FW: What the heck is this msblast.exe

Drew Weaver drew.weaver at thenap.com
Tue Aug 12 14:10:08 UTC 2003




The real injustice is the 15k program someone sent to sec-focus that you
type in an IP address and it returns a command prompt on the target machine
(eek).

-Drew


-----Original Message-----
From: Rod Trent [mailto:rodtrent at yahoo.com] 
Sent: Monday, August 11, 2003 6:45 PM
To: Lee_Fisher at NAI.com; morris_minchu at iwon.com; focus-ms at securityfocus.com
Subject: RE: What the heck is this msblast.exe

Medium????  That's an irresponsible rating, considering that both MS and the
Department of Homeland Security have listed the vulnerability as critical. 

-----Original Message-----
From: Lee_Fisher at NAI.com [mailto:Lee_Fisher at NAI.com] 
Sent: Monday, August 11, 2003 6:27 PM
To: morris_minchu at iwon.com; focus-ms at securityfocus.com
Subject: RE: What the heck is this msblast.exe

From your description I would imagine it to be the Blaster (we called it
W32/Lovsan.worm).

Many posts on forums - We list it as a Medium On Watch alert - other AV orgs
have a similar classification.

http://vil.nai.com/vil/content/v_100547.htm

Lee Fisher
Solutions Architect
McAfee Product Management

-----Original Message-----
From: Minchu Mo
To: focus-ms at securityfocus.com
Sent: 11/08/03 15:00
Subject: What the heck is this msblast.exe



The code resides in c:\winnt\system32.

It somehow changed my registry and pretends to be Windows autoupdate in
\Localsystem\software\microsoft\window\run, so it can run when I boot the
machine.  Now it is sending out packets to random(?) IPs' endpoint port.

---------------------------------------------------------------------------
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web application
security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
---------------------------------------------------------------------------


More information about the NANOG mailing list