[Snort-sigs] CYBERKIT [Full-Disclosure] [UPDATE] ping floods

Steve Postma spostma at ...723...
Mon Aug 18 10:47:04 EDT 2003


-----Original Message-----
From: benjurry [mailto:benjurry at ...1787...] 
Sent: Monday, August 18, 2003 1:09 PM
To: Sam Pointer; full-disclosure at ...1788...
Subject: Re: [Full-Disclosure] [UPDATE] ping floods

This worm was written with VC++ 6.0 and compressed by UPX. Its size is 10240 bytes.
The worm's aim is to remove msblast and patch the system, which it infects
through RPC DCOM and WebDAV.
When it gets into the system, it copies %systemroot%\system32\dllcache\tftpd.exe
to %systemroot%\system32\wins\svchost.exe, then creates a service named
RPCTftpd whose display name is "Network Connections Sharing".
Then it copies itself to %systemroot%\system32\wins\dllhost.exe and
creates a service named RpcPath.
3rd, the worm checks for the process "msblast" and removes it, then downloads
the patch from M$ according to the language version, and patches the system
with the parameters "-n -o -z -q".
Then it scans the subnet with ICMP packets filled with , whose type is "echo" and size
is 92 bytes, so there are large volumes of ICMP traffic in the network. When the
worm finds a host, it tries to infect it with RPC DCOM and WebDAV. If successful,
it listens on a TCP port less than 1000 to send the file. If the year is
2004, it removes itself. So the easiest way to remove it is to adjust your
time.

It seems it is a "good" worm to clean msblast :)


benjurry
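The 92-byte ICMP echo sweep described above is the observable a network defender can key on. The following is an added example, not code from the post or from any analysis it cites: it parses raw IPv4/ICMP packets and reports sources that send 92-byte echo requests to many distinct hosts. It assumes that "size is 92 bytes" refers to the IP total length (20-byte IP header + 8-byte ICMP header + 64 bytes of data); the packets, addresses and the threshold of 8 targets are constructed for the demonstration.

```python
import ipaddress
import struct
from collections import defaultdict

WORM_ECHO_TOTAL_LEN = 92   # assumption: the 92 bytes from the post is the IP total length
ICMP_ECHO_REQUEST = 8

def make_echo_packet(src, dst, payload_len, icmp_type=ICMP_ECHO_REQUEST):
    """Build a minimal IPv4 + ICMP packet (constructed test input; checksums left zero)."""
    payload = bytes(payload_len)
    total_len = 20 + 8 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    return ip_hdr + icmp_hdr + payload

def parse_packet(raw):
    """Return (src, dst, ip_total_len, icmp_type), or None if the packet is not ICMP."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", raw[2:4])[0], raw[9]
    if proto != 1 or len(raw) < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    return src, dst, total_len, raw[ihl]

def find_echo_sweeps(packets, min_targets=8):
    """Sources that sent 92-byte echo requests to at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, dst, total_len, icmp_type = parsed
        if icmp_type == ICMP_ECHO_REQUEST and total_len == WORM_ECHO_TOTAL_LEN:
            targets[src].add(dst)
    return {s: sorted(d, key=ipaddress.IPv4Address)
            for s, d in targets.items() if len(d) >= min_targets}

# Constructed sample traffic: one sweeping host, one ordinary ping, one host below threshold.
SAMPLE = (
    [make_echo_packet("10.0.0.5", f"10.0.0.{i}", 64) for i in range(1, 21)]   # 92-byte sweep
    + [make_echo_packet("10.0.0.7", "10.0.0.1", 32)]                           # 60-byte ping
    + [make_echo_packet("10.0.0.9", f"10.0.0.{i}", 64) for i in (1, 2)]        # only 2 targets
)

if __name__ == "__main__":
    for src, dsts in find_echo_sweeps(SAMPLE).items():
        print(f"{src}: swept {len(dsts)} hosts with 92-byte echo requests")
```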

----- Original Message ----- 
From: "Sam Pointer" <sam.pointer at ...1789...>
To: "'Abraham, Antony (Cognizant)'" <Antony at ...1790...>;
<B3r3n at ...1791...>; <full-disclosure at ...1788...>
Sent: Tuesday, August 19, 2003 12:15 AM
Subject: RE: [Full-Disclosure] [UPDATE] ping floods


> Antony Abraham wrote:
> >
> >http://vil.nai.com/vil/content/v_100559.htm 
> >
> >New RPC worm which will generate lot of ICMP traffic.
> 
> Well I guess it would appear from this portion of NAI's analysis that
> someone was listening to the thread on this list about writing an
> anti-blaster worm:
> 
> "The worm carries links to various patches for the MS03-026 vulnerability:
> ...
> The worm attempts to download and install one of these patches on the victim
> machine."
> 
> 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html