Re: is it even possible for a worm with dcom vuln?

A highly-effective worm would be not be difficult to write for the reasons below. Residential ISP's should start blocking 445 and 135 immediately. Corporate networks should block these ports in both directions at every major gateway as soon as possible.

It would only take one compromised node to turn a corporation's internal network to mush. Coupled with an email or web-based delivery system, a DCOM worm could easily start spawning itself in the center of even the most security-concious organizations.

1. There *are* universal return address for both Win2K and WinXP. No I am not going to post these anywhere, people can find them for themselves. The non-english versions may or may not work with these, I have not had the chance to test.
2. You can determine whether a host is 2K or XP using a number of different ways. The easiest method is by looking at the Native LanMan version you recieve when establishing a SMB session. I have heard that there are ways to identify a system through DCOM queries as well, but have no code in hand to prove it.
3. Since the easiest targets are Win2K and WinXP, simply scanning for 445, determining XP/2K, and exploiting 135 would be very simple to do. All systems with 445/tcp open are more than likely XP/2K. Any system with 445/tcp open more than likely has 135 open as well.

-HD

On Sunday 27 July 2003 12:09 pm, wirepair wrote:
> I would imagine the worm would need to
Received on Mon Jul 28 17:03:00 2003