Discussion in 'malware problems & news' started by FanJ, Aug 11, 2003.

Thread Status:
Not open for further replies.
    FanJ (Guest):

    See also the following threads:

    RPC DCOM Exploit - Widespread use...

    Outbreaks of RPC vulnerable systems


    From TrendMicro:

    Dear Trend Micro customer,

    TrendLabs has received several infection reports of this new worm named WORM_MSBLAST.A which exploits the RPC DCOM BUFFER OVERFLOW, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

    This worm has been observed to continuously scan and send data to vulnerable systems in the network using port 135. When the system date is August 15, it performs a Distributed Denial Of Service attack against windowsupdate.com.

    As of 1:54 PM, US Pacific Time, Trend has declared a yellow alert to control the spread of this malware.

    TrendLabs HQ will be releasing the following EPS deliverables within the next few minutes:

    - Official Pattern Release 604
    - TMCM Outbreak Prevention Policy 43
    - Damage Cleanup Template 143


    For more information on WORM_MSBLAST.A, please visit our Web site at:


    From Sophos:


    Aliases :
    W32/Lovsan.worm, W32.Blaster.Worm, WORM_MSBLAST.A

    Type : Win32 worm

    W32/Blaster-A is a worm that scans networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit.

    On finding a suitable victim, the worm causes the remote machine to acquire a copy of the worm using TFTP.

    Additionally the worm creates the following registry entry so as to run on system start:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update

    After August 15 the worm will launch a distributed denial-of-service attack on windowsupdate.com

    Microsoft has issued a patch for the vulnerability exploited by this Trojan. The patch is available from http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
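    An added detection example (not from this post nor from the Trend Micro and Sophos advisories it quotes): given firewall connection logs, it flags hosts that sweep many neighbours on TCP/135 within a short window, the scanning behaviour both advisories describe, and then correlates a follow-up TFTP transfer (UDP/69, TFTP's standard port) back to the flagged host. The log format and the IP addresses are constructed for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed firewall log lines (not real traffic): 'ts src dst proto dport'."""
    base = datetime(2003, 8, 11, 14, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    # a worm-like host sweeping 30 neighbours on TCP/135 within half a minute
    lines = [f"{stamp(i)} 10.0.0.7 10.0.1.{i + 1} TCP 135" for i in range(30)]
    # one swept host then fetching a file back from the sweeper over TFTP (UDP/69)
    lines.append(f"{stamp(35)} 10.0.1.3 10.0.0.7 UDP 69")
    # a legitimate workstation talking repeatedly to a single domain controller on TCP/135
    lines += [f"{stamp(10 * i)} 10.0.0.5 10.0.0.2 TCP 135" for i in range(5)]
    return lines

def parse_event(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport)}

def find_rpc_scanners(events, min_targets=20, window_s=60):
    """Sources reaching >= min_targets distinct hosts on TCP/135 inside any window_s-second window.
    Returns {src: peak distinct targets}; a host using one RPC endpoint repeatedly is not flagged."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, hits in by_src.items():
        window, targets = deque(), Counter()   # sliding window and distinct-target counts in it
        for ts, dst in sorted(hits):
            window.append((ts, dst))
            targets[dst] += 1
            while (ts - window[0][0]).total_seconds() > window_s:   # evict events older than the window
                old_ts, old_dst = window.popleft()
                targets[old_dst] -= 1
                if targets[old_dst] == 0:
                    del targets[old_dst]
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

def tftp_followups(events, scanners):
    """(victim, scanner) pairs where a host opened UDP/69 back to a flagged scanner,
    i.e. the TFTP fetch the advisories describe, which strengthens the scan verdict."""
    return sorted((ev["src"], ev["dst"]) for ev in events
                  if ev["proto"] == "UDP" and ev["dport"] == 69 and ev["dst"] in scanners)
```

On the constructed log, only 10.0.0.7 is flagged (30 distinct targets), and 10.0.1.3's TFTP request back to it is reported as a follow-up.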
