Re: possible MS03-026 worm?

[tcpdumb <tcpdumb () pentiumbuster homelinux com>]

On Sat, 2 Aug 2003 11:58:00 -0500
"mobly99" <dhopper () ameritech net> wrote:

> Seems to be a possible worm based on the RPC/DCOM exploit making the
> rounds?

Definetly. Depending on the logfiles from our Firewall at work, there must be something out there. Infected machines 
found at:

156.34.222.0/24 
194.96.90.0/24
196.30.232.0/24
200.0.0.0/8
202.0.0.0/8

and so on. Their traffic is about 50-75% of a day's traffic. Fortunately without any damage to our systems. The worm 
seems to check hosts with a funny ryhtm within a Subnet:

IP=123.123.123.1

$IP+5
        $IP+1
$IP+4
        $IP+2
$IP+3
        $IP+3
$IP+2
        $IP+4
$IP+1
        $IP+5
...
        ...


Dunno why but I found it out reading the 24h output of our Firewall. The coder must be stupid/[totally stoned] or 
simply made a mistake coding the loops for scanning.
Strange thing,

        Lukas

> puts these files in %systemdrive%
> rpc.exe
> rpctest.exe
> tftpd.exe
> worm.exe
> lolx.exe
>
> also in %windir%\system32 
> lolx.exe 
> dcomx.exe
>
> rpc.exe and dcomx.exe appear in the running tasks. 
>
>
> I pulled samples of them and submitted to SARC.
>
>
> -Dave
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html