
Re: [Full-Disclosure] DCOM WORM Killer 2.0



<P><A href="http://illmob.org/rpc/cleaners/dcom2.zip">http://illmob.org/rpc/cleaners/dcom2.zip</A></P>
<P>Kills and removes the Blaster worm and the B and C variants of it. All in a pretty little package of 1.62kb (gotta love assembly).</P>
<P>Coded in MASM by:<BR>illwill<BR><A href="mailto:xillwillx@yahoo.com">xillwillx@yahoo.com</A><BR><A href="http://www.illmob.org/">www.illmob.org</A></P>
<P>DCOM worm killer (W32.Blaster.Worm)<BR>Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda], WORM_MSBLAST.B [Trend], Win32.Poza.C [CA], W32/Lovsan.worm.c [McAfee], Worm.Win32.Lovesan [KAV], etc..... blablablabla keep changing it motherfuckers we'll still find yer ass :)</P>
<P>This program is a tool to remove the malicious worm(s) that spread through exploiting the DCOM RPC vulnerability using TCP port 135. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it. Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system. This tool was made to automate the process of removing the worm from memory and all files related to it.</P>
<P>-------------------------------------------------------------------------<BR>Directions:<BR>1. Execute the file called DCOM2.exe<BR>a. Deletes the registry values that have been added.<BR>b. Terminates the W32.Blaster.Worm, W32.Blaster.B.Worm, and W32.Blaster.C.Worm viral processes.<BR>c. Deletes the W32.Blaster.Worm, W32.Blaster.B.Worm and W32.Blaster.C.Worm files.<BR>d. Deletes the dropped files.</P>
<P>-------------------------------------------------------------------------<BR>Tech Info:<BR>Startup registry keys-<BR>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<BR>"windows auto update"="msblast.exe"<BR>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<BR>"windows auto update"="penis32.exe"<BR>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<BR>"Microsoft Inet Xp.."="teekids.exe"</P>
<P>Dropped files-<BR>Windows system directory (c:\windows\system32 c:\winnt\system32)<BR>'msblast.exe' 'penis32.exe' 'teekids.exe' 'root32.exe' 'index.exe'</P>
<P>Source:<BR><A href="http://illmob.org/sources/DCOM2.html">http://illmob.org/sources/DCOM2.html</A><BR><A href="http://illmob.org/sources/DCOM2.asm">http://illmob.org/sources/DCOM2.asm</A></P>
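<P>Added example, not the poster's MASM tool or part of the original message: a Python script that checks a regedit .reg export and a system32 directory listing for the Run-key values and dropped file names listed under "Tech Info" above, so hosts can be triaged offline from collected data. The sample export and listing below are constructed for illustration.</P>

```python
"""Offline triage of the Blaster/Lovsan persistence indicators from the post:
Run-key values and dropped file names, checked against a .reg export and a
directory listing collected from a host (no live registry access needed)."""

# Indicators exactly as listed in the post's "Tech Info" section.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {                      # value name (lowercased) -> known data
    "windows auto update": {"msblast.exe", "penis32.exe"},
    "microsoft inet xp..": {"teekids.exe"},
}
DROPPED_FILES = {"msblast.exe", "penis32.exe", "teekids.exe", "root32.exe", "index.exe"}


def parse_reg_export(text):
    """Parse a regedit .reg export into {key (lowercased): {value name: data}}.
    Only quoted string (REG_SZ) values matter here; keys marked for deletion
    with a leading '-' are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else line[1:-1].lower()
            if current:
                keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data.strip('"')
    return keys


def find_run_indicators(reg_text):
    """Return [(value name, data)] under the Run key that match Blaster's entries."""
    run = parse_reg_export(reg_text).get(RUN_KEY.lower(), {})
    return [(name, data) for name, data in run.items()
            if data.lower() in RUN_VALUES.get(name.lower(), set())]


def find_dropped_files(system32_listing):
    """Return the Blaster drop-file names present in a system32 directory listing."""
    return sorted((f for f in system32_listing if f.lower() in DROPPED_FILES), key=str.lower)


# Constructed sample input (not from a real host): a .reg export of the Run key
# and a partial system32 listing, each with benign entries mixed in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"Microsoft Inet Xp.."="teekids.exe"
"Example Tray App"="C:\\Program Files\\Example\\tray.exe"
"""
SAMPLE_SYSTEM32 = ["kernel32.dll", "msblast.exe", "Root32.exe", "notepad.exe"]
```

Running the two functions over the samples reports the two matching Run values and the two dropped files while ignoring the benign entries; the matches are case-insensitive because the worm variants differ only in file names, not in the value name.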