2003-11-24
Microsoft deserves praise for offering a cash reward to catch people who criminally exploit their bugs.
Hats Off To Mullen, 2003-11-24, MULLET HEAD (1 reply)
Hats Off To Mullen, 2003-11-25, Anonymous (2 replies)
Hi, Sweetheart!, 2003-11-25, Penguinisto (1 reply)
Busting the Worm Writers, 2003-11-24, Anonymous (1 reply)
Life... anyone!?, 2003-11-25, Anonymous (3 replies)
How old is Mullen?, 2003-11-27 (1 reply)

Please.
I am still a conspiracy theorist on this one, I think Microsoft released this worm to the wild.
Take a hard look at it. This exploit gave *full admin access* to *any* NT4, W2K, or XP machine connected to the internet without a decent firewall. You could delete user accounts, rename user accounts, delete files, you name it - you could do it with this exploit.
Imagine what would happen if a worm was released that used an RNG to change the administrator account name and password on 500,000 Windows machines.
Imagine what would happen if a worm was released that deleted *.doc, *.xls, *.mdb, and *.txt from every location imaginable. Or hell, how about %systemroot%\*.*?
This exploit could have been a disaster to Microsoft, and they knew it...so they fixed it.
How do you cover up such a thing? Why, attack yourself! Yes! We'll make a time-delayed DDoS on "windowsupdate.com", it will get a few days of strong publicity, and all we'll have to do is remove a DNS record!
Either MS released this, or a 12-year-old did. Someone who was serious about this would have done more than a crappy attempt at a DDoS on windowsupdate.com. Yes, they broke the RPC service on XP boxes...but since that wasn't intentional, it doesn't count. I'm still curious why the RPC service is set to reboot the computer on failure instead of just restarting the service. But hey, whatever.
Link to this comment: http://www.securityfocus.com/comments/columns/199/23839#23839