TUCoPS :: Malware :: bt871.txt

New Windows DCOM Worm - msblast.exe (fwd)

David Mirza Ahmad

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
The battle for the past is for the future.
We must be the winners of the memory war.

---------- Forwarded message ----------
Return-Path: <david.vincent@mightyoaks.com>
Delivered-To: da@securityfocus.com
Received: (qmail 4314 invoked from network); 11 Aug 2003 20:47:49 -0000
Received: from unknown (HELO mail.mightyoaks.com) (
  by mail.securityfocus.com with SMTP; 11 Aug 2003 20:47:49 -0000
Received: from stork.mightyoaks ([] unverified) by
    mail.mightyoaks.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Mon, 11 Aug 2003 13:55:33 -0700
Received: by stork.mightyoaks.local with Internet Mail Service (5.5.2656.59)
	id <P9FJXTGS>; Mon, 11 Aug 2003 13:55:32 -0700
Message-ID: <6130FAF67D15D411BF7100E01899071F5F99F0@stork.mightyoaks.local>
From: David Vincent <david.vincent@mightyoaks.com>
To: 'Dave Ahmad' <da@securityfocus.com>
Subject: New Windows DCOM Worm -  msblast.exe
Date: Mon, 11 Aug 2003 13:55:31 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2656.59)
Content-Type: text/plain;
Return-Path: david.vincent@mightyoaks.com
X-OriginalArrivalTime: 11 Aug 2003 20:55:33.0058 (UTC)

dave, can you send this on to the list?  my cross-posting ways have left me
wondering which list you're wanting more details for.

message follows...

i've just got a copy of this Windows DCOM Worm from a nice fellow on another

it matches the MD5 at http://isc.sans.org/diary.html?date=2003-08-11 of
5ae700c1dffb00cef492844a4db6cd69.  that's the EXE's MD5, not the unpacked
EXE version or the MD5 of the ZIP i received it in.  i have not launched it
yet, but i did note it made its way past three layers of virus protection
without being detected.

yes, we do use the same AV for all parts of our network, but that's 'cause
we're a small company with limited resources.  so don't bitch at me about
it.  :)

we've got NAV Corporate with scan engine and
definitions of 06/08/2003 rev. 4 (the most current at this time) and it is
not detected.

David Vincent  CNA/MCSE
Network Administrator


209-3347 Oak Street
Victoria, B.C. Canada V8X 1R2
Phone: 250.386.9398   Fax:  250.386.9399
Pager: 250.380.4575   Cell: 250.884.3000

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH