Weird Worm

Thing · August 19, 2003, 01:08 AM

W32.Welchia.Worm

Here are some of the highlights:

1. Exploits the DCOM RPC vulnerability (described in Microsoft Security
2. Checks the computer's operating system version, Service Pack number, and System Locale and attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch.
3. Once the update has been download and executed, the worm will restart the computer so that the patch is installed.
4. The worm will also attempt to remove W32.Blaster.Worm.
5. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.

Spht · August 19, 2003, 01:28 AM

Sounds like one fine-tasting worm.

Arta · August 19, 2003, 07:00 AM

It's not an uncommon idea

A good one if you ask me, although still illegal, AFAIK.

Yoni · August 19, 2003, 07:16 AM

Quote from: Arta[vL] on August 19, 2003, 07:00 AM
It's not an uncommon idea

A good one if you ask me, although still illegal, AFAIK.

As long as the coder(s) and distributor(s) remain anonymous, nobody is hurt. Unfortunately, they cannot collect their fame. But they'll get over it.

Skywing · August 19, 2003, 08:22 AM

Quote from: Yoni on August 19, 2003, 07:16 AM
Quote from: Arta[vL] on August 19, 2003, 07:00 AM
It's not an uncommon idea

A good one if you ask me, although still illegal, AFAIK.

As long as the coder(s) and distributor(s) remain anonymous, nobody is hurt. Unfortunately, they cannot collect their fame. But they'll get over it.

It'll still keep wasting lots of bandwidth constantly scanning for open machines.

EvilCheese · August 19, 2003, 02:55 PM

The MSBlast worm itself is something of a let-down.

I was unfortunate enough to be infected by it approximately 24 hours before the public knew about it.

After manually disabling it (which was a lot easier than it should have been for a well-written worm) I decompressed and reversed it.

Essentially it's a DDOS worm. The exe looks like it was written by someone who got a hold of the original exploit code and then bolted on a few features... an algorithm for random generation and scanning of IPs... and a simple addition which uses ftp to download itself.. oh... and dont forget the code which will packet-flood the windows update site

I would have expected to see some polymorphism, perhaps some backup measures to prevent deletion, or even some anti-anti-virus measures, but nope.

The worm was written by a newbie who knows a little about the FTP protocol and downloaded the (freely available) DCOM RPC exploit code from somwhere, or so it seems. Could have been 40 times nastier than it is. ;/

EvilCheese · August 19, 2003, 02:56 PM

Ewww, now I'm reviewing worms.

Need to stop thinking that way.

j0k3r · August 19, 2003, 03:04 PM

Quote5. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.

Is this a permanent removal? Or does it leave traces of whatever it has done? Cause that seems like a pretty bad thing to do if your making a monster worm... Does that also mean that if you have the worm all you have to do is change the year to 2004?

iago · August 21, 2003, 06:43 PM

MSBlaster:
http://www.astalavista.com/code/assembly/A-decompilation-of-the-Lovesan-MSBLAST-Worm.txt

Raven · August 24, 2003, 04:08 PM

Apparently, MSBlaster doesn't even spoof or cloak itself from taskmanager, so one could easily tell if they're infecting by simply hitting CTRL+ALT+DEL, and it'll be right there. I patched myself anyway since I don't like having to deal with this stuff, but it seems that as destructive as the worm is, it's not very difficult to disable.

Hitmen · August 24, 2003, 07:26 PM

That's why it was considered dangerous at all, even if you end the process the computer still ends up shutting itself down within a few minutes. If you could just end it and be done it would be too easy to get rid of for it to be worthwhile.

Raven · August 24, 2003, 09:11 PM

That's not what I meant HT. I was talking about how easy it was to determine if a system was infected, and then take appropriate action to remove it.

Mesiah / haiseM · August 27, 2003, 12:47 AM

i knew about that volnerability about eh... a little while after windows 2000 came out.

All you have to do is go into your service list, change your device failure settings to take no action for the rpc, and that will keep your computer from restarting in that dreadful 60 seconds.

Plus norton is god so.. msblast is probably one of the worste attempt at a worm ive ever got..

I don't beleive in windows update, unless theres something good i want

Weird Worm

EvilCheese

EvilCheese

Raven

Raven