>From the AUSCERT announcement
>It usually arrives as DLLHOST.EXE (~10,240 bytes) and opens port 707, for its malicious routines.
>Similar to the earlier MSBLAST worm variants, this malware also exploits the RPC DCOM Buffer
>Overflow, and instructs target systems to download its copy from the affected system using the TFTP
>program [1]

>creates a backdoor listening on TCP/707 or some other randomly chosen port between TCP/666 and
>TCP/765 [2]

Telnetting to this port seems to disconnect after 1-5 characters have been entered? This doesn't look like TFTP (port 65/tcp&UDP), and the Windows tftp client doesn't seem to offer any means of specifying a port to connect to?

Is this some kind of password protected backdoor?

Barry

[1] http://www.auscert.org.au/render.html?it=3359&cid=1
[2] http://securecomputing.stanford.edu/win-rpc.html

--
Barry Irwin [EMAIL PROTECTED] http://lair.moria.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
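For triage on a host suspected of running this variant, the port range quoted in the message above (TCP/666 to TCP/765, usually 707) can be checked against the machine's listening sockets. The sketch below is an added example, not part of the original post or of the advisories it cites; it parses Windows `netstat -ano` output, and the sample text and the function name are constructed for illustration.

```python
# Port range taken from the advisory text quoted in the post (TCP/666-765, usually 707).
BACKDOOR_PORTS = range(666, 766)

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:707            0.0.0.0:0              LISTENING       1432
  TCP    10.0.0.5:1045          10.0.0.9:707           ESTABLISHED     1432
  TCP    [::]:700               [::]:0                 LISTENING       2210
  UDP    0.0.0.0:123            *:*                                    996
"""


def suspect_listeners(netstat_text, ports=BACKDOOR_PORTS):
    """Return sorted (local_port, pid) pairs for TCP listeners inside `ports`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP data rows have 5 columns: proto, local, foreign, state, pid.
        # Headers, blank lines and UDP rows (no state column) are skipped.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rpartition splits on the last colon, so IPv6 literals like [::]:700 work.
        _, _, port_text = fields[1].rpartition(":")
        if not port_text.isdigit() or not fields[4].isdigit():
            continue
        port = int(port_text)
        if port in ports:
            hits.append((port, int(fields[4])))
    return sorted(hits)


if __name__ == "__main__":
    for port, pid in suspect_listeners(SAMPLE_NETSTAT):
        print(f"TCP/{port} listening, PID {pid}: check the owning image name and path")
```

A hit only narrows the search: the PID still has to be mapped to its image name and file path before the listener can be attributed to the worm's DLLHOST.EXE.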
