Slashdot Mirror


RPC DCOM Cleanup Worm Appears

UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."

35 of 758 comments

  1. that's cute by Anonymous Coward · · Score: 5, Funny

    Now they just need to release a worm that cleans up the blaster virus by formatting the machine and installing linux

    1. Re:that's cute by krisp · · Score: 4, Funny

      I'd settle for a worm that downloaded a kernel and loadlin.exe. The kernel would boot an included ramdisk image that changed the MBR to hide windows and a login message telling a riddle to guess the root password.

      Something along the lines of:
      Who do I now need to pay $699 to?

    2. Re:that's cute by Anonymous Coward · · Score: 3, Funny

      Maybe that's how windows got on my machine.

    3. Re:that's cute by Anonymous Coward · · Score: 2, Funny

      Who do I now need to pay $699 to?

      Am I right?

    4. Re:that's cute by Fjord · · Score: 2, Funny

      Dude, Geico can save you 15% or more.

      --
      -no broken link
    5. Re:that's cute by blixel · · Score: 4, Funny

      > Now they just need to release a worm that cleans up the blaster virus by formatting the machine and installing linux

      That wouldn't work too well. You would have to download the virus yourself, make sure the virus was compatible with your hardware, make sure you had all the necessary dependencies for the virus to run properly, then you would have to modify the virus source code to work with your particular setup, then go out on newsgroups seeking help when you can't get it to work, and in the end you would end up giving up, re-installing Windows, then posting an article on Slashdot about how Linux "isn't quite ready for the masses yet."

  2. Coolness.... by MadBiologist · · Score: 4, Funny

    The only thing better than a clean up worm... is a gummi worm!

    --
    'Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?'
  3. This could go on for a while... by Mr.+Neutron · · Score: 5, Funny

    What happens when someone releases an anti-anti-Blaster-worm-worm-worm?

    --
    dinner: it's what's for beer
    1. Re:This could go on for a while... by sw155kn1f3 · · Score: 2, Funny

      yeah... i propose to call this new macrophage "SkyNet" ;-)

      --
      - Arwen, I'm your father, Agent Smith.
      - Well, you're just Smith, but my father is Aerosmith!
  4. So let's be proactive next time by slash-tard · · Score: 1, Funny

    Next time we have a vulnerability someone write a worm that automatically applies the MS patch.

  5. Helping lazy admins by FattMattP · · Score: 4, Funny

    Wow, a worm to do the work that the sysadmin should have done in the first place. That'll encourage those lazy sysadmins to just sit back and continue to do nothing.

    --
    Prevent email address forgery. Publish SPF records for y
  6. Where was this worm last week? by tinypillar · · Score: 5, Funny

    Instead of quickly cleaning mblast last week from my network, I could have just sat around on my ass and played video games . . . and let this worm do all the work for me. Damn.

  7. I feel very comfortable ... by burgburgburg · · Score: 5, Funny

    turning over my network to a well-meaning worm. I trust that it will properly protect my network. I believe that the teeth I put under my pillow magically are turned into quarters. I am confident that Microsoft has resolved this RPC implementation problem. I have faith that Microsoft's security initiatives are on track. I am sure that elves fix my shoes when I fall behind on my work.

  8. So how long until by mfago · · Score: 2, Funny

    someone makes a worm that downloads and installs a Linux distro?

  9. I hope they wrote this one correctly by Hal+The+Computer · · Score: 2, Funny

    But does this new worm try and download the update from www.windowsupdate.com?

    P.S. If you didn't know, Microsoft took down windowsupdate.com, the correct site name is windowsupdate.microsoft.com

    --

    int main(void){int x=01232;while(malloc(x));return x;}
  10. Predicted a long time ago, and very far away. by teamhasnoi · · Score: 4, Funny

    Begun, this worm war has.

  11. This is sweet. by Lester67 · · Score: 2, Funny

    Basically someone has given you a week to fix it yourself, or they fix it for you.

    This rocks.

  12. Obligatory Semi-Relevant Simpsons Quote by shik0me · · Score: 5, Funny

    Skinner: Well, I was wrong. The lizards are a godsend.
    Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
    Skinner: No problem. We simply release wave after wave of Chinese needle snakes. They'll wipe out the lizards.
    Lisa: But aren't the snakes even worse?
    Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
    Lisa: But then we're stuck with gorillas!
    Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.

  13. Re:Wow, I called this last Thursday! by Tumbleweed · · Score: 2, Funny

    > The extent to which the Internet recapitulates evolution and biological systems is astounding!

    Yeah, now all we need is a type of cancer that attacks cancer cells and turns them back into normal cells.

    And one that turns people who don't patch their machines into people who DO patch their machines! Oh yeah, that'd be sweet...

  14. Re:Internet Robin Hood by ChrisDolan · · Score: 5, Funny

    If this worm is supposed to be Robin Hood, then picture Sherwood Forest overrun by about 30 million tights-clad archers running about, grabbing every person in sight, shaking them vigorously to see if they are rich, and cutting purses if jingling is detected.

    Let's just hope that jingle-detection algorithm is perfect, and the purse-cutting knife is sharp and true. Otherwise Sherwood is going to have a lot of pissed-off, penniless eunuchs.

    Vigilantism is a dangerous game. Innocent victims do get hurt. This worm is a very bad idea.

  15. it needs a EULA by Tumbleweed · · Score: 4, Funny

    "By running this infected program, you agree to abide by these terms & conditions..."

  16. COMING SOON by Multiple+Sanchez · · Score: 4, Funny

    - W32/Webster.Worm: Opens a command shell using the RPC VNC OpenHole ActiveX/rootsploit featurebug. Opens all MSWord and Works documents, fixes spelling and grammar, saves without a backup, then writes a polite "echo" line to AUTOEXEC.BAT gently chiding you to learn to read at a fourth grade level.

