New Windows DCOM Worm - msblast.exe (fwd)

From: Dave Ahmad (daat_private)
Date: Mon Aug 11 2003 - 13:49:37 PDT


    David Mirza Ahmad
    Symantec
    
    PGP: 0x26005712
    8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
    --
    The battle for the past is for the future.
    We must be the winners of the memory war.
    
    ---------- Forwarded message ----------
    Return-Path: <david.vincentat_private>
    Delivered-To: daat_private
    Received: (qmail 4314 invoked from network); 11 Aug 2003 20:47:49 -0000
    Received: from unknown (HELO mail.mightyoaks.com) (24.68.8.181)
      by mail.securityfocus.com with SMTP; 11 Aug 2003 20:47:49 -0000
    Received: from stork.mightyoaks ([192.168.20.9] unverified) by
        mail.mightyoaks.com with Microsoft SMTPSVC(5.0.2195.6713);
    	 Mon, 11 Aug 2003 13:55:33 -0700
    Received: by stork.mightyoaks.local with Internet Mail Service (5.5.2656.59)
    	id <P9FJXTGS>; Mon, 11 Aug 2003 13:55:32 -0700
    Message-ID: <6130FAF67D15D411BF7100E01899071F5F99F0at_private>
    From: David Vincent <david.vincentat_private>
    To: 'Dave Ahmad' <daat_private>
    Subject: New Windows DCOM Worm -  msblast.exe
    Date: Mon, 11 Aug 2003 13:55:31 -0700
    MIME-Version: 1.0
    X-Mailer: Internet Mail Service (5.5.2656.59)
    Content-Type: text/plain;
    	charset="iso-8859-1"
    Return-Path: david.vincentat_private
    X-OriginalArrivalTime: 11 Aug 2003 20:55:33.0058 (UTC)
        FILETIME=[E7E02A20:01C3604A]
    
    Dave, can you send this on to the list?  My cross-posting ways have left me
    wondering which list you're wanting more details for.
    
    Message follows...
    
    I've just got a copy of this Windows DCOM Worm from a nice fellow on another
    list.
    
    It matches the MD5 at http://isc.sans.org/diary.html?date=2003-08-11 of
    5ae700c1dffb00cef492844a4db6cd69.  That's the EXE's MD5, not the unpacked
    EXE version or the MD5 of the ZIP I received it in.  I have not launched it
    yet, but I did note it made its way past three layers of virus protection
    without being detected.
    
    Yes, we do use the same AV for all parts of our network, but that's 'cause
    we're a small company with limited resources.  So don't bitch at me about
    it.  :)
    
    We've got NAV Corporate 8.00.0.9374 with scan engine 4.1.0.15 and
    definitions of 06/08/2003 rev. 4 (the most current at this time) and it is
    not detected.
    
    David Vincent  CNA/MCSE
    Network Administrator
    
    www.mightyOaks.com
    david.vincentat_private
    
    
    MIGHTY OAKS WIRELESS SOLUTIONS INC.
    209-3347 Oak Street
    Victoria, B.C. Canada V8X 1R2
    Phone: 250.386.9398   Fax:  250.386.9399
    Pager: 250.380.4575   Cell: 250.884.3000
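The hash check described in the forwarded message (compare the EXE itself, not the ZIP it arrived in, against the MD5 published by ISC) as an added example; this is editor-supplied triage code, not anything from the original post or from ISC. The ZIP and the "msblast.exe" inside it are constructed dummy bytes built in memory so the script runs offline; only the expected hash value is taken from the page. Function and variable names are the editor's choice.

```python
import hashlib
import io
import zipfile

# MD5 published for the msblast.exe sample in the ISC diary cited above (from the page).
ISC_MSBLAST_MD5 = "5ae700c1dffb00cef492844a4db6cd69"


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def matches_published_hash(data: bytes, expected_hex: str) -> bool:
    """True if data hashes to expected_hex; comparison ignores case and whitespace."""
    return md5_hex(data) == expected_hex.strip().lower()


def hash_zip_members(zip_bytes: bytes) -> dict:
    """Return {member_name: md5} for every file stored inside a ZIP given as bytes.

    Hashing the archive itself yields a different value from hashing the EXE it
    contains, which is the mix-up the message warns about, so each member is
    read and hashed individually.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result[info.filename] = md5_hex(zf.read(info))
    return result


def triage(zip_bytes: bytes, expected_hex: str) -> dict:
    """Compare each archive member (not the archive) against a published hash."""
    members = hash_zip_members(zip_bytes)
    wanted = expected_hex.strip().lower()
    return {
        "archive_md5": md5_hex(zip_bytes),
        "members": members,
        "matching_members": [name for name, h in members.items() if h == wanted],
    }


# Constructed stand-in: a ZIP holding a fake "msblast.exe" made of dummy bytes.
# This is NOT the worm; it only exercises the hashing logic.
CONSTRUCTED_FAKE_EXE = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not malware"


def build_constructed_sample_zip() -> bytes:
    """Build the constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("msblast.exe", CONSTRUCTED_FAKE_EXE)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_constructed_sample_zip()
    report = triage(sample, ISC_MSBLAST_MD5)
    print("ZIP archive md5:", report["archive_md5"])
    for name, h in report["members"].items():
        hit = "yes" if name in report["matching_members"] else "no"
        print(f"{name}: {h}  matches ISC hash: {hit}")
```

Run it against a real sample by replacing the constructed archive with the bytes of the received ZIP; a match on a member, not on the archive, is the signal that you hold the same file ISC analysed. A packed binary that has been unpacked will not match the published hash either, for the same reason.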
    



    This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 14:05:13 PDT