Slashdot Mirror


RPC DCOM Cleanup Worm Appears

UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."

16 of 758 comments (clear)

  1. that's cute by Anonymous Coward · · Score: 5, Funny

    Now they just need to release a worm that cleans up the blaster virus by formatting the machine and installing linux

    1. Re:that's cute by krisp · · Score: 4, Funny

      I'd settle for a worm that downloaded a kernel and loadlin.exe. The kernel would boot an included ramdisk image that changed the MBR to hide windows and a login message telling a riddle to guess the root password.

      Something along the lines of:
      Who do I now need to pay $699 to?

    2. Re:that's cute by blixel · · Score: 4, Funny

      Now they just need to release a worm that cleans up the blaster virus by formatting the machine and installing linux

      That wouldn't work too well. You would have to download the virus yourself, make sure the virus was compatible with your hardware, make sure you had all the necessary dependencies for the virus to run properly, then you would have to modify the virus source code to work with your particular setup, then go out on newsgroups seeking help when you can't get it to work, and in the end you would end up giving up, re-installing Windows, then posting an article on Slashdot about how Linux "isn't quite ready for the masses yet."

  2. Coolness.... by MadBiologist · · Score: 4, Funny

    The only thing better than a clean up worm... is a gummi worm!

    --
    'Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?'
  3. This could go on for a while... by Mr.+Neutron · · Score: 5, Funny

    What happens when someone releases an anti-anti-Blaster-worm-worm-worm?

    --
    dinner: it's what's for beer
  4. Helping lazy admins by FattMattP · · Score: 4, Funny

    Wow, a worm to do the work that the sysadmin should have done in the first place. That'll encourage those lazy sysadmins to just sit back and continue to do nothing.

    --
    Prevent email address forgery. Publish SPF records for y
  5. Where was this worm last week? by tinypillar · · Score: 5, Funny

    Instead of quickly cleaning mblast last week from my network, I could have just sat around on my ass and played video games . . . and let this worm do all the work for me. Damn.

  6. I feel very comfortable ... by burgburgburg · · Score: 5, Funny

    turning over my network to a well-meaning worm. I trust that it will properly protect my network. I believe that the teeth I put under my pillow magically are turned into quarters. I am confident that Microsoft has resolved this RPC implementation problem. I have faith that Microsoft's security initiatives are on track. I am sure that elves fix my shoes when I fall behind on my work.

  7. Predicted a long time ago, and very far away. by teamhasnoi · · Score: 4, Funny

    Begun, this worm war has.

  8. Obligatory Semi-Relevant Simpsons Quote by shik0me · · Score: 5, Funny

    Skinner: Well, I was wrong. The lizards are a godsend.
    Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
    Skinner: No problem. We simply release wave after wave of Chinese needle snakes. They'll wipe out the lizards.
    Lisa: But aren't the snakes even worse?
    Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
    Lisa: But then we're stuck with gorillas!
    Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.

  9. Re:Internet Robin Hood by ChrisDolan · · Score: 5, Funny

    If this worm is supposed to be Robin Hood, then picture Sherwood Forest overrun by about 30 million tights-clad archers running about, grabbing every person in sight, shaking them vigorously to see if they are rich, and cutting purses if jingling is detected.

    Let's just hope that jingle-detection algorithm is perfect, and the purse-cutting knife is sharp and true. Otherwise Sherwood is going to have a lot of pissed-off, penniless eunuchs.

    Vigilantism is a dangerous game. Innocent victims do get hurt. This worm is a very bad idea.

  10. it needs a EULA by Tumbleweed · · Score: 4, Funny

    "By running this infected program, you agree to abide by these terms & conditions..."

  11. COMING SOON by Multiple+Sanchez · · Score: 4, Funny

    - W32/Webster.Worm: Opens a command shell using the RPC VNC OpenHole ActiveX/rootsploit featurebug. Opens all MSWord and Works documents, fixes spelling and grammar, saves without a backup, then writes a polite "echo" line to AUTOEXEC.BAT gently chiding you to learn to read at a fourth grade level.

    - W32/PSCheezRemove.AutoTrojanMurderWorm: Attaches to exposed port 5555, downloads GOODTASTE.EXE from a predefined HTTP server, which it then executes. Scans Hard discs for PSD files that employ garish glows, drop shadows, and procedural 2D fire effects, and replaces those layers with a text layer containing the URLs of several reputable visual arts schools.

    - Existence/DrawerClean.Intruder: Waits until you leave for work, jimmies your bedroom window, and illegally enters your home. If he/she finds an underwear drawer, he/she folds and neatly stacks the contents of the drawer, quicksorting by color, then leaves. Symantec is reporting a variant, DrawerClean/FourStar, which leaves a mint on your pillow on the 16th of each month.

  12. Re:Speaking of which... by Munelight · · Score: 5, Funny

    Microsoft killed the windowsupdate.com domain.

    Did anyone else read this with the tune of "video killed the radio star" playing in their head?

  13. one possible author by erikdotla · · Score: 4, Funny

    I feel there's only one possible author of this antiworm: Microsoft.

    Think about it. No average sysadmin would do it to clean up his systems - there's too much liability under DMCA. Idiot home users don't care. Non-Microsoft people are glad that they were to be attacked on Saturday. Who's left? The punk kids who write all the viruses? Why would they care about this? The only other possiblity would be some security company like eEye trying to gain reputation - but again, the DMCA issues would prevent them from disclosing that they ever wrote it.

    Hm... whoever wrote it cares a lot about Microsoft and isn't worried about the DMCA. Microsoft is the only possibility!

    --
    # Erik
  14. strangely enough by Jucius+Maximus · · Score: 5, Funny
    I thought this 'reversal' was obvious fodder for SOVIET RUSSIA jokes, but now I can't think of a good one...

    IN SOVIET RUSSIA, worm fixes YOU! (I am not laughing, are you?)