   Mischel Internet Security Forum
   Malware
   Trojans
   Loads, including Blaster.G...
Ian
« on: Sep 23rd, 2003, 9:14pm »

Well, we wondered how long it would be for the G variant - here's some stuff about six worms: Gibe.C, Opaserv.X, variants 'A' and 'B' of Backterra, Reksa.A and Blaster.G.  
 
The first worm, Gibe.C, spreads via e-mail in a message that perfectly imitates the style of Microsoft web pages, in order to trick the user into thinking that the attached file is a security patch. It also spreads through the peer-to-peer (P2P) file sharing program KaZaA, across shared network drives and via IRC. This worm exploits the iFrame and Incorrect MIME Header vulnerabilities, and it ends processes belonging to several antivirus programs, firewalls and system monitoring tools. This leaves the affected computer vulnerable to attack from other malicious code. In addition, Gibe.C disables the Windows Registry Editor and displays a message on screen to obtain users' confidential information (such as mail account passwords).
 
The second worm is Opaserv.X. This worm spreads to other computers by attacking IP addresses, in which it tries to make copies of itself to the existing shared network drives. It attempts to access these shared drives by exploiting the Share Level Password vulnerability. Opaserv.X creates several files in the Windows directory and it also creates an entry in the Windows registry of the affected computer.  
 
Similarly, Backterra.A and Backterra.B spread through the peer-to-peer (P2P) file sharing program eMule. In order to do so, these worms try to trick the user into thinking that it is a password generator for computer applications and games. After Backterra.A and Backterra.B are executed, and if eMule is not installed, they will display several messages on screen. The main difference between variant 'A' and variant 'B' lies in the size of the file that carries out the infection. The file of variant 'A' is 81,920 bytes and the file of variant 'B' is 69,632 bytes.
 
The fifth worm is Reksa.A, which spreads via e-mail in a message with the subject 'Support Message' and the attachment 'MSNUPDATE.EXE'. Once it is run, Reksa.A displays a message on screen and it creates the file MSN.EXE in the Windows directory. This file contains the code of the worm.  
 
Now for the finale in the worms section - Blaster.G, which affects only Windows 2003/XP/2000/NT computers. It exploits the Buffer Overrun in RPC Interface vulnerability. Blaster.G spreads by attacking IP addresses generated at random and exploits the vulnerability mentioned above to download a copy of itself to the compromised computer. In order to do this, Blaster.G incorporates its own TFTP (Trivial File Transfer Protocol) server. Two clear symptoms that indicate that Blaster.G has reached the computer are that the network traffic increases (on TCP ports 135 and 4444, and UDP port 69), and that it blocks and restarts the affected computer.
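A defender-side illustration of the Blaster.G symptoms listed in the post (TCP 135, TCP 4444, UDP 69): this is added example code, not part of the post or of any product mentioned, that scores hosts in a constructed firewall log by those three indicators. The log line format, the host addresses and the scan threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the post): time, action, proto, src, dst, dport.
SAMPLE_LOG = """\
2003-09-23 21:14:01 ACCEPT TCP 10.0.0.7 10.0.0.21 135
2003-09-23 21:14:02 ACCEPT TCP 10.0.0.7 10.0.0.21 4444
2003-09-23 21:14:03 ACCEPT UDP 10.0.0.21 10.0.0.7 69
2003-09-23 21:14:05 ACCEPT TCP 10.0.0.7 10.0.0.22 135
2003-09-23 21:14:06 ACCEPT TCP 10.0.0.7 10.0.0.23 135
2003-09-23 21:14:07 ACCEPT TCP 10.0.0.7 10.0.0.24 135
2003-09-23 21:15:10 ACCEPT TCP 10.0.0.9 10.0.0.30 135
2003-09-23 21:15:11 ACCEPT TCP 10.0.0.9 10.0.0.30 445
2003-09-23 21:16:00 ACCEPT UDP 10.0.0.40 10.0.0.41 69
"""

LINE_RE = re.compile(r"^\S+ \S+ \S+ (?P<proto>TCP|UDP) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+)$")

def parse_log(text):
    """Yield (proto, src, dst, dport) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def blaster_g_suspects(text, scan_threshold=3):
    """Score hosts against the three symptoms in the post: outbound TCP/135 (RPC exploit
    attempts against many addresses), outbound TCP/4444 (remote shell) and inbound
    UDP/69 (a victim pulling the worm from this host's TFTP server). A host is reported
    when it shows two or more symptoms, or a TCP/135 fan-out of scan_threshold targets."""
    rpc_targets, shell, tftp_served = defaultdict(set), set(), set()
    for proto, src, dst, dport in parse_log(text):
        if proto == "TCP" and dport == 135:
            rpc_targets[src].add(dst)
        elif proto == "TCP" and dport == 4444:
            shell.add(src)
        elif proto == "UDP" and dport == 69:
            tftp_served.add(dst)  # the TFTP server is the destination of the request
    report = {}
    for host in set(rpc_targets) | shell | tftp_served:
        fanout = len(rpc_targets.get(host, ()))
        symptoms = (fanout > 0) + (host in shell) + (host in tftp_served)
        if symptoms >= 2 or fanout >= scan_threshold:
            report[host] = {"rpc_targets": fanout, "shell": host in shell,
                            "tftp_served": host in tftp_served,
                            "confidence": "high" if symptoms == 3 else "medium"}
    return report
```

Running `blaster_g_suspects(SAMPLE_LOG)` reports only 10.0.0.7 (four RPC targets, a shell connection and a TFTP download served) with high confidence; a single TCP/135 connection or a lone TFTP transfer is not enough on its own.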