On Sat, 2 Aug 2003 11:58:00 -0500
"mobly99" <[EMAIL PROTECTED]> wrote:
> Seems to be a possible worm based on the RPC/DCOM exploit making the
> rounds?
Definetly. Depending on the logfiles from our Firewall at work, there must be
something out there. Infected machines found at:
156.34.222.0/24
194.96.90.0/24
196.30.232.0/24
200.0.0.0/8
202.0.0.0/8
and so on. Their traffic is about 50-75% of a day's traffic. Fortunately without any
damage to our systems. The worm seems to check hosts with a funny ryhtm within a
Subnet:
IP=123.123.123.1
$IP+5
$IP+1
$IP+4
$IP+2
$IP+3
$IP+3
$IP+2
$IP+4
$IP+1
$IP+5
...
...
Dunno why but I found it out reading the 24h output of our Firewall. The coder must be
stupid/[totally stoned] or simply made a mistake coding the loops for scanning.
Strange thing,
Lukas
> puts these files in %systemdrive%
> rpc.exe
> rpctest.exe
> tftpd.exe
> worm.exe
> lolx.exe
>
> also in %windir%\system32
> lolx.exe
> dcomx.exe
>
> rpc.exe and dcomx.exe appear in the running tasks.
>
>
> I pulled samples of them and submitted to SARC.
>
>
> -Dave
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
