Re[2]: First Dcom Worm on wild

Hello Carlos,

don't forget to del the registry entrys in run :-)

btw below the answer from mcafee which i send the virus.

AVERT Labs, Beaverton
Current Scan Engine Version:4.2.60

Current DAT Version:4283

Thank you for your submission.

CL> We have found a file in XP servers named MSBLAST.EXE exploiting the DCOM CL> vulnerability.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

CL> Our servers kept rebooting, we deleted this file and they stopped. I CL> guess we are seeing as a new malicious code.

CL> Carlos Lang

CL> -----Mensaje original-----
CL> De: Frank Nusko [mailto:BrAinsTorM@quakenet.biz] 
CL> Enviado el: Lunes, 11 de Agosto de 2003 02:37 p.m.
CL> Para: focus-virus@securityfocus.com
CL> Asunto: First Dcom Worm on wild

CL> Today i detected the first worm on wild which spreads itself.

CL> The executable is named msblast.exe and contains the strings:

CL> "SAY LOVE YOU SAN!! Bill gates you make it possible"

CL> as far as i covered from the compressed/packed exe it uses the 48 target

CL> xpl.

CL> After a succesful executing on your system it begins scanning other CL> system

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

CL> starting from 192.168.0.1 and going up all ip and classes.

CL> so long,

CL> if you catch more informations lemme know them

CL> regards

CL> Frank

CL> ------------------------------------------------------------------------
CL> ---
CL> ------------------------------------------------------------------------