi · · Score: 4, Funny
    I've rolled a saving throw against remote infection and I have +3 Fireproof armor, however I am still vulnerable to hot wood elves.

    You did say this was a RPG worm, right?

  12. WINE? by Anonymous Coward · · Score: 2, Funny

    Does anyone know if WINE supports this worm yet? I would like to test it out but I don't have Windows on my desktop.

    Thanks.

  13. Port Scan your computer/net by k-hell · · Score: 1, Funny

    I suggest you use GRC.com's excellent port scan feature if you got a Windows machine. It's called 'Shield's UP!' and is available here (scroll down a bit), and will scan your system's first 1052 ports.

  14. Re:Credit... by GnomeKing · · Score: 5, Funny

    At least Microsoft was nice enough to credit LSD in the tech note.

    Is that what they were taking when they wrote the code?

  15. Yawn.... by dfn5 · · Score: 2, Funny

    They did this already last week on Stargate SG1 with that virus that spread from gate to gate and took down the whole network in 2+ hours. Can't these virus writers ever come up with something original?

    --
    -- Thou hast strayed far from the path of the Avatar.
  16. Symantec by Zilfondel2 · · Score: 2, Funny

    We've currently got 112 Windows XP lusers in our queue looking at a 2 hour wait time to talk to us virus removal techs. "Sorry, no removal instructions, call tomorrow." hehe

  17. Other changes needed by accountant · · Score: 1, Funny

    Is that the S word I see here?

    http://www.microsoft.com/com/tech/DCOM.asp

  18. I got this one... by UfoZ · · Score: 1, Funny

    After manually updating my virus definitions and explicitly pointing NAV to the file, it still reckoned it's clean. Way to go, Norton. At least the MS patch seemed to work, although I've seen some people on IRC get repeatedly raped and always before they managed to download and install the patch. Sucks for them, I guess.

    The worm, aptly named msblast.exe and happily sitting in my system32 folder, sending itself to a bunch of random addresses (that happened to be in a reserved netblock and were timing out, go figure), was packed with UPX. After uncompressing it and running strings on it, here are some interesting finds:

    msblast.exe
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    windowsupdate.com
    start %s
    tftp -i %s GET %s
    %d.%d.%d.%d
    %i.%i.%i.%i
    windows auto update
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Fun, hah? Way to go you bloody wanker, you made my day. I hope SAN (your right hand) loves you too.

  19. Re:users being hit hard by TheRealFixer · · Score: 5, Funny

    Yeah, except the stolen car doesn't take off by itself in the middle of the night and start hitting every other car it sees.

  20. Re:On the way? by caluml · · Score: 2, Funny

    I don't think this is a troll. It's a valid comment. The moderator that modded this troll is probably a Windows admin who's just realised that s/he's been infected.

  21. Liar, liar, pants never on fire by Platinum+Dragon · · Score: 2, Funny

    Nice try, but that bit about having a girlfriend was Just Too Obvious.

    --

    Someday, you're going to die. Get over it.
  22. It's heeeerrreeee... by AndroidCat · · Score: 2, Funny
    I wondered what all the cruft in the logs for port 135 over the last few hours was. There had been a low volume of port 135 hits over the couple of weeks, when usually there are almost none. I glanced at the logs while having a coffee, and immediately thought "Gee I wonder what MS exploit is loose this time?"

    *sigh*

    --
    One line blog. I hear that they're called Twitters now.
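    The msblast strings post (tftp -i %s GET %s) and the port 135 log noise above are the two halves of the propagation chain the summary describes: an exploit attempt on tcp/135, a shell on tcp/4444, and the victim pulling the payload back over tftp. The following defender-side detector for that chain is an added example, not code from the thread; the firewall log format, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread); 10.0.0.5 is the
# infected host, 192.168.1.14 the victim it successfully compromises.
SAMPLE_LOG = """\
2003-08-11 22:14:01 TCP 10.0.0.5:1031 -> 192.168.1.10:135
2003-08-11 22:14:01 TCP 10.0.0.5:1032 -> 192.168.1.11:135
2003-08-11 22:14:02 TCP 10.0.0.5:1033 -> 192.168.1.12:135
2003-08-11 22:14:02 TCP 10.0.0.5:1034 -> 192.168.1.13:135
2003-08-11 22:14:03 TCP 10.0.0.5:1035 -> 192.168.1.14:135
2003-08-11 22:14:05 TCP 10.0.0.5:1036 -> 192.168.1.14:4444
2003-08-11 22:14:06 UDP 192.168.1.14:1025 -> 10.0.0.5:69
2003-08-11 22:15:00 TCP 10.0.0.9:2001 -> 192.168.1.10:135
2003-08-11 22:15:30 TCP 10.0.0.9:2002 -> 192.168.1.10:80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
                     r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "dport": int(m["dport"])}

def find_blaster_activity(text, scan_threshold=5):
    """Map each suspect source host to evidence of the three-step chain:
    tcp/135 probes of many targets, a tcp/4444 shell connection to one of
    them, and the victim pulling the payload back over udp/69 (tftp)."""
    rpc, shell, tftp = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in parse_log(text):
        if e["proto"] == "TCP" and e["dport"] == 135:
            rpc[e["src"]].add(e["dst"])
        elif e["proto"] == "TCP" and e["dport"] == 4444:
            shell[e["src"]].add(e["dst"])
        elif e["proto"] == "UDP" and e["dport"] == 69:
            tftp[e["dst"]].add(e["src"])  # victim (src) fetches from infected host (dst)
    findings = {}
    for host, targets in rpc.items():
        # a wide tcp/135 sweep alone is suspicious; a 4444 follow-up is conclusive
        if len(targets) >= scan_threshold or host in shell:
            findings[host] = {"rpc_scan": len(targets),
                              "shell_4444": sorted(shell.get(host, ())),
                              "tftp_pull": sorted(tftp.get(host, ()))}
    return findings
```

    A single host hitting many others on tcp/135 is already worth blocking at the router, as the first comment asks; the 4444 and tftp entries tell you which of those probes actually succeeded.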
  23. I'm not sure about removing it.... by TheBoostedBrain · · Score: 5, Funny

    Trend Micro says that this worm performs a DDoS to Windows Update Site, I'm not really sure about removing it...

    --
    -- When did Ignorance Become a Point of View?