    - W32/PSCheezRemove.AutoTrojanMurderWorm: Attaches to exposed port 5555, downloads GOODTASTE.EXE from a predefined HTTP server, which it then executes. Scans Hard discs for PSD files that employ garish glows, drop shadows, and procedural 2D fire effects, and replaces those layers with a text layer containing the URLs of several reputable visual arts schools.

    - Existence/DrawerClean.Intruder: Waits until you leave for work, jimmies your bedroom window, and illegally enters your home. If he/she finds an underwear drawer, he/she folds and neatly stacks the contents of the drawer, quicksorting by color, then leaves. Symantec is reporting a variant, DrawerClean/FourStar, which leaves a mint on your pillow on the 16th of each month.

  17. Re:Speaking of which... by Munelight · · Score: 5, Funny

    Microsoft killed the windowsupdate.com domain.

    Did anyone else read this with the tune of "video killed the radio star" playing in their head?

  18. one possible author by erikdotla · · Score: 4, Funny

    I feel there's only one possible author of this antiworm: Microsoft.

    Think about it. No average sysadmin would do it to clean up his systems - there's too much liability under DMCA. Idiot home users don't care. Non-Microsoft people are glad that they were to be attacked on Saturday. Who's left? The punk kids who write all the viruses? Why would they care about this? The only other possibility would be some security company like eEye trying to gain reputation - but again, the DMCA issues would prevent them from disclosing that they ever wrote it.

    Hm... whoever wrote it cares a lot about Microsoft and isn't worried about the DMCA. Microsoft is the only possibility!

    --
    # Erik
    1. Re:one possible author by DickBreath · · Score: 2, Funny

      > whoever wrote it cares a lot about Microsoft and isn't worried about the DMCA. Microsoft is the only possibility!

      No, I disagree.

      I can assure you that there are Microsoft zealots who are every bit as zealous as open source people. Perhaps even more so. Even worse, they claim that they are "unbiased". I know at least one.

      Microsoft could probably get into trouble for this. It is very unlikely that this is anything that the corporation has officially done. It might have been a Microsoft employee.

      But as for those who would say that only Slashdot weenies are passionate about their OS, I have only this to say.....

      developers, developers, Developers, Developers, DEVELOPERS, DEVELOPERS, DEVELOPERS, DEVELOPERS!!!!!

      and...

      Woooo! Give it up for me! I have only four words to say: I, LOVE, THIS, COMPANY.

      --

      I'll see your senator, and I'll raise you two judges.
  19. strangely enough by Jucius+Maximus · · Score: 5, Funny
    I thought this 'reversal' was obvious fodder for SOVIET RUSSIA jokes, but now I can't think of a good one...

    IN SOVIET RUSSIA, worm fixes YOU! (I am not laughing, are you?)

  20. Re:So cool! by coolerthanmilk · · Score: 2, Funny

    The fact it opens port 707 sounds a bit worrying though.

    There's no need to worry. Obviously, the computer is just standing on its head and laughing with joy at being rid of its former parasitic habitant.

    707 -> LOL!

    The only way it could really laugh out loud would be to open a port through which it can laugh. It makes perfect sense. No, no need to worry here, just LOL some more.
  21. Re:Speaking of which... by dspeyer · · Score: 2, Funny
    Microsoft also switched their main website to a decentralized GNU/Linux cluster. This is why we can all still get through. Admittedly, they didn't choose GNU/Linux themselves, they chose Akamai, a professional webhosting service, and Akamai chose GNU/Linux. Even so, must be embarrassing for them....

    GNU/Linux: for when it actually has to work!

  22. Home inspectors are responsible! by Danathar · · Score: 2, Funny

    I KNEW IT!!! I checked google and NACHI is (National Association of certified Home inspectors). Man. What a pro-active group! I wonder if NOT having this worm will lower my mortgage?

  23. Good grief! by Anonymous Coward · · Score: 2, Funny

    Why do slashdotters think they are so good at coming up with analogies? You see this in every single article. Someone creates a perfectly fine analogy and 8 people respond saying "actually, it would be more like your neighbor/daughter/lawn gnome..."

    Slashdotter : Good Analogy :: Rosie O'Donnell : Attractive

  24. Sounds like Windows Media Player by DrSkwid · · Score: 2, Funny

    It still runs code on a machine without the permission of the owner, and is therefore a virus.

    Or Gator.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  25. Re:Speaking of which... by Anonymous Coward · · Score: 1, Funny
    > Did anyone else read this with the tune of "video killed the radio star" playing in their head?

    No, because we are all 12 years old!!!!
    ROFL

  26. Re:Worm from Microsoft? by kemikalzen · · Score: 2, Funny

    More likely, Microsoft wrote the original MSBlaster worm, after all the code was amateurish and had serious bugs

  27. Computer, Heal Thyself.... by Hallowed · · Score: 2, Funny
    Why doesn't M$ release patches that do this??? Hmmmmmm.....

    --

    1. When the pin is pulled, Mr. Grenade is no longer your friend.

    2. Do not eat iPod shuffle.

  28. Terminator 4 - Rise of the worms by EqualSlash · · Score: 2, Funny
    Terminator(Nachi) has arrived to terminate the evil MSBlaster Worm.
    "Removal of W32/Lovsan.worm.a The worm also looks for and removes W32/Lovsan.worm.a from an infected system. It achieves this by targeting MSBLAST.EXE. (The process is terminated if running on the victim machine.)"
    Hasta la vista, baby!
    "Self removal:
    When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution."
    It Will be Back !