 | Prep for USMLE |
| Forum | Resources | New Posts | Register | Login | » |
|
| Author | 7 Posts | |||||||||||||||||||||||||||||||||||||||||||||||||
|
Anno Domini
Moderator Topics: 293 Posts: 727 |
It is restarting your computers while you are on the internet be very careful.Many comp are infected. It attack systems like NT4, win2000 i winXP.
|
Prep4USMLE.com
|
Advertisement
|
|
Anno Domini
| Moderator Topics: 293 Posts: 727
It will probably attack windowsupdate.com SYN floodom on 16 august.
|
Anno Domini
| Moderator Topics: 293 Posts: 727
Read this from microsofthttp://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
|
Dan Ivanov
| Forum Senior Topics: 14 Posts: 105
Thank you Anno for notification, We'll be careful. Dan
|
Anno Domini
| Moderator Topics: 293 Posts: 727
RPC DCOM WORM (MSBLASTER) This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly. ********** NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. ********** Increase in port 135 activity: http://isc.sans.org/images/port135percent.png In order to protect yourself, you need to : Close port 135 (if possible 135-139, 445 and 593) Apply Patches www.microsoft.com/technet/s...rity/bulletin/MS03-026.asp If you are infected: - disconnect machine from any network - delete msblast.exe - delete registry key staring msblast.exe - reboot. The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP. The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only. Infection sequence: 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET 2. this causes a remote shell on port 4444 at the TARGET 3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444, 4. the target will now connect to the tftp server at the SOURCE. The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed: MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes) So far we found the following properties: - Scans sequentially for machines with open port 135, starting at a presumably random IP address - uses multiple TFTP servers to pull the binary - adds a registry key to start itself after reboot
|
Wyoming Sioux
| Forum Newbie Topics: 4 Posts: 9
As a matter of fact, my system was hit by the worm 2 days ago. Many Windows users were also affected last week. Fortunately, I was able to find the solution via the Microsoft forums (a patch is needed). I hope you do not encounter it...it is an extremely distressing problem, especially when you don't recognize it. If you ever get the message "Windows needs to restart because the Remote Call Procedure (RPC) terminated unexpectedly", and your computer then restarts after a 30 second countdown, you have the virus.
|
Anno Domini
| Moderator Topics: 293 Posts: 727
Dan Ivanov has probaly located the source of this virus.It is on coolgoose.com.I know that lot of you guys were there so you will have to stop going there for a while.
|
|
| | |||||||||||||||||||||||||||||||
|
This thread is closed, so you cannot post a reply.
 Similar forum topicsUzaq part-time iş bir köpek ve bir iş istiyorum Riske dayalı iş | Related resources Physiology: Review for New National Boards Pathology: Review for New National Boards |
Advertise | Support | Premium | Contact |