Mailing List Archive

Windows Dcom Worm Killer
1.6 kb assembly program to kill and remove the dcom worm

http://illmob.org/files/dcomkiller.zip

DETAILS:

DCOM worm killer (W32.Blaster.Worm)
Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
Coded in MASM by:
illwill
xillwillx@yahoo.com
www.illmob.org

8/13/2003
This program is a tool to remove the malicious worm
that spreads through exploiting the DCOM RPC vulnerability using TCP port 135.
This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444,
allowing an attacker to issue remote commands on the infected system.
This tool was made to Automate the process of removing the worm from memory and all files related to it.
-------------------------------------------------------------------------
Directions:
1. Execute the file called DCOMKill.exe
This will automatically kill the worms process
running in memory and remove the registry startup method
and then it will erase any files left by the worm.

2. All done :) ... next step
W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026,
and a patch is available there. You must download and install the patch.Also buy an antivirus and keep it
updated weekly . Also I'd suggest getting a firewall to protect from any outside intruders.
-------------------------------------------------------------------------
Tech Info:
Startup registry key-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
Dropped files-
Windows system directory (c:\windows\system32 c:\winnt\system32)
msblast.exe
Note:
if you are running Windows XP, it is recommended that you temporarily turn off System Restore. Windows XP uses this feature,
which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan
infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Source:
available upon request.



---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
Re: Windows Dcom Worm Killer [ In reply to ]
I suggest that you also disable DCOM completely with
the dcomcnfg utility. More info is available at the
address below. Be sure to remove all of the DCOM
"Default Protocols" including TCP to stop windows from
listening on port 135

http://www.uksecurityonline.com/husdg/windowsxp/close135.htm

--- w g <xillwillx@yahoo.com> wrote:> Directions:
> 2. All done :) ... next step
> W32.Blaster.Worm exploits the DCOM RPC
> vulnerability. This is described in Microsoft
> Security Bulletin MS03-026,
> and a patch is available there. You must
> download and install the patch.Also buy an antivirus
> and keep it
> updated weekly . Also I'd suggest getting a
> firewall to protect from any outside intruders.

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: Windows Dcom Worm Killer [ In reply to ]
joey2cool@yahoo.com wrote:

> I suggest that you also disable DCOM completely with
> the dcomcnfg utility. More info is available at the
> address below. Be sure to remove all of the DCOM
> "Default Protocols" including TCP to stop windows from
> listening on port 135

I agree in general, but also be aware that using dcomcnfg, or manually
tweaking the associated registry setting and restarting, to disable
DCOM does not work on Win2K for SP0 - SP2 inclusive and may not work on
some other OSes.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: Windows Dcom Worm Killer [ In reply to ]
IW, Offering source?

r1an
-------------------------------

From w g <xillwillx@yahoo.com>:

>1.6 kb assembly program to kill and remove the dcom worm
>http://illmob.org/files/dcomkiller.zip
>
>DETAILS:
> DCOM worm killer (W32.Blaster.Worm)
> Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
> WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster[Panda]
> Coded in MASM by:
> illwill
> xillwillx@yahoo.com
> www.illmob.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: Windows Dcom Worm Killer [ In reply to ]
source available upon emailing me. i need to tidy up the code a bit for readability

r1an@hush.ai wrote:
IW, Offering source?

r1an
-------------------------------

From w g :

>1.6 kb assembly program to kill and remove the dcom worm
>http://illmob.org/files/dcomkiller.zip
>
>DETAILS:
> DCOM worm killer (W32.Blaster.Worm)
> Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
> WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster[Panda]
> Coded in MASM by:
> illwill
> xillwillx@yahoo.com
> www.illmob.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
Re: Windows Dcom Worm Killer and source code [ In reply to ]
source available here
http://illmob.org/sources/DCOMkill.html


1.6 kb assembly program to kill and remove the dcom worm

http://illmob.org/files/dcomkiller.zip

DETAILS:

DCOM worm killer (W32.Blaster.Worm)
Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
Coded in MASM by:
illwill
xillwillx@yahoo.com
www.illmob.org

8/13/2003
This program is a tool to remove the malicious worm
th! at spreads through exploiting the DCOM RPC vulnerability using TCP port 135.
This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444,
allowing an attacker to issue remote commands on the infected system.
This tool was made to Automate the process of removing the worm from memory and all files related to it.
-------------------------------------------------------------------------
Directions:
1. Execute the file called DCOMKill.exe
This will automatically kill the worms process
running in memory and remove the registry startup method
and then it will erase any files left by the worm.

2. All done :) ... next step
W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026,
and a patch is available there. You must download and install the patch.Also buy an antivirus and keep it
updated weekly . Also I'd suggest getting a firewall to protect from any outside intruders.
-------------------------------------------------------------------------
Tech Info:
Startup registry key-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
Dropped files-
Windows system directory (c:\windows\system32 c:\winnt\system32)
msblast.exe
Note:
if you are running Windows XP, it is recommended that you temporarily turn off System Restore. Windows XP uses this feature,
which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan
infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Source:
available upon request.



---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software



---------------------------------
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.