RE: DCOM Worm released

["Marc Maiffret" <marc () eeye com>]

Transfers are done from the infected host.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin () lists netsys com
| [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Dennis
| Opacki
| Sent: Monday, August 11, 2003 2:41 PM
| To: Full-Disclosure (E-mail)
| Subject: Re: [Full-disclosure] DCOM Worm released
|
|
|
| Can anyone confirm whether the tftp transfers appear to be solely from the
| hosts listed in the initial sans.org note (which now appear to have been
| taken down), or is the transfer done from the infecting host?
|
| TIA,
|
| -Dennis
|
| On Mon, 11 Aug 2003, Joey wrote:
|
| > They found a worm, but since it uses tftp servers that
| > can be taken down and since tftp is slow, it shouldnt
| > have much of an effect.
| >
| > "Scans sequentially for machines with open port 135,
| > starting at a presumably random IP address" - very
| > stupid way to spread!
| >
| > http://isc.sans.org/diary.html?date=2003-08-11
| >
| > __________________________________
| > Do you Yahoo!?
| > Yahoo! SiteBuilder - Free, easy-to-use web site design software
| > http://sitebuilder.yahoo.com
| > _______________________________________________
| > Full-Disclosure - We believe in it.
| > Charter: http://lists.netsys.com/full-disclosure-charter.html
| >
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html