
Re: Blasting Blaster.Worm (aka LovSan Virus)

From: iDaemon Security <security(at)securedaemon.net>
Date: Tue Aug 12 2003 - 22:30:52 EDT

It is very well described in the Symantec Alerts we get.

Here is a brief description of how it infects:

  1. worm finds host vulnerable to DCOM RPC exploit, attacks on 135/TCP (and UDP... it is safe to assume that traffic will use TCP and/or UDP, so please assume UDP is implied for the rest of my comments)
  2. worm causes buffer overflow, yielding a shell on 4444/TCP which initiates outbound tftp to the host it was infected from, downloading msblaster.exe and dropping it on the newly infected host which is rebooted so that msblaster.exe is run on startup
  3. msblaster.exe propagates outbound and listens on 69/TCP (which is tftp in case you don't have an /etc/services handy), infecting more hosts and serving out msblaster.exe via tftp

Log/sniff/block 135/TCP, 4444/TCP (which is the port used by krb524, a Kerberos migration service), and 69/TCP.

Regards,

Chris

On Tue, 2003-08-12 at 13:40, Alavan wrote:
> All,
>
> We're a small ISP providing T-1 access to residents of apartment

-- 
iDaemon Security 
Securedaemon.net
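A defender-side correlation of the three-step chain listed in the message above, as an added example that is not part of the original post: it reads constructed connection-log lines and flags attacker/victim pairs that went 135, then 4444, then a reverse tftp connection on port 69. The log format, IP addresses and timestamps are assumptions made for the example.

```python
"""Flag Blaster-style infection chains in connection logs (added example)."""
from collections import defaultdict

# Constructed sample log (not from the original post): one line per
# TCP connection attempt, formatted "timestamp src_ip dst_ip dst_port".
SAMPLE_LOG = """\
1060734000 10.0.0.5 10.0.0.9 135
1060734001 10.0.0.5 10.0.0.9 4444
1060734003 10.0.0.9 10.0.0.5 69
1060734010 10.0.0.5 10.0.0.20 135
1060734020 10.0.0.7 10.0.0.8 80
"""

# Steps as described in the post: exploit attempt on 135, shell on 4444,
# then the victim tftp's back to the attacker on 69.
CHAIN = (135, 4444, 69)


def parse_log(text):
    """Yield (ts, src, dst, dport) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)


def find_chains(events):
    """Return {(attacker, victim): stage}, stage = how far along CHAIN the pair got."""
    progress = defaultdict(int)
    for ts, src, dst, dport in sorted(events):
        # Stages 1 and 2 run attacker -> victim; stage 3 runs victim -> attacker,
        # so a port-69 connection is keyed on the reversed pair.
        pair = (src, dst) if dport != 69 else (dst, src)
        stage = progress[pair]
        if stage < len(CHAIN) and dport == CHAIN[stage]:
            progress[pair] = stage + 1
    return dict(progress)


def likely_infected(events):
    """Hosts in pairs that completed all three stages: the attacker and its new victim."""
    hosts = set()
    for (attacker, victim), stage in find_chains(events).items():
        if stage == len(CHAIN):
            hosts.update((attacker, victim))
    return sorted(hosts)


if __name__ == "__main__":
    print(likely_infected(parse_log(SAMPLE_LOG)))  # → ['10.0.0.5', '10.0.0.9']
```

A pair that only reached stage 1 (a bare probe on 135) is reported with its stage so it can be watched without being counted as infected.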


Received on Wed Aug 13 01:55:41 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:16 EDT
