North American Network Operators Group

RE: RPC errors

http://vil.nai.com/vil/content/v_100547.htm

-BM

-----Original Message-----
From: Chris Reining [mailto:[email protected]]
Sent: Monday, August 11, 2003 5:36 PM
To: Sean Donelan
Cc: Jack Bates; NANOG
Subject: Re: RPC errors

On Mon, Aug 11, 2003 at 04:17:53PM -0400, Sean Donelan wrote:
> On Mon, 11 Aug 2003, Jack Bates wrote:
> > I'm showing signs of an RPC sweep across one of my networks that's
> > killing some XP machines (only XP confirmed). How widespread is
> > this at this time? Also, does anyone know if this is just generating
> > a DOS symptom or if I should be looking for backdoors in these
> > client systems?
>
> http://isc.sans.org/diary.html?date=2003-08-11
> The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
> vulnerable system, it will spawn a shell and use it to download the
> actual worm via tftp.
>
> The name of the binary is msblast.exe. It is packed with UPX and will
> self extract. The size of the binary is about 11kByte unpacked, and
> 6kBytes packed:

I have a copy of this worm at http://www.packetfu.org/malware/msblast.zip