
Weird Worm

Started by Thing, August 19, 2003, 01:08 AM


Thing

W32.Welchia.Worm

Here are some of the highlights:

1. Exploits the DCOM RPC vulnerability (described in Microsoft Security
2. Checks the computer's operating system version, Service Pack number, and System Locale and attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch.
3. Once the update has been downloaded and executed, the worm will restart the computer so that the patch is installed.
4. The worm will also attempt to remove W32.Blaster.Worm.
5. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.

That sucking sound you hear is my bandwidth.

Spht

Sounds like one fine-tasting worm.

Arta

It's not an uncommon idea :)

A good one if you ask me, although still illegal, AFAIK.

Yoni

Quote from: Arta[vL] on August 19, 2003, 07:00 AM
It's not an uncommon idea :)

A good one if you ask me, although still illegal, AFAIK.

As long as the coder(s) and distributor(s) remain anonymous, nobody is hurt. Unfortunately, they cannot collect their fame. But they'll get over it.

Skywing

Quote from: Yoni on August 19, 2003, 07:16 AM
Quote from: Arta[vL] on August 19, 2003, 07:00 AM
It's not an uncommon idea :)

A good one if you ask me, although still illegal, AFAIK.

As long as the coder(s) and distributor(s) remain anonymous, nobody is hurt. Unfortunately, they cannot collect their fame. But they'll get over it.

It'll still keep wasting lots of bandwidth constantly scanning for open machines.

EvilCheese

The MSBlast worm itself is something of a let-down.

I was unfortunate enough to be infected by it approximately 24 hours before the public knew about it.

After manually disabling it (which was a lot easier than it should have been for a well-written worm) I decompressed and reversed it.

Essentially it's a DDOS worm. The exe looks like it was written by someone who got a hold of the original exploit code and then bolted on a few features... an algorithm for random generation and scanning of IPs... and a simple addition which uses ftp to download itself.. oh... and don't forget the code which will packet-flood the windows update site :P

I would have expected to see some polymorphism, perhaps some backup measures to prevent deletion, or even some anti-anti-virus measures, but nope.

The worm was written by a newbie who knows a little about the FTP protocol and downloaded the (freely available) DCOM RPC exploit code from somewhere, or so it seems. Could have been 40 times nastier than it is. ;/

EvilCheese

Ewww, now I'm reviewing worms.  :'(

Need to stop thinking that way.

j0k3r

Quote
5. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.

Is this a permanent removal? Or does it leave traces of whatever it has done? Cause that seems like a pretty bad thing to do if you're making a monster worm... Does that also mean that if you have the worm all you have to do is change the year to 2004?

Quote
Anyone attempting to generate random numbers by deterministic means is, of course, living in a state of sin
John Vo

iago

This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Raven

Apparently, MSBlaster doesn't even spoof or cloak itself from task manager, so one could easily tell if they're infected by simply hitting CTRL+ALT+DEL, and it'll be right there. I patched myself anyway since I don't like having to deal with this stuff, but it seems that as destructive as the worm is, it's not very difficult to disable. ;)

Hitmen

That's why it was considered dangerous at all, even if you end the process the computer still ends up shutting itself down within a few minutes. If you could just end it and be done it would be too easy to get rid of for it to be worthwhile.

Raven

That's not what I meant HT. I was talking about how easy it was to determine if a system was infected, and then take appropriate action to remove it. :)

Mesiah / haiseM

I knew about that vulnerability about eh... a little while after windows 2000 came out.

All you have to do is go into your service list, change your device failure settings to take no action for the rpc, and that will keep your computer from restarting in that dreadful 60 seconds.

Plus norton is god so.. msblast is probably one of the worst attempts at a worm I've ever got..

I don't believe in windows update, unless there's something good I want :P

HighBrow Innovations
Coming soon...