OT virus/NOT A HOAX
"danrahan" wrote in message ...

> This appears to be a variation on an old hoax. Ms Blast.exe appears to be a legit file. This virus does not show up on Symantec's list.

I just received a warning from my antivirus program (E-Trust) warning me of the virus, along with a full report of how it works. NO HOAX. Update your antivirus NOW. Here is a snippet of what E-Trust sent me this morning:

***********************************************

Win32.Poza is a worm using the exploit described in MS03-026 to gain access to unpatched Windows installations. More information about the exploit can be found in our Vulnerabilities Library or at the Microsoft site here: http://www.microsoft.com/technet/sec...n/MS03-026.asp

Method of Installation

It creates a mutex "BILLY" to avoid running multiple instances of itself, and creates a registry value to activate on Windows restart:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"

The worm runs a FTP service listening on port 69, waiting for exploited machines to connect.

Method of Distribution

It starts by scanning the entire subnet for open 135 ports, then moves on to randomly selected class B subnets (255.255.0.0) to start scanning. If an open 135 port is found, it uses the exploit mentioned above to gain entry and create a remote shell on the exploited machine. It then assumes the exploit succeeded and attempts to connect to port 4444 of the remote machine. If successfully connected, it instructs the remote machine to download MSBLAST.EXE (size: 6,176 bytes, UPX packed) from its FTP service using TFTP.EXE. It then sends an instruction to start MSBLAST.EXE on the remote machine.

Note: TFTP.EXE is a utility included by default in installations of Windows 2000 and later versions.

The worm is capable of keeping live connections to 20 exploited machines simultaneously.

Payload

If the day of the month is 16 or later, or the month is between January and August, the worm creates a working thread to send random data to windowsupdate.com almost continuously. This effectively launches a Distributed Denial of Service attack against windowsupdate.com.

Additional Information

The worm body contains these strings:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

CA has also received reports from several sources that this worm may be seen associated with crashes of svchost.exe.

****************************************************
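The vendor write-up quoted above describes a fixed propagation sequence: the attacker probes TCP/135, connects to the shell it expects on TCP/4444, and the victim then fetches MSBLAST.EXE back from the attacker with TFTP.EXE, which speaks TFTP over UDP/69. That ordering is a network-side indicator you can hunt for without touching the infected host. The following is an added example, not part of the original post or of CA's advisory: it parses constructed connection-log lines in an assumed "timestamp proto src:port -> dst:port" format, flags hosts scanning many targets on 135, and, for each attacker/victim pair, reports whether the 135 -> 4444 -> 69/udp chain completed (so a download was observed) or stopped at the 4444 connect. The two-minute correlation window is an assumption chosen for the sample, not a property of the worm.

```python
"""Hunt for the MS03-026 worm propagation chain in connection logs.

Added example (not from the forum post or the CA advisory).  The log
format, the sample data and the two-minute correlation window are all
assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data in an assumed format:
#   "<ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
# 10.0.0.5 sweeps a subnet for 135, gets a shell on .21 and .23, but only
# .21 completes the TFTP fetch.  10.0.0.7 infects .9 without a visible sweep.
# 10.0.0.30 -> .40:4444 has no preceding 135 probe and must not be flagged.
SAMPLE_LOG = """\
2003-08-11T09:00:01 tcp 10.0.0.5:1034 -> 10.0.0.20:135
2003-08-11T09:00:01 tcp 10.0.0.5:1035 -> 10.0.0.21:135
2003-08-11T09:00:02 tcp 10.0.0.5:1036 -> 10.0.0.22:135
2003-08-11T09:00:03 tcp 10.0.0.5:1037 -> 10.0.0.21:4444
2003-08-11T09:00:04 udp 10.0.0.21:1029 -> 10.0.0.5:69
2003-08-11T09:00:05 tcp 10.0.0.5:1038 -> 10.0.0.23:135
2003-08-11T09:00:06 tcp 10.0.0.5:1039 -> 10.0.0.23:4444
2003-08-11T09:05:00 tcp 10.0.0.7:2200 -> 10.0.0.9:135
2003-08-11T09:05:30 tcp 10.0.0.7:2201 -> 10.0.0.9:4444
2003-08-11T09:05:31 udp 10.0.0.9:1030 -> 10.0.0.7:69
2003-08-11T09:10:00 tcp 10.0.0.30:3000 -> 10.0.0.40:4444
"""

RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69


@dataclass(frozen=True)
class Conn:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text: str) -> list[Conn]:
    """Parse the assumed log format into Conn records; skips blank lines."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, proto, src, arrow, dst = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected log line: {line!r}")
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        conns.append(Conn(datetime.fromisoformat(ts), proto.lower(),
                          s_ip, int(s_port), d_ip, int(d_port)))
    return conns


def find_scanners(conns: list[Conn], min_targets: int = 3) -> dict[str, int]:
    """Sources that probed TCP/135 on at least min_targets distinct hosts."""
    targets: dict[str, set[str]] = defaultdict(set)
    for c in conns:
        if c.proto == "tcp" and c.dport == RPC_PORT:
            targets[c.src].add(c.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_infections(conns: list[Conn],
                    window: timedelta = timedelta(minutes=2)) -> dict[str, tuple[str, str]]:
    """Map victim -> (attacker, status) for pairs showing the exploit chain.

    status is "downloaded" when attacker->victim:135/tcp is followed within
    `window` by attacker->victim:4444/tcp and then victim->attacker:69/udp,
    or "shell_only" when the 4444 connect was seen but no TFTP fetch was.
    A bare 4444 connection with no preceding 135 probe is not reported.
    """
    by_pair: dict[tuple[str, str], list[Conn]] = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)

    results: dict[str, tuple[str, str]] = {}
    for (attacker, victim), evs in by_pair.items():
        evs.sort(key=lambda c: c.ts)
        rpc = [c.ts for c in evs if c.proto == "tcp" and c.dport == RPC_PORT]
        shell = [c.ts for c in evs if c.proto == "tcp" and c.dport == SHELL_PORT]
        # The download goes the other way: the victim's TFTP.EXE pulls from
        # the attacker's UDP/69 listener.
        tftp = [c.ts for c in by_pair.get((victim, attacker), [])
                if c.proto == "udp" and c.dport == TFTP_PORT]
        for t_rpc in rpc:
            t_shell = next((t for t in shell if t_rpc <= t <= t_rpc + window), None)
            if t_shell is None:
                continue
            t_tftp = next((t for t in tftp if t_shell <= t <= t_shell + window), None)
            results[victim] = (attacker, "downloaded" if t_tftp else "shell_only")
            break
    return results


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for src, n in find_scanners(conns).items():
        print(f"scanner  {src}: probed {n} hosts on tcp/135")
    for victim, (attacker, status) in sorted(find_infections(conns).items()):
        print(f"victim   {victim}: {status} via {attacker}")
```

On the sample data this reports 10.0.0.5 as a scanner, 10.0.0.21 and 10.0.0.9 as victims that completed the download, and 10.0.0.23 as shell_only; the lone 4444 connection to 10.0.0.40 is ignored. A "shell_only" host still deserves a look, since the advisory notes the worm assumes the exploit worked and the download can fail without the RPC crash having been harmless.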