RPC/DCOM Worm released

Tuesday, August 12 2003 @ 03:06 AM EDT

Contributed by: William Reyor

Is your computer rebooting all by itself every time you log on to the internet? This and more are symptoms of a new worm that was released 8/11/03 into the wilds of the internet. The worm, which infects new hosts through the recently discovered (7/16/03) security flaw in Windows XP involving RPC/DCOM, is probably the cause of your rebooting. For a complete analysis of the worm, see Symantec's in-depth report. For a binary version of the worm click here (LIVE WORM, DANGER!) (worm capture and hosting compliments of Nils Sommer). For removal instructions, see below.


We've all been warned. The DHS has issued multiple warnings. News around the world warned that it wasn't a question of if but when a worm would be released for the DCOM vulnerability. So to those who are infected, be happy that the worm doesn't have a completely destructive payload. What I've read and heard regarding the worm alludes to this being only a taste of what's to come. So if you aren't patched and your antiviral software isn't updated, be aware that this may not be the end of the DCOM mess.

Here are some simple removal instructions:

1. Enable your Windows XP firewall (if using XP); if not, use a third-party firewall to block ports 135-139 / 445-593 and 4444.
2. Patch the machine.
3. Remove registry entries containing "msblast.exe".
4. Reboot.
5. Remove msblast.exe.

Note that when patching a system, it's been reported that if multiple patches are applied at once, the DCOM patch is overwritten, so be sure to reboot after the installation of each patch.
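For step 3, one way to locate the entries before removing them, as an added example that is not part of the original article: it scans a text export of the registry (such as the output of `reg export`) for values that mention msblast.exe, including string data exported as hex bytes. The sample export, its keys and its value names are constructed; the article does not say which keys the worm writes to.

```python
import re

NEEDLE = "msblast.exe"  # file name taken from the removal steps

# Constructed sample in `reg export` text form; value names are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"constructed-updater"="msblast.exe"
"constructed-tray"="C:\\Program Files\\Example\\tray.exe"
"constructed-expand"=hex(2):4d,00,53,00,42,00,4c,00,41,00,53,00,\
  54,00,2e,00,45,00,58,00,45,00,00,00

[HKEY_CURRENT_USER\Software\Constructed]
"count"=dword:00000001
'''

def decode_value(raw):
    """Text held by one .reg token: a quoted string or UTF-16LE hex string data."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo \\ and \" escaping
    m = re.match(r'hex\([127]\):(.*)', raw)  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
    if m:
        data = bytes(int(b, 16) for b in re.findall(r'[0-9a-fA-F]{2}', m.group(1)))
        text = data.decode("utf-16-le", errors="replace")
        return text.replace("\x00", " ").strip()
    return ""  # dword and binary data cannot name a file

def find_references(reg_text, needle=NEEDLE):
    """Return (key, value name, data) for each value that mentions needle."""
    reg_text = re.sub(r'\\\r?\n\s*', '', reg_text)  # join hex continuation lines
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key and m:
            name = "(Default)" if m.group(1) == "@" else decode_value(m.group(1))
            data = decode_value(m.group(2))
            if needle.lower() in f"{name} {data}".lower():
                hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_references(SAMPLE_REG):
        print(f"{key} -> {name} = {data}")
```

Files written by `reg export` are UTF-16, so open a real export with `encoding="utf-16"` before passing its text to `find_references`.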



Topsight.net
http://www.topsight.net/article.php/20030812030632419