Slashdot Mirror

← Back to Stories (view on slashdot.org)

RPC DCOM Worm On The Loose

Posted by simoniker on from the uh-oh-spaghettios dept.

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."

7 of 604 comments (clear)

  1. users being hit hard by towaz · · Score: 5, Informative

    the call centre here is off the scale with people ringing in with rpc problems...
    all xp users though

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
  2. Credit... by chill · · Score: 5, Informative

    At least Microsoft was nice enough to credit LSD in the tech note.

    --
    Learning HOW to think is more important than learning WHAT to think.
  3. Security Advisory by Blangopolis · · Score: 5, Informative
    The security advisory can be found here.

    After reading the advisory, it looks like this one is going to be a bad one. I'm no expert, but I would guess that this thing is going to be around as long as code red was (and I'm still getting code red hits in my logs!)

  4. Effects by Papa+Legba · · Score: 5, Informative

    This worm is bugged it seems. From XP systems I have seen it throws an error to the screen about RPC services and reboots the system. On Windows 2000 Pro it crashes the svchost and a lot of stuff stops working. Just and FYI for those trying to diagnose systems right this minute.

    Cagliostro

    --
    Papa Legba come and open the gate
  5. Increase in TCP 135 Activity by Anonymous Coward · · Score: 5, Informative

    This is our number of dropped TCP 135 requests at our border since noon today, per 30 mins, seen on our 2 Class Bs:

    57,003 1200 to 1230
    75,317 1230
    59,321 1300
    52,642 1330
    130,932 1400
    202,996 1430
    277,183 1500
    247,682 1530
    320,919 1600
    361,504 1630 to 1700

    milspec

  6. Re:Port 4444 by Anonymous Coward · · Score: 5, Informative

    Shell is on 4444. TFTP is on standard port. Random scanner? SHA-1 of packed worm is BED8E439F28A1A0D3876366CBD76A43CDCCF60FA. It'll lookup windowsupdate.com and flood on the 16th. Filename is msblast.exe, length 6176 bytes. Partial string "to say LOVE YOU SAN!!" appears even in the packed version (UPX 1.22). More detailed stuff to follow...

  7. I was *nailed* by this thing over the weekend by drgroove · · Score: 5, Informative

    At first, I couldn't figure out why Task Manager suddenly stopped working. Launching TaskMan.exe resulted in an error message "Task Manager has been disabled by the Administrator".

    Odd, I thought. I *am* the administrator.

    I realized I had been hit by a virus or worm when I rebooted and the autoexec.bat file opened up during my login. Not good.

    Norton didn't pick up on this one at all; furthermore, McAfee's online virus/worm searching tool found a related virus, but not the actual baddie.

    The virus that McAfee located - which probably came in after the worm opened up all those ports in my firewall - were in \WINNT\msagent\intl. Basically, anything in that directory that *isn't* a .dll file, delete them.

    The worm itself is in \WINNT\system32\, and is called 'msconfig[nn].exe', where [nn] is interchangeable with two numbers. Mine was 'msconfig35.exe', I've read reports on various forums of others w/ '32' and '33' after the 'msconfig'.

    Be careful here, as this app will spawn identical, hidden copies of itself with random names (like 'dwigjenjig.exe' or 'zajdfanltef.exe'). The easiest way I found to discern between real MS files and the worm was by looking at the last modified date displayed by Explorer, vs the last modified date that pops up when you mouse over the file name. All of the worm files had discrepancies between the two.

    Hope that helps someone out there!