RPC errors
Brennan_Murphy at NAI.com
Brennan_Murphy at NAI.com
Mon Aug 11 21:46:42 UTC 2003
http://vil.nai.com/vil/content/v_100547.htm
-BM
-----Original Message-----
From: Chris Reining [mailto:creining at packetfu.org]
Sent: Monday, August 11, 2003 5:36 PM
To: Sean Donelan
Cc: Jack Bates; NANOG
Subject: Re: RPC errors
On Mon, Aug 11, 2003 at 04:17:53PM -0400, Sean Donelan wrote:
> On Mon, 11 Aug 2003, Jack Bates wrote:
> > I'm showing signs of an RPC sweep across one of my networks that's
> > killing some XP machines (only XP confirmed). How wide spread is
> > this at this time. Also, does anyone know if this is just generating
> > a DOS symptom or if I should be looking for backdoors in these
> > client systems?
>
> http://isc.sans.org/diary.html?date=2003-08-11
> The worm uses the RPC DCOM vulnerability to propagate. One it finds a
> vulnerable system, it will spawn a shell and use it to download the
> actual worm via tftp.
>
> The name of the binary is msblast.exe. It is packed with UPX and will
> self extract. The size of the binary is about 11kByte unpacked, and
> 6kBytes
> packed:
I have a copy of this worm at
http://www.packetfu.org/malware/msblast.zip
More information about the NANOG
mailing list