|
Description:
This variant of WORM_MSBLAST.A similarly exploits the RPC DCOM BUFFER OVERFLOW, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, which compromises network security by allowing an attacker to gain full access and execute any code on a target machine.
This variant is similar to WORM_MSBLAST.A except for the name of its file, which is PENIS32.EXE. It is also a decompressed version of the UPX-compressed A variant.
For a general overview of the MSBLAST family of worms, please refer to the Virus Encyclopedia entry for WORM_MSBLAST.GEN.
This worm continuously scans for random IP addresses (x.x.x.0) and sends data to vulnerable systems in the network using port 135.
On the following system dates, it performs a Distributed Denial Of Service attack against windowsupdate.com:
- On the 16th to the 31st day of the following months:
- January
- February
- March
- April
- May
- June
- July
- August
- Any day in the months of September to December.
For more information on the RPC DCOM Buffer Overflow, please visit the following Microsoft page:
Important: Users of affected systems are strongly advised to apply the necessary patch, which is available on the Microsoft page cited above.
The RPC DCOM vulnerability affects unpatched systems running Windows NT, 2000, XP, and Server 2003. This worm, however, can only propagate into systems running Windows 2000 and XP.
Users are also advised to visit the following page for more information from Microsoft:
For additional information about this threat, see:
Solution
Technical Details
Description created: Aug. 13, 2003 10:51:24 AM GMT -0800
Description updated: Aug. 16, 2003 9:35:52 PM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
