RPC DCOM Worm Hits the Net

RPC DCOM Worm Hits the Net
Kevin Poulsen, SecurityFocus 2003-08-11

A malicious worm that exploits last month's RPC DCOM vulnerability struck the Internet Monday afternoon, targeting unpatched Windows 2000 and Windows XP machines.

Expand all | Post comment

RPC DCOM Worm Hits the Net 2003-08-11
Manu (4 replies)

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous (3 replies)

RPC DCOM Worm Hits the Net 2003-08-12
Christopher Canova (2 replies)

RPC DCOM Worm Hits the Net 2003-08-13
Tim Watkins (1 replies)

RPC DCOM Worm Hits the Net 2003-08-13
Anonymous

RPC DCOM Worm Hits the Net 2003-08-13
BroadBand Man

RPC DCOM Worm Hits the Net 2003-08-12
Jean Debogue (1 replies)

You were warned and chose not to act. 2003-08-13
You_people_are_KILLING_me

RPC DCOM Worm Hits the Net 2003-08-13
bogaboga

RPC DCOM Worm Hits the Net 2003-08-12
Tasawar Jalali

RPC DCOM Worm Hits the Net 2003-08-13
Anonymous

RPC DCOM Worm Hits the Net 2003-08-13
gpnuke

RPC DCOM Worm Hits the Net 2003-08-11
Conrad Longmore

msblast.exe available 2003-08-11
Chris McNab

RPC DCOM Worm Hits the Net 2003-08-12
moonface (1 replies)

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous (1 replies)

RPC DCOM Worm Hits the Net 2003-08-12
Scott Miller <smiller (at) secureadmin (dot) ca [email concealed]>

RPC DCOM Worm Hits the Net 2003-08-12
Nrik (1 replies)

RPC DCOM Worm Hits the Net 2003-08-12
Scott Miller <smiller (at) secureadmin (dot) ca [email concealed]> (1 replies)

RPC DCOM Worm Hits the Net 2003-08-13
Nrik

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

RPC DCOM Worm Hits the Net 2003-08-12
KGB (1 replies)

RPC DCOM Worm Hits the Net 2003-08-12
Vegomatic

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

RPC DCOM Worm Hits the Net 2003-08-12
mike (at) thompsonmike.co (dot) uk [email concealed]

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (8 replies)

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (7 replies)

who is what? 2003-08-12
Anonymous

Took down our NT Network (500 Plus users) 2003-08-12
SynDr0m (3 replies)

Took down our NT Network (500 Plus users) 2003-08-13
Mikeonline

Took down our NT Network (500 Plus users) 2003-08-14
Anonymous

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (3 replies)

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (1 replies)

Took down our NT Network (500 Plus users) 2003-08-13
Anonymous

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (1 replies)

Took down our NT Network (500 Plus users) 2003-08-14
Anonymous

Reading sec forums 2003-08-13
Anonymous (1 replies)

Reading sec forums 2003-08-15
Jagdwulfe

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (2 replies)

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous

Took down our NT Network (500 Plus users) 2003-08-13
A clueful IT guy in Canada

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (1 replies)

Windows Update is FREAKING AUTOMATIC! 2003-08-12
Anonymous (6 replies)

Windows Update is FREAKING AUTOMATIC! 2003-08-12
Big Guys (2 replies)

Windows Update is FREAKING AUTOMATIC! 2003-08-12
Anonymous (1 replies)

Windows Update is FREAKING AUTOMATIC! 2003-08-13
Anonymous (1 replies)

Windows Update is FREAKING AUTOMATIC! 2003-08-14
Anonymous

Windows Update is FREAKING AUTOMATIC! 2003-08-13
Anonymous

...on a frigging server? Are you NUTS!? 2003-08-12
Penguinisto (1 replies)

...on a frigging server? Are you NUTS!? 2003-08-13
Fortune_50_IT_Manager

Windows Update is FREAKING AUTOMATIC! 2003-08-12
AnotherAnonymous

Windows Update is FREAKING AUTOMATIC! 2003-08-13
Anonymous

Windows Update is FREAKING AUTOMATIC! 2003-08-13
HardKnox (1 replies)

Windows Update is FREAKING AUTOMATIC! 2003-08-14
Anonymous

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (1 replies)

Took down our NT Network (500 Plus users) 2003-08-13
Anonymous

Took down our NT Network (500 Plus users) 2003-08-14
Anonymous

to little to late 2003-08-12
Anonymous (2 replies)

to little to late 2003-08-12
Scott Miller <smiller (at) secureadmin (dot) ca [email concealed]>

500 users went home early, yet we paid them. MS SUCKS! 2003-08-12
Anonymous (1 replies)

500 users went home early, yet we paid them. MS SUCKS! 2003-08-13
Anonymous

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (2 replies)

Took down our NT Network (500 Plus users) 2003-08-13
Anonymous (1 replies)

Took down our NT Network (500 Plus users) 2003-08-13
Anonymous

Huh?! 2003-08-12
BLKMGK (1 replies)

Huh?! 2003-08-13
vapour

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (1 replies)

Took down our NT Network (500 Plus users) 2003-08-13
whatever

Took down our NT Network (500 Plus users) 2003-08-12
Anonymous (1 replies)

Took down our NT Network (500 Plus users) 2003-08-13
Anonymous

Why did you have port 135 open 2003-08-13
Anonymous (1 replies)

Why did you have port 135 open 2003-08-14
Anonymous

RPC DCOM Worm Hits the Net 2003-08-12
Federico Lucifredi (2 replies)

RPC DCOM Worm Hits the Net 2003-08-12
Cipherz (1 replies)

