RE: Blasting Blaster.Worm (aka LovSan Virus)

From: Eric Hines (eric.hinesat_private)
Date: Tue Aug 12 2003 - 17:17:56 PDT


    Alavan,
    
    The worm spawns a shell on TCP port 4444 on the infected host. The worm issues 
    commands through tftp downloading msblast.exe which it then starts over its 
    shell. You can do some sniffing for TCP 4444 or simply, just grab all outbound 
    port 135 traffic :D
    
    
    
    -------------------------------------------
    Eric Hines
    CEO, Chairman
    Applied Watch Technologies, Inc.
    web: http://www.appliedwatch.com
    email: eric.hinesat_private
    -------------------------------------------
    Direct: (877) 262-7593 - Toll Free x327
    Fax: (815) 425-2173
    General: (877) 262-7593 (9am-5pm CST)
    -------------------------------------------
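
An added example (not part of the original message, and not Applied Watch code) that turns the sniffing suggested above into a flow-log check. It flags sources that fan out on TCP/135, and hosts that receive a TCP/4444 connection and then send a TFTP request back to the connecting host. The record format, the thresholds, and the assumption that the fetch runs from the newly infected host to the infecting one over UDP/69 are this example's own; the sample flows are constructed.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): "epoch src dst proto dport"
SAMPLE_FLOWS = """\
1060733000 10.0.0.5 10.0.1.1 tcp 135
1060733001 10.0.0.5 10.0.1.2 tcp 135
1060733002 10.0.0.5 10.0.1.3 tcp 135
1060733003 10.0.0.5 10.0.1.4 tcp 135
1060733004 10.0.0.5 10.0.1.3 tcp 4444
1060733005 10.0.1.3 10.0.0.5 udp 69
1060733010 10.0.0.9 10.0.0.2 tcp 135
1060733020 10.0.0.7 10.0.0.8 tcp 4444
truncated record
"""

FAN_OUT = 4   # assumed threshold: distinct TCP/135 destinations per source
WINDOW = 60   # assumed max seconds between the 4444 session and the tftp fetch

def parse(text):
    """Yield (ts, src, dst, proto, dport); skip records that do not parse."""
    for line in text.splitlines():
        try:
            ts, src, dst, proto, dport = line.split()
            yield int(ts), src, dst, proto.lower(), int(dport)
        except ValueError:
            continue

def analyse(text):
    """Return (scanners, victims) as sets of source addresses."""
    rpc_targets = defaultdict(set)   # src -> distinct hosts contacted on TCP/135
    shells = []                      # (ts, initiator, target) of TCP/4444 sessions
    victims = set()
    for ts, src, dst, proto, dport in sorted(parse(text)):
        if proto == "tcp" and dport == 135:
            rpc_targets[src].add(dst)
        elif proto == "tcp" and dport == 4444:
            shells.append((ts, src, dst))
        elif proto == "udp" and dport == 69:
            # tftp request from a 4444 target back to the host that opened the shell
            if any(tgt == src and ini == dst and 0 <= ts - sts <= WINDOW
                   for sts, ini, tgt in shells):
                victims.add(src)
    scanners = {s for s, d in rpc_targets.items() if len(d) >= FAN_OUT}
    return scanners, victims

if __name__ == "__main__":
    scanners, victims = analyse(SAMPLE_FLOWS)
    print("TCP/135 fan-out sources:", sorted(scanners))
    print("4444 shell followed by tftp:", sorted(victims))
```

A lone TCP/4444 session (10.0.0.7 in the sample) is not flagged on its own; only the 4444-then-TFTP pairing is, which keeps unrelated services on that port out of the results.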
    
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 23:09:37 PDT