For those who have not read /. Yet http://isc.sans.org/diary.html?date=2003-08-11

For those who cant read the link Here is a cut and paste

This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At

When I heard about this virus yesterday morning, I was thinking... Couldn't you forward the tftp server ip addresses to a server on your network (for a big ISP) and replace the file that the virus is trying to download with a fix to it, thus patching the user instead of effecting them? Barry ----- Original Message ----- From: "Kevin Stewart" To: Sent: Tuesday, August 12, 2003 9:26 AM Subject: [nznog] RPC DCOM Worm On The Loose this point, it is spreading rapidly.

********** NOTE: PRELIMINARY. Do not base your incidents response solely on this

writeup. **********

Increase in port 135 activity:

http://isc.sans.org/images/port135percent.png

Latest update: The worm may launch a syn flood against windowsupdate.com

on the 16th. (unconfirmed)

The worm uses the RPC DCOM vulnerability to propagate. One it finds a

use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:

MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

So far we found the following properties:

- Scans sequentially for machines with open port 135, starting at a

- uses multiple TFTP servers to pull the binary - adds a registry key to start itself after reboot

Name of registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

Strings of interest:

msblast.exe I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!! windowsupdate.com start %s tftp -i %s GET %s %d.%d.%d.%d %i.%i.%i.%i BILLY windows auto update SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Existing RPC DCOM snort signatures will detect this worm. The worm is

vulnerable system, it will spawn a shell on port 4444 and presumably random IP address based on dcom.c

known tftp servers for this worm:

204.210.57.87 217.211.179.193 24.147.64.171 24.147.64.205 24.147.64.208 24.147.65.146 24.147.65.45 24.147.65.9 61.254.65.159 67.119.36.219 68.112.65.38 68.166.102.136 68.166.107.21 68.166.111.175 68.166.120.34 68.166.121.135 68.166.123.4 68.166.124.186 68.166.124.93 68.166.139.155 68.166.139.210 68.166.141.66 68.166.142.194 68.166.142.215 68.166.36.178 68.166.56.123 68.166.60.51 68.166.98.3

_______________________________________________ Nznog mailing list Nznog(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

On Wed, 2003-08-13 at 19:07, Barry Murphy wrote:

When I heard about this virus yesterday morning, I was thinking...

Couldn't you forward the tftp server ip addresses to a server on your network (for a big ISP) and replace the file that the virus is trying to download with a fix to it, thus patching the user instead of effecting them?

Good try but no cigar! The worm actually get's its body from the machine that infected it, not from a fixed server. The worm got into our network (I'm guessing it came in on someone's laptop that got infected at home) and spread to a large number of machines with *no* tftp session off campus. We have long blocked tftp at the boarder. -- Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.