RPC DCOM Worm Hits the Net 2003-08-12
RpR

need to follow removal directions to a 't' 2003-08-12
g00s (1 replies)

need to follow removal directions to a 't' 2003-08-13
Sunfire070

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

RPC DCOM Worm Hits the Net 2003-08-12
Wichita_KS_NETOPS (2 replies)

RPC DCOM Worm Hits the Net 2003-08-12
obyteme

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

RPC DCOM Worm Hits the Net 2003-08-12
Chris S (1 replies)

Single IP? 2003-08-12
BLKMGK

RPC DCOM Worm cleanup details 2003-08-12
Barry Irwin <bvi (at) moria (dot) org [email concealed]>

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

RPC DCOM Worm Hits the Net 2003-08-12
Sunfire070

What is the UPX file name transferred via TFTP ? 2003-08-12
Ziv

RPC DCOM Worm Hits the Net 2003-08-12
Ziv

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

I patched 2003-08-12
Anonymous

RPC DCOM Worm Hits the Net 2003-08-12
kl3675

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

RPC DCOM Worm Hits the Net 2003-08-12
HardKnox

RPC DCOM Worm Hits the Net 2003-08-12
apsu_of_freshwater

RPC DCOM Worm Hits the Net 2003-08-12
Jeff Serino (1 replies)

RPC DCOM Worm Hits the Net 2003-08-12
Federico Lucifredi (1 replies)

RPC DCOM Worm Hits the Net 2003-08-13
HardKnox

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

Anyone identified initial infection vector? 2003-08-12
Anonymous (1 replies)

Anyone identified initial infection vector? 2003-08-12
Chris S (2 replies)

That should be obvious to all these "IT" guys. 2003-08-13
You_people_are_KILLING_me (1 replies)

That should be obvious to all these "IT" guys. 2003-08-14
Anonymous

portable users 2003-08-14
Scott Miller <smiller (at) secureadmin (dot) ca [email concealed]>

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

Mixed Results (Utah) 2003-08-12
Penguinisto

Open letter to Bill Gates........ 2003-08-12
Anonymous (1 replies)

Open letter to Bill Gates........ 2003-08-12
Anonymous (3 replies)

Open letter to Bill Gates........ 2003-08-12
Anonymous

Open letter to Bill Gates........ 2003-08-12
Anonymous (2 replies)

Open letter to Bill Gates........ 2003-08-13
Fortune_50_IT_Manager

Managing Your Security Profile 2003-08-13
Anonymous

Open letter to Bill Gates........ 2003-08-13
Anonymous

RPC DCOM Worm Hits the Net 2003-08-12
AnonymousAdmin (1 replies)

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous (2 replies)

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous (1 replies)

RPC DCOM Worm Hits the Net 2003-08-13
A clueful IT guy in Canada (2 replies)

RPC DCOM Worm Hits the Net 2003-08-13
Fortune_50_IT_Manager

RPC DCOM Worm Hits the Net 2003-08-13
apsu_of_freshwater

RPC DCOM Worm Hits the Net 2003-08-13
AnonymousAdmin (1 replies)

What if the ratios were reversed? 2003-08-14
Fortune_50_IT_Manager

RPC DCOM Worm Hits the Net 2003-08-12
Anonymous

RPC DCOM Worm 2003-08-12
B

RPC DCOM Worm Hits the Net - RPC in final stages of installation 2003-08-13
Sunfire070

RPC DCOM Worm Hits the Net 2003-08-13
Anonymous (1 replies)

RPC DCOM Worm Hits the Net 2003-08-13
AnonymousAdmin

RPC DCOM Worm Hits the Net 2003-08-13
Scott Moreau <smoreau (at) secureadmin (dot) ca [email concealed]>

A what? 2003-08-13
Anonymous

National Security 2003-08-13
Duke Nukem

RPC DCOM Worm Hits the Net 2003-08-13
Anonymous

SVCHOST.EXE "crash" 2003-08-13
Anonymous

RPC DCOM Worm Hits the Net 2003-08-13
Anonymous

New Dell XP laptop was not installed with patch! 2003-08-13
Anti-Dell customer (1 replies)

New Dell XP laptop was not installed with patch! 2003-08-15
Some people, really!

RPC DCOM Worm Hits the Net 2003-08-13
Anonymous

RPC DCOM Worm Hits the Net 2003-08-14
ButtCovered

Hi

does anyone know how the Denial of service component works. ie does it grab the ip address from DNS and then blast away on port 80 or what ? (This is the MSBlast worm Im talking about)

Id like to try and protect the internal network as much as poss, where infected to hell becuase the admins havent patched and I want to mitigate the damage it could do to the internal network.

Only solution I can think of is to poison our DNS entries and point all quries to update.com to the loopback - should protect the internal site links, but means no one will get to the update site until we reenable it.

yours sincerely

Beleagured network guy

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/6689/21422#21422

RPC DCOM Worm Hits the Net 2003-08-14
Anonymous

RPC DCOM Worm - treat it as a vaccin 2003-08-14
ultravioletu

RPC DCOM Worm Hits the Net - but without any executeable 2003-08-14
Anonymous (Lost user) that needs opinion (1 replies)

RPC DCOM Worm Hits the Net - but without any executeable 2003-08-14
Anonymous

BIG Providers Decided to Turn Off Ports 2003-08-14
Scott Moulton

Through a firewall?? 2003-08-14
KyleTek

Anti-virus prevention is not segregated to patches 2003-08-15
Canada (1 replies)

Anti-virus prevention is not segregated to patches 2003-08-15
Anonymous