Rather than re-post the article, go here; this worm is bad mojo, very bad...
MSBlaster Worm Article
NOTE: Sorry, I'm not trying to promote my site, just warn people about this worm as quickly as possible; it works very fast!
#1
Posted 12 August 2003 - 01:43 AM
#2
Posted 12 August 2003 - 11:06 AM
According to Russ at NTBugtraq, the worm acts as follows:
a) attacker runs a TFTP server due to the worm code.
b) TCP135 connection from attacker to victim.
c) a command shell is established on victim listening on TCP4444
d) attacker sends command, via command shell, to cause victim to invoke TFTP.exe against the attacker to retrieve msblast.exe
e) attacker sends command, via command shell, to cause victim to invoke msblast.exe
f) attacker drops connection to victim command shell; victim command shell stops listening on 4444
g) victim starts TFTP server and processes other instructions in msblast (to modify the registry keys, start attacks on TCP135, etc...)
Some useful links:
CERT/CC Advisory CA-2003-19
http://www.cert.org/...CA-2003-19.html
Microsoft Security Bulletin MS03-26
http://support.micro...com?kbid=823980
Trend Micro Removal Tool:
http://www.trendmicr...ownload/tsc.asp
F-Secure Removal Tool:
http://www.f-secure....s/msblast.shtml
Computer Associates Removal Tool:
http://www3.ca.com/v...s.aspx?ID=36265
McAfee/NAI Removal Tool:
http://vil.nai.com/vil/stinger/
Original xfocus Exploit Analysis and Code:
http://www.xfocus.or...s/200307/2.html
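The step sequence Russ describes (a TCP 135 connection, a shell on TCP 4444, the victim pulling msblast.exe back over TFTP, then the victim itself scanning TCP 135) is a recognizable pattern in network flow logs. The script below is an added example, not code from the post or from any of the vendors linked above: it runs over a handful of constructed flow records (the addresses and timestamps are made up) and flags host pairs that show steps b) through d) in order, and, going a step beyond the text, also flags hosts that start hitting TCP 135 on several neighbours within a minute, which is step g). The record format and the five-minute window are assumptions for the example.

```python
"""Detect the Blaster-style infection sequence and follow-on scanning in flow records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not captured traffic): "timestamp src dst proto dport".
# 10.0.0.5 infects 10.0.0.20, which then starts scanning; 10.0.0.7 only probes 10.0.0.9.
SAMPLE_FLOWS = """\
2003-08-12T01:40:01 10.0.0.5 10.0.0.20 tcp 135
2003-08-12T01:40:02 10.0.0.5 10.0.0.20 tcp 4444
2003-08-12T01:40:04 10.0.0.20 10.0.0.5 udp 69
2003-08-12T01:40:30 10.0.0.20 10.0.0.21 tcp 135
2003-08-12T01:40:30 10.0.0.20 10.0.0.22 tcp 135
2003-08-12T01:40:31 10.0.0.20 10.0.0.23 tcp 135
2003-08-12T01:41:00 10.0.0.7 10.0.0.9 tcp 135
2003-08-12T01:41:05 10.0.0.9 10.0.0.7 udp 69
"""


def parse_flows(text):
    """Parse the assumed whitespace-separated record format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def detect_infections(flows, window=timedelta(minutes=5)):
    """Return (attacker, victim, first_ts) for pairs showing, in order:
    attacker->victim tcp/135, attacker->victim tcp/4444, victim->attacker udp/69."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    hits = []
    for (attacker, victim), fl in by_pair.items():
        rpc = [f for f in fl if f["proto"] == "tcp" and f["dport"] == 135]
        shell = [f for f in fl if f["proto"] == "tcp" and f["dport"] == 4444]
        # The TFTP fetch runs the other way: victim connects back to the attacker.
        tftp = [f for f in by_pair.get((victim, attacker), [])
                if f["proto"] == "udp" and f["dport"] == 69]
        for r in rpc:
            deadline = r["ts"] + window
            shells = [s for s in shell if r["ts"] <= s["ts"] <= deadline]
            if not shells:
                continue
            if any(shells[0]["ts"] <= t["ts"] <= deadline for t in tftp):
                hits.append((attacker, victim, r["ts"]))
                break
    return hits


def detect_scanners(flows, threshold=3, window=timedelta(minutes=1)):
    """Return sources that open tcp/135 to >= threshold distinct hosts within window."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 135:
            by_src[f["src"]].append(f)
    scanners = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        for i, first in enumerate(fl):
            targets = {f["dst"] for f in fl[i:] if f["ts"] <= first["ts"] + window}
            if len(targets) >= threshold:
                scanners.append(src)
                break
    return scanners


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for attacker, victim, ts in detect_infections(flows):
        print(f"{ts.isoformat()} infection sequence: {attacker} -> {victim}")
    for src in detect_scanners(flows):
        print(f"tcp/135 scanning from {src}")
```

On the sample data the first pair is reported as an infection and 10.0.0.20 is reported as a scanner, while 10.0.0.7 is not (a lone TCP 135 probe with no TCP 4444 shell is not enough). A real deployment would feed this from a flow exporter or firewall log and would also consider the TFTP step alone a useful signal, since the legitimate use of TFTP from a Windows workstation to a peer on the same subnet is rare.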