On Thursday 14 August 2003 07:29 am, Bruce Martins wrote:
> It would seem that there is a third according to Symantec
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html
>
> Which drops in a little backdoor component has anyone seen this one out
> there yet?

The Blaster.c "variant" worm doesn't drop the backdoor component - the index.exe dropper drops the worm AND the backdoor. The Blaster.c worm itself is nothing more than Blaster.a with some string data altered, the filename changed and repacked with FSG instead of UPX. The worm then carries out the same functions as Blaster.a. It does not spread the backdoor around, so you may see systems infected with the Blaster.c worm but not the backdoor (if it manages to spread at all in the wake of Blaster.a).

The dropper package is probably being spread manually or via an auto-rooter, since it has no integrated code to copy itself to infected systems.

The Blaster.b (p 3 n 1 s) variant is nothing more than the Blaster.a variant with one string changed, the file renamed and repacked with UPX.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 17:03:31 PDT