Re: [Full-Disclosure] Windows Dcom Worm Killer and source code

From: w g (xillwillxat_private)
Date: Wed Aug 13 2003 - 19:46:09 PDT

Next message: Nathan Seven: "Re: [Full-Disclosure] Microsoft urging users to buy Harware Firewalls"

Previous message: Frog Man: "BBCode XSS in XOOPS CMS"
In reply to: w g: "[Full-Disclosure] Windows Dcom Worm Killer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

source available here
http://illmob.org/sources/DCOMkill.html

1.6 kb assembly program to kill and remove the dcom worm

http://illmob.org/files/dcomkiller.zip

DETAILS:

DCOM worm killer (W32.Blaster.Worm)
Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
Coded in MASM by:
illwill
xillwillxat_private
www.illmob.org

8/13/2003
This program is a tool to remove the malicious worm
th! at spreads through exploiting the DCOM RPC vulnerability using TCP port 135.
This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444,
allowing an attacker to issue remote commands on the infected system.
This tool was made to Automate the process of removing the worm from memory and all files related to it.
-------------------------------------------------------------------------
Directions:
1. Execute the file called DCOMKill.exe
This will automatically kill the worms process
running in memory and remove the registry startup method
and then it will erase any files left by the worm.

2. All done :) ... next step
W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026,
and a patch is available there. You must download and install the patch.Also buy an antivirus and keep it
updated weekly . Also I'd suggest getting a firewall to protect from any outside intruders.
-------------------------------------------------------------------------
Tech Info:
Startup registry key-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
Dropped files-
Windows system directory (c:\windows\system32 c:\winnt\system32)
msblast.exe
Note:
if you are running Windows XP, it is recommended that you temporarily turn off System Restore. Windows XP uses this feature,
which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan
infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Source:
available upon request.

---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software

---------------------------------
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Nathan Seven: "Re: [Full-Disclosure] Microsoft urging users to buy Harware Firewalls"
Previous message: Frog Man: "BBCode XSS in XOOPS CMS"
In reply to: w g: "[Full-Disclosure] Windows Dcom Worm Killer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 21:57:54 PDT