Slashdot Mirror


RPC DCOM Cleanup Worm Appears

UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
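The ICMP increase the SANS note flagged is the worm pinging hosts before it tries the RPC DCOM exploit against them. As an added example (not from the article, SANS or the worm analysis), here is a small Python detector that reads constructed firewall-style log lines and flags any source that pings many distinct addresses inside a short window; the log format, addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log (not a real capture): one infected host pings
# 40 neighbours in four seconds; a normal host pings its gateway three times.
def constructed_log():
    base = datetime(2003, 8, 18, 9, 0, 0)
    lines = []
    for i in range(1, 41):
        ts = (base + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} proto=ICMP type=8 src=10.0.4.17 dst=10.0.5.{i}")
    for i in range(3):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} proto=ICMP type=8 src=10.0.4.8 dst=10.0.5.1")
    lines.append(f"{base.isoformat()} proto=TCP src=10.0.4.8 dst=10.0.5.1 dport=80")
    return lines

# Only ICMP echo requests (type 8) matter; every other line is skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+) proto=ICMP type=8 src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def parse_echo_requests(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"]

def find_sweepers(lines, window=timedelta(seconds=10), min_targets=20):
    """Return {src: peak number of distinct destinations pinged within one
    window} for every source that reached min_targets. A host pinging many
    different neighbours within seconds is sweeping, not troubleshooting."""
    events = defaultdict(list)
    for ts, src, dst in parse_echo_requests(lines):
        events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    for src, n in find_sweepers(constructed_log()).items():
        print(f"suspected sweep from {src}: {n} hosts pinged within 10s")
```

On a real network the threshold should be set above the rate of legitimate monitoring tools, and the flagged host's open listening ports are the next thing to check.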

17 of 758 comments

  1. Re:They will never allow this to grow by stratjakt · · Score: 2, Informative

    Except that these "white" worms still eat up a shitload of bandwidth, and businesses and people still have to eat those costs.

    I remember way back in my hometown the cops got the brilliant idea to go through the parking lot trying to open car doors. When they'd find an unlocked car, they'd leave a little pamphlet on the driver's seat about why you should lock your doors.

    People were pissed, and rightly so. It doesn't matter if it's locked or not, no one has any right to open it up and go inside without your permission.

    It's not important what the worm's payload is. The writers of this should suffer the same punishment if caught as the writers of a DDoS worm.

    --
    I don't need no instructions to know how to rock!!!!
  2. Re:Speaking of which... by jmanning · · Score: 5, Informative

    This article might answer your question.
    Basically, No. Nothing happened.

  3. Re:Speaking of which... by Flabby+Boohoo · · Score: 4, Informative

    No, Microsoft killed the windowsupdate.com domain.

  4. Re:So cool! by KingDaveRa · · Score: 4, Informative

    Very true.

    But, notice that this worm self-uninstalls at a certain date. It's quite a way away, but even so. The fact it opens port 707 sounds a bit worrying though.

  5. I hope that this second virus never hit my client, by BlueYoshi · · Score: 2, Informative

    Two weeks ago, I received a call from one of my customers telling me that he had done nothing but our application was no longer working: he got a message that the server was unavailable or something like that.

    You know, when a customer says "I did nothing", he lies: not always intentionally, but he lies. In fact, by asking some questions, he told me that they had just used Microsoft Auto Update.

    Now the point: HotFix 823980 fixes the RPC overflow problem well, but makes it impossible to access a COM+ object that we need (in fact our server is a COM+ object). So if you fix the bug, our software doesn't run; if you don't...

    Are we the only company that has this problem? Are we the only ones using a COM+ object server instantiated on the client?

    --
    "Use cases are fairy tales..." I. S. 2005
  6. This happened to Linux first by DotWarner · · Score: 3, Informative

    The Cheese worm did this on compromised Linux systems a few years back. The antivirus industry, in accordance with Linux sysadmins everywhere, added detection for the worm. A virus is a virus, and any unauthorized access to a computer is a Bad Thing.

  7. Re:Pretty cool by Otter · · Score: 2, Informative
    Except that vaccines aren't contagious

    Nitpick: there are contagious vaccines, including the Sabin polio vaccine. That's a large part of why it's preferred to the old Salk vaccine, despite a higher rate of side effects, because 100% vaccination isn't necessary to give 100% coverage. (Also, oral vaccines are easier to administer and more likely to be accepted than are injected vaccines.)

  8. Re:Scanning my users by Anonymous Coward · · Score: 1, Informative

    He's probably using this.

  9. Re:I hope that this second virus never hit my clie by setik · · Score: 2, Informative

    Discreet, makers of 3dsmax, was also affected in a major way by this hot"fix"; more info can be found here:
    Discreet Info
    It's really a bummer for all those people who stay up to date to find that the .max files they have been making crash older unpatched Windows. I myself spent a day figuring this one out and getting everyone in my company up to speed.

  10. Re:Scanning my users by cptgrudge · · Score: 5, Informative
    If I would make a guess, it's most likely this. Pretty slick; it allows you to scan IP subnets.

    For those Windows sysadmins that don't know, you can use SUS (free from Microsoft) on a local server to distribute updates via Automatic Updates. The clients need to be configured, through Group Policy (or manually, if you wish), to use your server instead of Microsoft's, but it can scale quite easily to enterprise level.

    It needs IIS to run, but it runs the IIS Lockdown Tool at the same time.

    --
    Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  11. Re:If only I had the knowhow... by Anonymous Coward · · Score: 1, Informative

    It has been discussed before here on Slashdot - notably through the Code Red period. In the end, there was a lot of opposition against the vigilante justice style. It's also still illegal. I have to admit that I find the 'good' worms humorous, but I was sufficiently swayed by the anti-vigilante argument.

  12. They did by Overly+Critical+Guy · · Score: 2, Informative

    Governments need to sit up and take notice; this is serious stuff.

    The government warned people TWICE to install the patch last month.

    --
    "Sufferin' succotash."
  13. Re:So cool! by neomorph · · Score: 2, Informative

    Actually, there is. Dermatologists routinely prescribe oil-free diets as part of a program to reduce acne.

    I, too, thought it was a lot of baloney. But I went on a diet to lose some weight, and a nice side effect was that my complexion cleared up.

  14. Re:So cool! by Anonymous Coward · · Score: 1, Informative

    You'd be amazed. A friend of mine would always click 'no' to the windows update notices because someone had convinced her that that was how spyware got in. Oy.

  15. Re:that's cute by Romeozulu · · Score: 3, Informative

    >>Seems to me it's been years since anyone could get even close to root access by hacking Linux.

    About a year ago I installed RedHat 7.2. It was my first Linux install and after getting it up and running, I spent about an hour playing around with it before downloading all the patches (there were *a lot*). In that short time, a vulnerability in wu-ftp was exploited and my machine compromised.

    Call me stupid (and I'm sure you will), but for a "boxed, off the shelf" consumer product, that doesn't sound too secure to me. There might not be a lot of holes in the kernel, but there are quite a few in all the tools that ship with it.

    Granted, any expert would not have been caught by this, but if the goal is Linux in the home, this can't happen any more than it can in Windows.

    Ron

  16. Re:Coolness.... by NullAndVoid · · Score: 2, Informative

    Yeah, I'm really fucking enjoying being up all night trying to stop this wonderful worm from hosing the network so my company isn't shut down tomorrow. Whatever samaritan wrote it can go fuck himself.

    --
    Sigs are for losers
  17. Re:This could go on for a while... by ndogg · · Score: 2, Informative
    When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.

    RTFA has never been more relevant.
    --
    // file: mice.h
    #include "frickin_lasers.h"