F-Prot Slipping

Mike Kercher mike at CAMAROSS.NET
Thu Aug 14 04:14:48 IST 2003


http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability
(described in Microsoft Security Bulletin MS03-026) using TCP port 135. The
worm targets only Windows 2000 and Windows XP machines. While Windows NT and
Windows 2003 Server machines are vulnerable to the aforementioned exploit
(if not properly patched), the worm is not coded to replicate to those
systems. This worm attempts to download the msblast.exe file to the
%WinDir%\system32 directory and then execute it. The worm has no
mass-mailing functionality.



-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Nathan Johanson
Sent: Wednesday, August 13, 2003 9:09 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: F-Prot Slipping


I must be missing something here... All the descriptions I've read about
this virus make no mention of an email component. Does this worm spread via
email?

I was under the impression that this virus infects unprotected Windows
computers on the Internet--machines not protected by a firewall w/ all of
the corresponding ports open to the world (TCP 135, TCP 4444, UDP 69). I
haven't read anything about that being an email component.

Most of the virus descriptions (including this snippet from CERT) seem to
support this concept and make no mention of email:

Known exploits target TCP port 135 and create a privileged backdoor command
shell on successfully compromised hosts. Some versions of the exploit use
TCP port 4444 for the backdoor, and other versions use a TCP port number
specified by the intruder at run-time. We have also received reports of
scanning activity for common backdoor ports such as 4444/TCP.

Someone please correct me if I'm wrong. Thanks.

Nathan

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond at PROLOCATION.NET] 
Sent: Wednesday, August 13, 2003 12:48 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: F-Prot Slipping


Hi!

> I was right.  F-Prot just included a fix for MSBlaster as of today. This
> virus has been causing grief here since Aug 8.  Here's a direct quote from
> F-Prot.

No you're not =) See my other posting :)

> Users of F-Prot Antivirus should update their virus signature files 
> immediately. W32/Msblast.C is detected by F-Prot Antivirus using virus 
> signature files dated 13 August 2003 and later.

And also the .B version, the .A version was already detected. I have a
couple of hundred in my archive, so I am pretty sure it works.

Thanks.
Raymond.
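
An added example, not part of the original thread or of any poster's message: the thread concludes that this worm is a network worm (TCP 135, TCP 4444, UDP 69) rather than a mail-borne one, so detection belongs in connection logs, not in the mail scanner. The sketch below correlates that port sequence per host pair. The CSV log layout, the sample lines, the function names and the scan threshold are all assumptions made for illustration, as is the direction of the UDP 69 transfer (victim fetching from the infecting host).

```python
import csv
import io
from collections import defaultdict

# Constructed sample connection log (time, proto, src, dst, dport); not real traffic.
SAMPLE_LOG = """\
2003-08-13T12:00:01,tcp,10.0.0.5,10.0.0.20,135
2003-08-13T12:00:02,tcp,10.0.0.5,10.0.0.20,4444
2003-08-13T12:00:03,udp,10.0.0.20,10.0.0.5,69
2003-08-13T12:00:04,tcp,10.0.0.5,10.0.0.21,135
2003-08-13T12:00:05,tcp,10.0.0.5,10.0.0.22,135
2003-08-13T12:00:06,tcp,10.0.0.9,10.0.0.30,4444
2003-08-13T12:00:07,tcp,10.0.0.7,10.0.0.40,25
"""

def parse(log_text):
    """Yield (proto, src, dst, dport) tuples in log order."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or not row[4].isdigit():
            continue  # skip blank or malformed lines
        _, proto, src, dst, dport = row
        yield proto.lower(), src, dst, int(dport)

def classify(log_text, scan_threshold=3):
    """Return (scanners, compromised).

    scanners: sources that contacted TCP 135 on >= scan_threshold distinct hosts.
    compromised: (source, victim) pairs showing the ordered chain
    TCP 135, then TCP 4444, then the victim contacting the source on UDP 69.
    """
    probed = defaultdict(set)   # src -> destinations contacted on TCP 135
    stage = {}                  # (src, dst) -> 1 after TCP 135, 2 after TCP 4444
    compromised = set()
    for proto, src, dst, dport in parse(log_text):
        if proto == "tcp" and dport == 135:
            probed[src].add(dst)
            stage.setdefault((src, dst), 1)
        elif proto == "tcp" and dport == 4444 and stage.get((src, dst)) == 1:
            stage[(src, dst)] = 2
        elif proto == "udp" and dport == 69 and stage.get((dst, src)) == 2:
            # Assumption: the victim pulls the binary from the infecting host.
            compromised.add((dst, src))
    scanners = {s for s, dsts in probed.items() if len(dsts) >= scan_threshold}
    return scanners, compromised
```

A lone connection to TCP 4444 with no preceding TCP 135 contact from the same source is deliberately not flagged, which keeps unrelated services on that port out of the results.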



