Msblaster Worm

Patch your PC now...

1 reply to this topic

#1 ZATZAi


Posted 12 August 2003 - 01:43 AM

Rather than re-post the article, go here, this worm is bad mojo, very bad...

MSBlaster Worm Article

NOTE: Sorry, I'm not trying to promote my site, just warn people about this worm as quickly as possible, it works very fast!

#2 cxwq


Posted 12 August 2003 - 11:06 AM

According to Russ at NTBugtraq, the worm acts as follows:

a) attacker runs a TFTP server due to the worm code.
b) TCP135 connection from attacker to victim.
c) a command shell is established on victim listening on TCP4444
d) attacker sends command, via command shell, to cause victim to invoke TFTP.exe to attacker to retrieve msblast.exe
e) attacker sends command, via command shell, to cause victim to invoke msblast.exe
f) attacker drops connection to victim command shell, victim command shell stops listening on 4444
g) victim starts TFTP server and processes other instructions in msblast (to modify the registry keys, start attacks on TCP135, etc...)

Some useful links:

CERT/CC Advisory CA-2003-19
http://www.cert.org/...CA-2003-19.html

Microsoft Security Bulletin MS03-26
http://support.micro...com?kbid=823980

Trend Micro Removal Tool:
http://www.trendmicr...ownload/tsc.asp

F-Secure Removal Tool:
http://www.f-secure....s/msblast.shtml

Computer Associates Removal Tool:
http://www3.ca.com/v...s.aspx?ID=36265

McAfee/NAI Removal Tool:
http://vil.nai.com/vil/stinger/

Original xfocus Exploit Analysis and Code:
http://www.xfocus.or...s/200307/2.html
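
Added example, not part of the original posts: a detection sketch that finds steps b) to d) of the sequence above in flow records and then lists the hosts a flagged victim contacts on TCP 135 (step g). The log format, the addresses, the 60-second window and the use of the standard TFTP port UDP 69 are assumptions made for illustration.

```python
# Constructed flow records: "epoch_seconds src dst proto dst_port"
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.0.9 tcp 135
1002 10.0.0.5 10.0.0.9 tcp 4444
1003 10.0.0.9 10.0.0.5 udp 69
1010 10.0.0.9 10.0.0.20 tcp 135
1011 10.0.0.9 10.0.0.21 tcp 135
1020 10.0.0.7 10.0.0.8 tcp 135
1500 10.0.0.7 10.0.0.8 tcp 4444
1600 10.0.0.30 10.0.0.31 udp 69
"""

# Steps b, c and d as seen on the wire: (proto, dst_port, attacker_to_victim).
# UDP 69 is the standard TFTP port (assumed; the post only says "TFTP").
CHAIN = [("tcp", 135, True), ("tcp", 4444, True), ("udp", 69, False)]
WINDOW = 60  # seconds allowed from step b to step d (assumed value)


def parse(text):
    """Yield (ts, src, dst, proto, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit() and parts[4].isdigit():
            yield int(parts[0]), parts[1], parts[2], parts[3].lower(), int(parts[4])


def find_infections(text):
    """Return {victim: {"source": attacker, "spread_to": [hosts]}}."""
    progress = {}  # (attacker, victim) -> (index of next expected step, ts of step b)
    infected = {}
    for ts, src, dst, proto, port in sorted(parse(text)):
        # Step g: a flagged victim starts its own TCP 135 connections.
        if src in infected and (proto, port) == ("tcp", 135):
            if dst not in infected[src]["spread_to"]:
                infected[src]["spread_to"].append(dst)
        for step, (p, dport, to_victim) in enumerate(CHAIN):
            if (proto, port) != (p, dport):
                continue
            pair = (src, dst) if to_victim else (dst, src)
            expected, start = progress.get(pair, (0, ts))
            if step == 0:
                progress[pair] = (1, ts)  # (re)start the chain at step b
            elif expected == step and ts - start <= WINDOW:
                progress[pair] = (step + 1, start)
                if step + 1 == len(CHAIN):
                    infected.setdefault(pair[1], {"source": pair[0], "spread_to": []})
    return infected
```

On the constructed sample only 10.0.0.9 is flagged; the slow 135/4444 pair and the lone TFTP request do not complete the chain and are ignored.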