RPC DCOM Cleanup Worm Appears
UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
This article might answer your question.
Basically, No. Nothing happened.
No, Microsoft killed the windowsupdate.com domain.
Very true.
But, notice that this worm self un-installs at a certain date. It's quite a way away, but even so. The fact it opens port 707 sounds a bit worrying though.
For those Windows sysadmins that don't know, you can use SUS (free from Microsoft) on a local server to distribute updates via Automatic Updates. The clients need to be configured, through Group Policy (or manually, if you wish), to use your server instead of Microsoft's, but it can scale quite easily to enterprise level.
It needs IIS to run, but it runs the IIS Lockdown Tool at the same time.
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium