RPC DCOM Worm On The Loose

Follow Slashdot blog updates by subscribing to our blog RSS feed

RPC DCOM Worm On The Loose 604

Posted by simoniker on Monday August 11, 2003 @04:58PM from the uh-oh-spaghettios dept.

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."

This discussion has been archived. No new comments can be posted.

RPC DCOM Worm On The Loose

Search 604 Comments Log In/Create an Account

Comments Filter:

Great (Score:5, Funny)

by mjmalone ( 677326 ) * writes: on Monday August 11, 2003 @04:58PM (#6669245) Homepage

The security team at my office has been scrambleing to secure all of our systems before such a worm was developed. I hope they are done!

Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?

Share
twitter facebook
Re:Great (Score:5, Funny)

by rylin ( 688457 ) writes: on Monday August 11, 2003 @05:00PM (#6669271)

I have a copy! You can fetch from 212.192.128.76:4444 ;)

Parent Share
twitter facebook
I have already patched my entire network. (Score:4, Funny)

by Znonymous Coward ( 615009 ) writes: on Monday August 11, 2003 @05:01PM (#6669274) Journal

It's called a firewall. It's proteced me from Nimda, Code Red, etc.

Share
twitter facebook
Balmer (Score:2, Funny)

by Anonymous Coward writes: on Monday August 11, 2003 @05:01PM (#6669279)

Developers developers developers..

erm...

security security security... erm ...

um...

somebody get me more cocain!

Share
twitter facebook
New title suggestion for this story (Score:4, Funny)

by Kappelmeister ( 464986 ) writes: on Monday August 11, 2003 @05:02PM (#6669289)

Developers: RPC DCOM Worm On The Loose

Shouldn't that be:

Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!: RPC DCOM Worm On The Loose

Share
twitter facebook
Re:Great (Score:3, Funny)

by Frymaster ( 171343 ) writes: on Monday August 11, 2003 @05:03PM (#6669299) Homepage Journal

in case the above gets slashdotted, the code is:
An error occured while loading http://212.192.128.76:4444: Could not connect to host 212.192.128.76 (port 4444)

Parent Share
twitter facebook
I saw it happen LIVE! (Score:5, Funny)

by __aaklbk2114 ( 220755 ) writes: on Monday August 11, 2003 @05:05PM (#6669322)

I was working on my parents compter (Windows XP) remotely today when this started happening. I was installing some new software for them and I had also just disabled that stupid Messenger service so they would stop getting those pop-up spam messages.

Anyhow, I had just finished that when XP said it was shutting down in 30 seconds. I was like, WTF!

Here I am thinking that I just screwed up their machine with the new apps somehow.

Thanks a bunch, Billy. Guess they'll be punting this one to Longhorn :)

Share
twitter facebook
Re:Great (Score:4, Funny)

by dieMSdie ( 24109 ) writes: on Monday August 11, 2003 @05:05PM (#6669324)

Sure!

Open all your ports and I'll see what I can do!

Parent Share
twitter facebook
go ME! (Score:5, Funny)

by StevenHallman76 ( 455545 ) writes: on Monday August 11, 2003 @05:06PM (#6669340)

Affected Software:

* Microsoft Windows NT(R) 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server(TM) 2003

Not Affected Software:

* Microsoft Windows Millennium Edition

finally! all these years of running Win ME have paid off! so long suckers!

Share
twitter facebook
OMG (Score:5, Funny)

by stephenry ( 648792 ) writes: on Monday August 11, 2003 @05:07PM (#6669352)

OMG! It's not a worm, ITS SKYNET! It's taking over! Make your time, judgement day is nigh!

Share
twitter facebook
Protection from the virus (Score:3, Funny)

by Anonymous Coward writes: on Monday August 11, 2003 @05:07PM (#6669354)

I've been digging around the web, and I can't seem to find out how to protect myself. I can't seem to find anything that prevents this virus from attacking my linux or as/400 servers. Help!

Share
twitter facebook
Re:I have already patched my entire network. (Score:5, Funny)

by Anonymous Coward writes: on Monday August 11, 2003 @05:08PM (#6669359)

It's called Linux. It's protected me from Nimda, Code Red, etc...

Parent Share
twitter facebook
Re:Effects (Score:3, Funny)

by PolyDwarf ( 156355 ) writes: on Monday August 11, 2003 @05:10PM (#6669386)

Diagnose their systems this very minute? Screw the systems, there's /. to read!!

