RPC DCOM Cleanup Worm Appears
UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
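The Storm Center note quoted in the summary describes the detection signal a network defender actually sees first: a sudden rise in ICMP traffic from hosts sweeping for targets before they go after the RPC DCOM hole. As an added example (not from the SANS note, the summary, or any vendor tool), the Python below runs a simple ping-sweep detector over a few constructed firewall-style log lines: it flags any source that sends echo requests to many distinct addresses inside a short window, then lists which of those pinged hosts it went on to contact on TCP/135, the RPC endpoint-mapper port that the RPC DCOM vector uses. The log format, the 10-second window, the threshold of 8 distinct targets, the hostnames and every address are assumptions made for this example.

```python
"""Flag hosts whose ICMP echo-request fan-out looks like a worm ping sweep.

Constructed sample log lines (not a real capture) are parsed, each source is
scored by the number of distinct destinations it pinged inside a sliding
window, and sweepers are then checked for follow-up TCP/135 connections to
hosts they pinged. Window, threshold and addresses are all assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> <src> -> <dst> <proto> [type=N] [dport=N]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<proto>ICMP|TCP|UDP)(?: type=(?P<itype>\d+))?(?: dport=(?P<dport>\d+))?$"
)

# Constructed sample: 10.0.0.5 sweeps twelve addresses in four seconds and then
# hits one responder on TCP/135; 10.0.0.7 is an ordinary host pinging its gateway.
SAMPLE_LOG = """\
2003-08-18 09:00:00 10.0.0.5 -> 10.0.1.1 ICMP type=8
2003-08-18 09:00:00 10.0.0.5 -> 10.0.1.2 ICMP type=8
2003-08-18 09:00:00 10.0.0.5 -> 10.0.1.3 ICMP type=8
2003-08-18 09:00:01 10.0.0.5 -> 10.0.1.4 ICMP type=8
2003-08-18 09:00:01 10.0.0.7 -> 10.0.0.1 ICMP type=8
2003-08-18 09:00:01 10.0.0.5 -> 10.0.1.5 ICMP type=8
2003-08-18 09:00:01 10.0.0.5 -> 10.0.1.6 ICMP type=8
2003-08-18 09:00:02 10.0.0.5 -> 10.0.1.7 ICMP type=8
2003-08-18 09:00:02 10.0.0.5 -> 10.0.1.8 ICMP type=8
2003-08-18 09:00:02 10.0.0.7 -> 10.0.0.1 ICMP type=8
2003-08-18 09:00:02 10.0.0.5 -> 10.0.1.9 ICMP type=8
2003-08-18 09:00:03 10.0.0.5 -> 10.0.1.10 ICMP type=8
2003-08-18 09:00:03 10.0.0.5 -> 10.0.1.11 ICMP type=8
2003-08-18 09:00:03 10.0.0.5 -> 10.0.1.12 ICMP type=8
2003-08-18 09:00:04 10.0.0.7 -> 10.0.0.2 ICMP type=8
2003-08-18 09:00:05 10.0.0.5 -> 10.0.1.3 TCP dport=135
2003-08-18 09:00:06 10.0.0.7 -> 10.0.0.1 TCP dport=80
"""


def parse_log(text):
    """Turn log text into a chronological list of event dicts; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "itype": int(d["itype"]) if d["itype"] else None,
            "dport": int(d["dport"]) if d["dport"] else None,
        })
    return events


def find_ping_sweeps(events, window=timedelta(seconds=10), threshold=8):
    """Return {src: peak distinct echo-request targets inside any `window`}
    for every source whose peak reaches `threshold`."""
    per_src = defaultdict(list)
    for e in events:
        if e["proto"] == "ICMP" and e["itype"] == 8:  # type 8 = echo request
            per_src[e["src"]].append((e["ts"], e["dst"]))
    hits = {}
    for src, pings in per_src.items():
        pings.sort()
        recent = deque()            # (ts, dst) pairs still inside the window
        in_window = defaultdict(int)  # dst -> number of pings in the window
        peak = 0
        for ts, dst in pings:
            recent.append((ts, dst))
            in_window[dst] += 1
            while ts - recent[0][0] > window:  # expire pings older than window
                old_ts, old_dst = recent.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


def exploit_followups(events, sweepers, dport=135):
    """For each flagged sweeper, list hosts it pinged and later contacted on
    TCP `dport` (135 = RPC endpoint mapper, the RPC DCOM attack surface)."""
    first_ping = {}
    follow = defaultdict(list)
    for e in events:  # events are in log (chronological) order
        if e["src"] not in sweepers:
            continue
        key = (e["src"], e["dst"])
        if e["proto"] == "ICMP" and e["itype"] == 8:
            first_ping.setdefault(key, e["ts"])
        elif (e["proto"] == "TCP" and e["dport"] == dport
              and key in first_ping and e["ts"] >= first_ping[key]):
            follow[e["src"]].append(e["dst"])
    return dict(follow)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sweeps = find_ping_sweeps(evs)
    print("ping sweepers:", sweeps)
    print("pinged-then-135:", exploit_followups(evs, sweeps))
```

The threshold is deliberately a count of distinct targets rather than raw packet volume, so a host that pings its gateway every second never trips it, while a host walking a subnet does within seconds; pairing the sweep with the later TCP/135 contact is what separates a noisy monitoring box from a worm that has found a responder.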
Now they just need to release a worm that cleans up the Blaster virus by formatting the machine and installing Linux.
The only thing better than a clean up worm... is a gummi worm!
'Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?'
What happens when someone releases an anti-anti-Blaster-worm-worm-worm?
dinner: it's what's for beer
Wow, a worm to do the work that the sysadmin should have done in the first place. That'll encourage those lazy sysadmins to just sit back and continue to do nothing.
Prevent email address forgery. Publish SPF records for y
Instead of quickly cleaning mblast last week from my network, I could have just sat around on my ass and played video games . . . and let this worm do all the work for me. Damn.
turning over my network to a well-meaning worm. I trust that it will properly protect my network. I believe that the teeth I put under my pillow magically are turned into quarters. I am confident that Microsoft has resolved this RPC implementation problem. I have faith that Microsoft's security initiatives are on track. I am sure that elves fix my shoes when I fall behind on my work.
Begun, this worm war has.
Skinner: Well, I was wrong. The lizards are a godsend.
Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
Skinner: No problem. We simply release wave after wave of Chinese needle snakes. They'll wipe out the lizards.
Lisa: But aren't the snakes even worse?
Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
Lisa: But then we're stuck with gorillas!
Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.
If this worm is supposed to be Robin Hood, then picture Sherwood Forest overrun by about 30 million tights-clad archers running about, grabbing every person in sight, shaking them vigorously to see if they are rich, and cutting purses if jingling is detected.
Let's just hope that jingle-detection algorithm is perfect, and the purse-cutting knife is sharp and true. Otherwise Sherwood is going to have a lot of pissed-off, penniless eunuchs.
Vigilantism is a dangerous game. Innocent victims do get hurt. This worm is a very bad idea.
"By running this infected program, you agree to abide by these terms & conditions..."
- W32/Webster.Worm: Opens a command shell using the RPC VNC OpenHole ActiveX/rootsploit featurebug. Opens all MSWord and Works documents, fixes spelling and grammar, saves without a backup, then writes a polite "echo" line to AUTOEXEC.BAT gently chiding you to learn to read at a fourth grade level.
- W32/PSCheezRemove.AutoTrojanMurderWorm: Attaches to exposed port 5555, downloads GOODTASTE.EXE from a predefined HTTP server, which it then executes. Scans Hard discs for PSD files that employ garish glows, drop shadows, and procedural 2D fire effects, and replaces those layers with a text layer containing the URLs of several reputable visual arts schools.
- Existence/DrawerClean.Intruder: Waits until you leave for work, jimmies your bedroom window, and illegally enters your home. If he/she finds an underwear drawer, he/she folds and neatly stacks the contents of the drawer, quicksorting by color, then leaves. Symantec is reporting a variant, DrawerClean/FourStar, which leaves a mint on your pillow on the 16th of each month.
Microsoft killed the windowsupdate.com domain.
Did anyone else read this with the tune of "video killed the radio star" playing in their head?
I feel there's only one possible author of this antiworm: Microsoft.
Think about it. No average sysadmin would do it to clean up his systems - there's too much liability under DMCA. Idiot home users don't care. Non-Microsoft people are glad that they were to be attacked on Saturday. Who's left? The punk kids who write all the viruses? Why would they care about this? The only other possibility would be some security company like eEye trying to gain reputation - but again, the DMCA issues would prevent them from disclosing that they ever wrote it.
Hm... whoever wrote it cares a lot about Microsoft and isn't worried about the DMCA. Microsoft is the only possibility!
# Erik
IN SOVIET RUSSIA, worm fixes YOU! (I am not laughing, are you?)