Description:
This worm usually arrives as DLLHOST.EXE (~10,240 bytes) on target systems. It also opens ports in the range 666 to 765 for its malicious routines.
(Note: There is a normal system file named DLLHOST.EXE that is 6 kilobytes.)
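The two indicators above (a DLLHOST.EXE of about 10,240 bytes, and open ports in the 666 to 765 range) can be checked with a short triage script. This is an added example, not part of the original description; the `netstat -an` text, the file paths and sizes, and the 512-byte size tolerance are constructed assumptions.

```python
import re

# Indicators from the description: file name, approximate worm size, port range.
WORM_NAME = "dllhost.exe"
WORM_SIZE = 10240                 # bytes (the legitimate file is about 6 KB)
WORM_PORTS = range(666, 766)      # ports 666 through 765 inclusive

# One row of `netstat -an`: protocol, local address:port, foreign address, state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s*(\S*)", re.I)

def flagged_ports(netstat_text):
    """Return sorted (protocol, local port) pairs open inside the worm's range."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).upper(), int(m.group(2)), m.group(3).upper()
        # TCP rows count only when listening; UDP rows carry no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        if port in WORM_PORTS:
            hits.add((proto, port))
    return sorted(hits)

def flagged_files(listing, tolerance=512):
    """Return paths named DLLHOST.EXE whose size is within tolerance of 10,240."""
    hits = []
    for path, size in listing:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == WORM_NAME and abs(size - WORM_SIZE) <= tolerance:
            hits.append(path)
    return hits

# Constructed sample data (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:707            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:666           ESTABLISHED
  UDP    0.0.0.0:700            *:*
"""
SAMPLE_LISTING = [
    (r"C:\dir_a\DLLHOST.EXE", 6144),    # constructed size near the 6 KB normal file
    (r"C:\dir_b\DLLHOST.EXE", 10240),   # constructed size matching the worm copy
    (r"C:\dir_b\notes.txt", 10240),
]

if __name__ == "__main__":
    print(flagged_ports(SAMPLE_NETSTAT))
    print(flagged_files(SAMPLE_LISTING))
```

A hit on either check is a lead for further inspection, not a verdict: other software can open ports in this range, and the size figure in the description is approximate.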
Propagation
Similar to the earlier MSBLAST worm variants, this malware also exploits the RPC DCOM Buffer Overflow, and instructs target systems to download its copy from the affected system using TFTP (Trivial File Transfer Protocol). More information and patch links relating to the RPC DCOM Buffer Overflow are available at the Microsoft page:
This worm also uses a WebDAV exploit to propagate to unpatched systems. For more information and patch links relating to the WebDAV exploit, please refer to the following Microsoft page:
Important: Users of affected systems are strongly advised to apply the necessary patches. Note that the patch provided in Microsoft Security Bulletin MS03-007 is superseded by the patch available in Microsoft Security Bulletin MS03-013. To avoid known problems on systems running Windows 2000 SP2 and Windows XP SP1, users are advised to use the patch from MS03-013.
Patch Download
This worm is also designed to patch systems against the RPC DCOM Buffer Overflow. It first checks the running Windows version and then downloads a patch from Microsoft. Note, however, that this worm has no mechanism for checking whether the service pack required to install the patch is present. Thus, on systems where the required service packs are not installed, the downloaded patch is left uninstalled.
Additional Details
When the current system year is 2004, this worm automatically removes itself from the system. It runs on Windows 2000 and XP.
Users are also advised to visit the following page for more information from Microsoft:
Description created: Aug. 18, 2003 5:42:21 AM GMT -0800