
is it even possible for a worm with dcom vuln?

From: wirepair <wirepair(at)roguemail.net>
Date: Sun Jul 27 2003 - 13:09:12 EDT


After the release of the few exploits which take advantage of the DCOM/RPC vulnerability, I began thinking to myself how this could possibly be turned into a worm. The exploits that have already been written use hard-coded offsets for the different SPs/OSes, so this would not work for a worm template. Also, it requires a few requests, so this would not be a very fast worm in theory. Also, after the service is exploited, the service fails.

I could see a few issues with a 'universal offset' for a jmp esp/call esp or any other way to get the worm instructions to begin executing. The vast differences in operating systems could make the threat of this being a worm smaller in my mind. With the IIS worms (Code Red) they had it easy because the service would just restart itself, and it is only attacking one particular version with the same base addresses.

So I guess what I'm asking is: is it even feasible to write a worm for this particular vulnerability? I would imagine the worm would need to be pretty advanced in finding the correct offsets prior to exploitation, without crashing svchost.exe. Now, I am in no way downplaying the threat of this vulnerability, and I find it to probably be the largest thing to ever hit Windows. I just want to hear other people's thoughts on this subject. Or a worm could attack a single operating system/SP, but that wouldn't be nearly as damaging as a worm that could attack all versions of Windows (NT4-Win2k3) and SPs.

Any thoughts?
-wire
--

Received on Mon Jul 28 16:00:52 2003
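The post asks whether a 'universal offset' for a jmp esp/call esp could exist across Windows versions and service packs. The following C program, added here as an illustration and not part of the original message or of any published exploit, shows what that question reduces to mechanically: given several builds of the same module, each with its own base address and bytes, find a virtual address that decodes to FF E4 (jmp esp) or FF D4 (call esp) in every one of them. The module bytes, names and the base address 0x77E00000 are constructed for the example and are not real Windows DLL contents; a real search would scan the actual loaded modules of each target version instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A loaded module as seen by an attacker: its base address plus its bytes.
   The images used below are constructed for this example, not real Windows code. */
typedef struct {
    const char *name;
    uint32_t base;        /* load address of this build of the module */
    const uint8_t *bytes;
    size_t len;
} image_t;

/* "jmp esp" is FF E4 and "call esp" is FF D4 on x86; either one diverts
   execution into the buffer that esp points at after the overflow. */
static int is_esp_trampoline(const uint8_t *p)
{
    return p[0] == 0xFF && (p[1] == 0xE4 || p[1] == 0xD4);
}

/* Does this image hold a trampoline at virtual address va? */
static int has_trampoline_at(const image_t *img, uint32_t va)
{
    if (va < img->base || va - img->base + 2 > img->len)
        return 0;
    return is_esp_trampoline(img->bytes + (va - img->base));
}

/* Lowest virtual address that decodes to jmp/call esp in *every* image,
   or 0 when no such "universal" address exists.  Candidates are taken
   from the first image and checked against the rest, so a rebased build
   or a build whose bytes moved correctly rules the address out. */
uint32_t find_universal_trampoline(const image_t *imgs, size_t n)
{
    if (n == 0)
        return 0;
    for (size_t off = 0; off + 2 <= imgs[0].len; off++) {
        if (!is_esp_trampoline(imgs[0].bytes + off))
            continue;
        uint32_t va = imgs[0].base + (uint32_t)off;
        size_t k = 1;
        while (k < n && has_trampoline_at(&imgs[k], va))
            k++;
        if (k == n)
            return va;
    }
    return 0;
}

/* Constructed stand-ins for builds of one module: the code around offset 6
   differs from build to build, but ver_a, ver_b and ver_c each have FF E4 or
   FF D4 there.  ver_d is a build with no trampoline anywhere. */
static const uint8_t ver_a[16] = {0x90,0x90,0x55,0x8B,0xEC,0xC3, 0xFF,0xE4, 0x90,0x90,0xFF,0xE4,0xC3,0xC3,0x90,0x90};
static const uint8_t ver_b[16] = {0x55,0x8B,0xEC,0x33,0xC0,0x90, 0xFF,0xD4, 0xC3,0x90,0x90,0x90,0xFF,0xE4,0x90,0x90};
static const uint8_t ver_c[16] = {0xC3,0x90,0x90,0x90,0x90,0x90, 0xFF,0xE4, 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};
static const uint8_t ver_d[16] = {0x90,0x90,0x90,0x90,0x90,0x90, 0x90,0x90, 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};

#define MODULE_BASE 0x77E00000u   /* hypothetical base shared by the builds */

/* Three builds that do share a trampoline address: returns MODULE_BASE + 6. */
uint32_t demo_universal(void)
{
    const image_t builds[] = {
        {"build-a", MODULE_BASE, ver_a, sizeof ver_a},
        {"build-b", MODULE_BASE, ver_b, sizeof ver_b},
        {"build-c", MODULE_BASE, ver_c, sizeof ver_c},
    };
    return find_universal_trampoline(builds, 3);
}

/* Adding a build with no trampoline means no single address works: returns 0. */
uint32_t demo_no_universal(void)
{
    const image_t builds[] = {
        {"build-a", MODULE_BASE, ver_a, sizeof ver_a},
        {"build-b", MODULE_BASE, ver_b, sizeof ver_b},
        {"build-d", MODULE_BASE, ver_d, sizeof ver_d},
    };
    return find_universal_trampoline(builds, 3);
}

/* A build loaded at a different base address also breaks universality: returns 0. */
uint32_t demo_rebased(void)
{
    const image_t builds[] = {
        {"build-a", MODULE_BASE, ver_a, sizeof ver_a},
        {"build-c", MODULE_BASE + 0x10000u, ver_c, sizeof ver_c},
    };
    return find_universal_trampoline(builds, 2);
}

int main(void)
{
    printf("universal:    0x%08X\n", (unsigned)demo_universal());
    printf("no universal: 0x%08X\n", (unsigned)demo_no_universal());
    printf("rebased:      0x%08X\n", (unsigned)demo_rebased());
    return 0;
}
```

The two failing cases are the point of the exercise: a single build that lacks the instruction pair at the chosen address, or that loads at a different base, is enough to make the address non-universal, which is exactly why per-SP/OS offset tables appear in the exploits the post refers to and why a one-shot worm would have to either find such an address or guess the target version first.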

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

