RPC DCOM Worm Hits the Net
Kevin Poulsen, SecurityFocus 2003-08-11

A malicious worm that exploits last month's RPC DCOM vulnerability struck the Internet Monday afternoon, targeting unpatched Windows 2000 and Windows XP machines.

The worm, dubbed "Blaster" and "LovSan" by security and anti-virus companies, attacks vulnerable machines over TCP port 135, then spawns a shell and initiates a TFTP file transfer to retrieve the worm's code.

The worm apparently has no malicious payload, but is reportedly crashing some PCs as it attempts to infect them. Additionally, according to an analysis from Symantec's DeepSight Threat Management System, the malware is programmed to launch a denial of service attack against Microsoft's windowsupdate.com site on August 16th. [Symantec publishes SecurityFocus.]

The SANS Institute's Internet Storm Center describes the worm as an 11,000 byte executable named msblast.exe. It arrives UPX-compressed to about 6,000 bytes, then unpacks itself and begins scanning IP addresses sequentially for vulnerable machines.
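The behaviour described above (connections to TCP port 135 across sequential addresses, followed by a TFTP transfer initiated by the newly infected machine) can be looked for in flow logs. The following is an added example, not code from the article or from SANS or Symantec; the four-field record format, the function names, the sample records and the `min_run` threshold are all assumptions made for illustration.

```python
import ipaddress

# Constructed flow records (not real traffic), in time order: "src dst proto dport"
SAMPLE_FLOWS = """\
10.0.0.9 10.0.2.10 tcp 135
10.0.0.5 10.0.1.1 tcp 135
10.0.0.5 10.0.1.2 tcp 135
10.0.0.5 10.0.1.3 tcp 135
10.0.1.3 10.0.0.5 udp 69
10.0.0.5 10.0.1.4 tcp 135
10.0.0.5 10.0.1.5 tcp 135
10.0.0.5 10.0.1.6 tcp 135
10.0.0.9 10.0.2.40 tcp 135
10.0.0.20 10.0.9.9 udp 69
"""

def longest_run(addrs):
    """Longest run of numerically consecutive IPv4 addresses in addrs."""
    nums = sorted(int(ipaddress.IPv4Address(a)) for a in set(addrs))
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def analyze(flow_text, min_run=5):
    """Return (scanners, pullbacks) from time-ordered flow records.

    scanners:  {src: run length} for hosts that contacted at least min_run
               consecutive addresses on tcp/135 (min_run is an assumed threshold).
    pullbacks: (host, prober) pairs where a host opened TFTP (udp/69) back
               to a machine that had already contacted it on tcp/135.
    """
    probed = {}     # src -> set of destinations contacted on tcp/135
    pullbacks = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        src, dst, proto, dport = fields
        if (proto, dport) == ("tcp", "135"):
            probed.setdefault(src, set()).add(dst)
        elif (proto, dport) == ("udp", "69") and src in probed.get(dst, ()):
            pullbacks.append((src, dst))
    runs = {src: longest_run(dsts) for src, dsts in probed.items()}
    scanners = {src: n for src, n in runs.items() if n >= min_run}
    return scanners, pullbacks

if __name__ == "__main__":
    print(analyze(SAMPLE_FLOWS))
```

In the constructed sample, the host making ordinary RPC connections to two servers and the host making an unrelated TFTP request are not flagged; only the sequential prober and the machine that pulled a file back from it are reported.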

A comment hidden in the code reads, "billy gates why do you make this possible ? Stop making money and fix your software!!," according to SANS and Symantec.

The security community has generally expected a worm since Microsoft announced a critical hole in RPC and released a patch on July 16th. Public and private exploit programs have already led to mass compromises of PCs at universities like U.C. Berkeley and Stanford, and, reportedly, at some sizable corporations. Some ISPs have already blocked port 135 and the other vulnerable ports.

Copyright 2010, SecurityFocus