Parent Share
twitter facebook
Re:I have already patched my entire network. (Score:5, Funny)

by bigjocker ( 113512 ) * writes: on Monday August 11, 2003 @05:14PM (#6669436) Homepage

I used this patch [mandrakelinux.com] instead in my whole network.

Parent Share
twitter facebook
Re:Balmer (Score:2, Funny)

by azzy ( 86427 ) writes: on Monday August 11, 2003 @05:15PM (#6669442) Journal

I think you need some e with that cocain

Parent Share
twitter facebook
Re:I have already patched my entire network. (Score:5, Funny)

by TheGreenLantern ( 537864 ) writes: <thegreenlntrn@yahoo.com> on Monday August 11, 2003 @05:16PM (#6669450) Homepage Journal

While I'm sure this is technically true, some of us are responsible for networks that are slightly more complicated than an XBox, an HP Pavilion downloading porn and bootlegs 24-7, and an old P2 running Suse in our parents basement.

Parent Share
twitter facebook
Re:Credit... (Score:3, Funny)

by Dom2 ( 838 ) writes: on Monday August 11, 2003 @05:16PM (#6669453) Homepage

Once again proving that they are doing little more than deriving from Unix:

There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.
-- Jeremy S. Anderson

From your local neighbourhood fortune cookie file.
-Dom

Parent Share
twitter facebook
I'm safe (Score:5, Funny)

by teamhasnoi ( 554944 ) * writes: <teamhasnoi@CURIE ... minus physicist> on Monday August 11, 2003 @05:16PM (#6669455) Journal

I've rolled a saving throw against remote infection and I have +3 Fireproof armor, however I am still vulnerable to hot wood elves.
You did say this was a RPG worm, right?

Share
twitter facebook
Re:go ME! (Score:5, Funny)

by Sneftel ( 15416 ) writes: on Monday August 11, 2003 @05:18PM (#6669473)

I'm afraid you stopped reading too soon. Here's the bit you missed:

Sucks big fat sweaty donkey balls:

* Microsoft Windows Millennium Edition

Parent Share
twitter facebook
WINE? (Score:2, Funny)

by Anonymous Coward writes: on Monday August 11, 2003 @05:19PM (#6669486)

Does anyone know if WINE supports this worm yet? I would like to test it out but I don't have Windows on my desktop.

Thanks.

Share
twitter facebook
Port Scan your computer/net (Score:2, Funny)

by k-hell ( 458178 ) writes: on Monday August 11, 2003 @05:33PM (#6669617)

I suggest you use GRC.com's excellent port scan feature if you got a Windows machine. It's called 'Shield's UP!' and is available here (scroll down a bit) [grc.com], and will scan your system's first 1052 ports.

Share
twitter facebook
Re:Credit... (Score:5, Funny)

by GnomeKing ( 564248 ) writes: on Monday August 11, 2003 @05:35PM (#6669642)

At least Microsoft was nice enough to credit LSD in the tech note.

Is that what they were taking when they wrote the code?

Parent Share
twitter facebook
Yawn.... (Score:3, Funny)

by dfn5 ( 524972 ) writes: on Monday August 11, 2003 @05:49PM (#6669764) Journal

They did this already last week on Stargate SG1 with that virus that spread from gate to gate and took down the whole network in 2+ hours. Can't these virus writers ever come up with something original?

Share
twitter facebook
Symantec (Score:2, Funny)

by Zilfondel2 ( 662431 ) writes: on Monday August 11, 2003 @06:13PM (#6670061)

We're currently got 112 windows Xp lusers in our queue looking at a 2 hour wait time to talk to us virus removal techs. "Sorry, no removal instructions, call tomorrow." hehe

Share
twitter facebook
Other changes needed (Score:1, Funny)

by accountant ( 451733 ) writes: on Monday August 11, 2003 @06:15PM (#6670083)

Is that the S word I see here?

http://www.microsoft.com/com/tech/DCOM.asp

Parent Share
twitter facebook
I got this one... (Score:1, Funny)

by UfoZ ( 680310 ) writes: on Monday August 11, 2003 @06:26PM (#6670185) Homepage

After manually updating my virus definitions and explicitly pointing NAV to the file, it still reckoned it's clean. Way to go, Norton. At least the MS patch seemed to work, although I've seen some people on IRC get repeatedly raped and always before they managed to download and install the patch. Sucks for them, I guess.

