Microsoft vulnerability Buffer Overrun In RPC Interface Could Allow Code Execution



Nick VR4
19-07-2003, 04:55 PM
BTT
I'm editing this as there is a new virus that exploits this vulnerability in MS operating systems. I've already seen a few posts with people getting errors, and it disconnects you from the WWW.
----------------------------------------------------------------------

This threat was proactively detected as a variant of Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default).
This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user.

When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to download the worm from the infected host system [TFTP UDP port 69].)

Once run, the worm creates the registry key (may be either of the following):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "windows auto update" = msblast.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

----------------------------------------------------------------------


You might want to get the patches for this

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp


Affected Software:

Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003
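As an added example (not part of the thread or the quoted McAfee write-up), here is a small Python script that flags the propagation chain described above in firewall logs: one source sweeping TCP/135 across many hosts, then opening TCP/4444 on a hit, then that victim pulling a file back over TFTP (UDP/69). The log line format and the sweep threshold are assumptions; the sample lines are constructed.

```python
"""Flag the MS03-026 / Blaster propagation chain in simple firewall log lines.
Assumed (constructed) log format: "<src> -> <dst> <proto>/<port> <verdict>"."""
from collections import defaultdict

# Constructed sample log: 10.0.0.5 sweeps 135, shells 10.0.1.3 on 4444,
# and 10.0.1.3 pulls the worm back over TFTP. 10.0.0.9 is benign noise.
SAMPLE_LOG = """\
10.0.0.5 -> 10.0.1.1 tcp/135 allow
10.0.0.5 -> 10.0.1.2 tcp/135 allow
10.0.0.5 -> 10.0.1.3 tcp/135 allow
10.0.0.5 -> 10.0.1.4 tcp/135 allow
10.0.0.5 -> 10.0.1.3 tcp/4444 allow
10.0.1.3 -> 10.0.0.5 udp/69 allow
10.0.0.9 -> 10.0.2.2 tcp/135 allow
10.0.0.9 -> 10.0.2.2 tcp/445 allow
"""


def parse(line):
    """Split one assumed-format log line into (src, dst, proto, port, verdict)."""
    src, _, dst, svc, verdict = line.split()
    proto, port = svc.split("/")
    return src, dst, proto, int(port), verdict


def find_blaster_like(log_text, sweep_threshold=3):
    """Return {src: {"targets": n, "shells": [...], "tftp_back": [...]}} for
    sources that swept >= sweep_threshold hosts on tcp/135 and then used 4444."""
    sweeps = defaultdict(set)    # src -> distinct hosts probed on tcp/135
    shells = defaultdict(list)   # src -> victims contacted on tcp/4444
    tftp = defaultdict(list)     # infected host -> victims fetching over udp/69
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port, _ = parse(line)
        if proto == "tcp" and port == 135:
            sweeps[src].add(dst)
        elif proto == "tcp" and port == 4444:
            shells[src].append(dst)
        elif proto == "udp" and port == 69:
            tftp[dst].append(src)  # the victim pulls from the infected host
    hits = {}
    for src, targets in sweeps.items():
        if len(targets) >= sweep_threshold and shells[src]:
            hits[src] = {"targets": len(targets), "shells": shells[src],
                         "tftp_back": sorted(set(shells[src]) & set(tftp[src]))}
    return hits


if __name__ == "__main__":
    for src, info in find_blaster_like(SAMPLE_LOG).items():
        print(f"{src}: swept {info['targets']} hosts on 135, shell on 4444 to "
              f"{info['shells']}, TFTP pull-back from {info['tftp_back']}")
```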

Nick VR4
12-08-2003, 03:29 PM
BTT
I'm editing this as there is a new virus that exploits this vulnerability in MS operating systems. I've already seen a few posts with people getting errors, and it disconnects you from the WWW.