[Full-Disclosure] Windows Dcom Worm Killer
- To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
- Subject: [Full-Disclosure] Windows Dcom Worm Killer
- From: w g <xillwillx@yahoo.com>
- Date: Tue, 12 Aug 2003 23:19:28 -0700 (PDT)
1.6 kb assembly program to kill and remove the dcom worm

http://illmob.org/files/dcomkiller.zip

DETAILS:

 DCOM worm killer (W32.Blaster.Worm)
 Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
 WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]

 Coded in MASM by:
 illwill
 xillwillx@yahoo.com
 www.illmob.org

 8/13/2003
 This program is a tool to remove the malicious worm that spreads through exploiting the DCOM RPC vulnerability using TCP port 135.
 This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
 Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444,
 allowing an attacker to issue remote commands on the infected system.
 This tool was made to automate the process of removing the worm from memory and all files related to it.
-------------------------------------------------------------------------
 Directions:
 1. Execute the file called DCOMKill.exe
    This will automatically kill the worm's process
    running in memory and remove the registry startup method
    and then it will erase any files left by the worm.

 2. All done :) ... next step
    W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026,
    and a patch is available there. You must download and install the patch. Also buy an antivirus and keep it
    updated weekly. Also I'd suggest getting a firewall to protect from any outside intruders.
-------------------------------------------------------------------------
Tech Info:
Startup registry key-
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 "windows auto update"="msblast.exe"

Dropped files-
 Windows system directory (c:\windows\system32 c:\winnt\system32)
 msblast.exe

Note:
If you are running Windows XP, it is recommended that you temporarily turn off System Restore. Windows XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Source:
available upon request.
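The post's removal procedure (kill the process in memory, remove the Run value, delete the dropped msblast.exe, and confirm the TCP 4444 shell is gone) as an added PowerShell example. This is not illwill's DCOMKill.exe and not code from the post; it is a re-implementation of the same steps for a current Windows host, to be run from an elevated prompt. The indicator values (process name, Run key and value name, file paths, port 4444) are the ones the post lists; the function names and variable names are this script's own assumptions.

```powershell
# Added example, not DCOMKill.exe: the post's three removal steps plus the
# TCP 4444 check, as a PowerShell script for a modern Windows host.
# Indicator values are those listed in the post; names here are assumptions.

$WormProcess = 'msblast'                                          # process name without .exe
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'windows auto update'                              # Run value name the worm uses
$DropPaths   = @(
    (Join-Path $env:SystemRoot 'system32\msblast.exe'),           # %WinDir%\system32
    'C:\WINDOWS\system32\msblast.exe',                            # the two directories the post names
    'C:\WINNT\system32\msblast.exe'
) | Select-Object -Unique

function Stop-WormProcess {
    # Step 1: kill the worm in memory first, otherwise the file stays locked.
    $procs = Get-Process -Name $WormProcess -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Host "No $WormProcess.exe process running"; return }
    foreach ($p in $procs) {
        Write-Host ("Killing {0}.exe (PID {1}) {2}" -f $p.ProcessName, $p.Id, $p.Path)
        Stop-Process -Id $p.Id -Force
    }
}

function Remove-WormRunValue {
    # Step 2: remove the startup entry, but only when it really launches
    # msblast.exe; a same-named value pointing elsewhere is reported, not deleted.
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.PSObject.Properties[$RunValue]) {
        Write-Host "Run value '$RunValue' not present"; return
    }
    $data = [string]$props.$RunValue
    if ($data -match '(?i)msblast\.exe') {
        Remove-ItemProperty -Path $RunKey -Name $RunValue
        Write-Host "Removed Run value '$RunValue' = '$data'"
    } else {
        Write-Warning "Run value '$RunValue' = '$data' does not reference msblast.exe; left in place"
    }
}

function Remove-WormFile {
    # Step 3: delete the dropped binary. -Force is needed in case the file
    # carries the hidden or read-only attribute.
    foreach ($path in $DropPaths) {
        if (Test-Path -LiteralPath $path) {
            Remove-Item -LiteralPath $path -Force
            Write-Host "Deleted $path"
        }
    }
}

function Test-BackdoorPort {
    # The post says the worm opens a cmd.exe shell on TCP 4444. After cleanup
    # nothing should be listening there; if something still is, name its owner.
    $listeners = Get-NetTCPConnection -LocalPort 4444 -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) { Write-Host 'Nothing listening on TCP 4444'; return $true }
    foreach ($l in $listeners) {
        $owner = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning ("TCP 4444 still listening: PID {0} ({1})" -f $l.OwningProcess, $owner.ProcessName)
    }
    return $false
}

Stop-WormProcess
Remove-WormRunValue
Remove-WormFile
if (Test-BackdoorPort) {
    Write-Host 'Cleanup done. Install the MS03-026 patch and block inbound TCP 135 at the firewall.'
}
```

The order matters: the process is stopped before the file is removed because a running image cannot be deleted, and the Run value is checked against the actual data rather than deleted by name alone so a legitimate entry that happens to share the name survives. Get-NetTCPConnection and PowerShell itself are not available on the Windows XP/2000 systems the post targets, so this is a modern restatement of the procedure, not a replacement for the 2003 tool; the post's advice to disable System Restore on XP before cleanup and to install the MS03-026 patch afterwards still applies.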