The worm, aptly named msblast.exe and happily sitting in my system32 folder, sending itsself to a bunch of random addresses (that happened to be in a reserved netblock and were timing out, go figure) was packed with UPX, after uncompressing and running strings on it here are some interesting finds:

msblast.exe I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!! windowsupdate.com start %s tftp -i %s GET %s %d.%d.%d.%d %i.%i.%i.%i windows auto update SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Fun, hah? Way to go you bloody wanker, you made my day. I hope SAN (your right hand) loves you too.

Share
twitter facebook
Re:go ME! (Score:2, Funny)

by Mista LovaLova ( 684581 ) writes: on Monday August 11, 2003 @06:35PM (#6670265)

Noooooooooooo!!!!! Now Corporate Execs will want to migrate all of our machines backward to WinME. They will probably think its newer since no one's heard of it!

Parent Share
twitter facebook
Re:users being hit hard (Score:5, Funny)

by TheRealFixer ( 552803 ) writes: on Monday August 11, 2003 @06:54PM (#6670491)

Yeah, except the stolen car doesn't take off by itself in the middle of the night and start hitting every other car it sees.

Parent Share
twitter facebook
Re:On the way? (Score:3, Funny)

by caluml ( 551744 ) writes: <slashdot&spamgoeshere,calum,org> on Monday August 11, 2003 @07:00PM (#6670552) Homepage

I don't think this is a troll. It's a valid comment. The moderator that modded this troll is probably a Windows admin who's just realised that s/he's been infected.

Parent Share
twitter facebook
Liar, liar, pants never on fire (Score:2, Funny)

by Platinum Dragon ( 34829 ) writes: on Monday August 11, 2003 @08:42PM (#6671347) Journal

Nice try, but that bit about having a girlfriend was Just Too Obvious.

Parent Share
twitter facebook
It's heeeerrreeee... (Score:2, Funny)

by AndroidCat ( 229562 ) writes: on Monday August 11, 2003 @08:45PM (#6671369) Homepage

I wondered what all the cruft in the logs for port 135 over the last few hours was. There had been a low volume of port 135 hits over the couple of weeks, when usually there are almost none. I glanced at the logs while having a coffee, and immediately thought "Gee I wonder what MS exploit is loose this time?"
*sigh*

Parent Share
twitter facebook
I'm not sure about removing it.... (Score:5, Funny)

by TheBoostedBrain ( 622439 ) writes: on Monday August 11, 2003 @09:56PM (#6671766) Homepage Journal

Trend Micro says [trendmicro.com] that this worm performs a DDoS to Windows Update Site, I'm not really sure about removing it...

Share
twitter facebook
Re:I have already patched my entire network. (Score:1, Funny)

by Anonymous Coward writes: on Tuesday August 12, 2003 @04:37AM (#6673392)

Good sir, I'm afraid you mistyped it as well. [openbsd.org]

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

RPC DCOM Worm On The Loose 604

RPC DCOM Worm On The Loose More Login

RPC DCOM Worm On The Loose

Great (Score:5, Funny)

Re:Great (Score:5, Funny)

I have already patched my entire network. (Score:4, Funny)

Balmer (Score:2, Funny)

New title suggestion for this story (Score:4, Funny)

Re:Great (Score:3, Funny)

I saw it happen LIVE! (Score:5, Funny)

Re:Great (Score:4, Funny)

go ME! (Score:5, Funny)

OMG (Score:5, Funny)

Protection from the virus (Score:3, Funny)

Re:I have already patched my entire network. (Score:5, Funny)

Re:Effects (Score:3, Funny)

Re:I have already patched my entire network. (Score:5, Funny)

Re:Balmer (Score:2, Funny)

Re:I have already patched my entire network. (Score:5, Funny)

Re:Credit... (Score:3, Funny)

I'm safe (Score:5, Funny)

Re:go ME! (Score:5, Funny)

WINE? (Score:2, Funny)

Port Scan your computer/net (Score:2, Funny)

Re:Credit... (Score:5, Funny)

Yawn.... (Score:3, Funny)

Symantec (Score:2, Funny)

Other changes needed (Score:1, Funny)

I got this one... (Score:1, Funny)

Re:go ME! (Score:2, Funny)

Re:users being hit hard (Score:5, Funny)

Re:On the way? (Score:3, Funny)

Liar, liar, pants never on fire (Score:2, Funny)

It's heeeerrreeee... (Score:2, Funny)

I'm not sure about removing it.... (Score:5, Funny)

Re:I have already patched my entire network. (Score:1, Funny)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot