General Discussion | Weird Worm

Author	Message	Time
Thing	W32.Welchia.Worm Here are some of the highlights: 1. Exploits the DCOM RPC vulnerability (described in Microsoft Security 2. Checks the computer's operating system version, Service Pack number, and System Locale and attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch. 3. Once the update has been download and executed, the worm will restart the computer so that the patch is installed. 4. The worm will also attempt to remove W32.Blaster.Worm. 5. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.	August 19, 2003, 6:08 AM
Spht	Sounds like one fine-tasting worm.	August 19, 2003, 6:28 AM
Arta	It's not an uncommon idea :) A good one if you ask me, although still illegal, AFAIK.	August 19, 2003, 12:00 PM
Yoni	[quote author=Arta[vL] link=board=2;threadid=2390;start=0#msg18702 date=1061294434] It's not an uncommon idea :) A good one if you ask me, although still illegal, AFAIK. [/quote] As long as the coder(s) and distributor(s) remain anonymous, nobody is hurt. Unfortunately, they cannot collect their fame. But they'll get over it.	August 19, 2003, 12:16 PM
Skywing	[quote author=Yoni link=board=2;threadid=2390;start=0#msg18705 date=1061295379] [quote author=Arta[vL] link=board=2;threadid=2390;start=0#msg18702 date=1061294434] It's not an uncommon idea :) A good one if you ask me, although still illegal, AFAIK. [/quote] As long as the coder(s) and distributor(s) remain anonymous, nobody is hurt. Unfortunately, they cannot collect their fame. But they'll get over it. [/quote] It'll still keep wasting lots of bandwidth constantly scanning for open machines.	August 19, 2003, 1:22 PM
EvilCheese	The MSBlast worm itself is something of a let-down. I was unfortunate enough to be infected by it approximately 24 hours before the public knew about it. After manually disabling it (which was a lot easier than it should have been for a well-written worm) I decompressed and reversed it. Essentially it's a DDOS worm. The exe looks like it was written by someone who got a hold of the original exploit code and then bolted on a few features... an algorithm for random generation and scanning of IPs... and a simple addition which uses ftp to download itself.. oh... and dont forget the code which will packet-flood the windows update site :P I would have expected to see some polymorphism, perhaps some backup measures to prevent deletion, or even some anti-anti-virus measures, but nope. The worm was written by a newbie who knows a little about the FTP protocol and downloaded the (freely available) DCOM RPC exploit code from somwhere, or so it seems. Could have been 40 times nastier than it is. ;/	August 19, 2003, 7:55 PM
EvilCheese	Ewww, now I'm reviewing worms. :'( Need to stop thinking that way.	August 19, 2003, 7:56 PM
j0k3r	[quote]5. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself. [/quote] Is this a permanent removal? Or does it leave traces of whatever it has done? Cause that seems like a pretty bad thing to do if your making a monster worm... Does that also mean that if you have the worm all you have to do is change the year to 2004?	August 19, 2003, 8:04 PM
iago	MSBlaster: http://www.astalavista.com/code/assembly/A-decompilation-of-the-Lovesan-MSBLAST-Worm.txt	August 21, 2003, 11:43 PM
Raven	Apparently, MSBlaster doesn't even spoof or cloak itself from taskmanager, so one could easily tell if they're infecting by simply hitting CTRL+ALT+DEL, and it'll be right there. I patched myself anyway since I don't like having to deal with this stuff, but it seems that as destructive as the worm is, it's not very difficult to disable. ;)	August 24, 2003, 9:08 PM
Hitmen	That's why it was considered dangerous at all, even if you end the process the computer still ends up shutting itself down within a few minutes. If you could just end it and be done it would be too easy to get rid of for it to be worthwhile.	August 25, 2003, 12:26 AM
Raven	That's not what I meant HT. I was talking about how easy it was to determine if a system was infected, and then take appropriate action to remove it. :)	August 25, 2003, 2:11 AM
MesiaH	i knew about that volnerability about eh... a little while after windows 2000 came out. All you have to do is go into your service list, change your device failure settings to take no action for the rpc, and that will keep your computer from restarting in that dreadful 60 seconds. Plus norton is god so.. msblast is probably one of the worste attempt at a worm ive ever got.. I don't beleive in windows update, unless theres something good i want :P	August 27, 2003, 5:47 AM

Author

Message

Time

Thing

W32.Welchia.Worm

Here are some of the highlights:

1. Exploits the DCOM RPC vulnerability (described in Microsoft Security
2. Checks the computer's operating system version, Service Pack number, and System Locale and attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch.
3. Once the update has been download and executed, the worm will restart the computer so that the patch is installed.
4. The worm will also attempt to remove W32.Blaster.Worm.
5. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.

August 19, 2003, 6:08 AM

Spht

Sounds like one fine-tasting worm.

August 19, 2003, 6:28 AM

Arta

It's not an uncommon idea :)

A good one if you ask me, although still illegal, AFAIK.

August 19, 2003, 12:00 PM

Yoni

[quote author=Arta[vL] link=board=2;threadid=2390;start=0#msg18702 date=1061294434]
It's not an uncommon idea :)

A good one if you ask me, although still illegal, AFAIK.
[/quote]

As long as the coder(s) and distributor(s) remain anonymous, nobody is hurt. Unfortunately, they cannot collect their fame. But they'll get over it.

August 19, 2003, 12:16 PM

Skywing

[quote author=Yoni link=board=2;threadid=2390;start=0#msg18705 date=1061295379]
[quote author=Arta[vL] link=board=2;threadid=2390;start=0#msg18702 date=1061294434]
It's not an uncommon idea :)

A good one if you ask me, although still illegal, AFAIK.
[/quote]

As long as the coder(s) and distributor(s) remain anonymous, nobody is hurt. Unfortunately, they cannot collect their fame. But they'll get over it.
[/quote]
It'll still keep wasting lots of bandwidth constantly scanning for open machines.

August 19, 2003, 1:22 PM

EvilCheese

The MSBlast worm itself is something of a let-down.

I was unfortunate enough to be infected by it approximately 24 hours before the public knew about it.

After manually disabling it (which was a lot easier than it should have been for a well-written worm) I decompressed and reversed it.

Essentially it's a DDOS worm. The exe looks like it was written by someone who got a hold of the original exploit code and then bolted on a few features... an algorithm for random generation and scanning of IPs... and a simple addition which uses ftp to download itself.. oh... and dont forget the code which will packet-flood the windows update site :P

I would have expected to see some polymorphism, perhaps some backup measures to prevent deletion, or even some anti-anti-virus measures, but nope.

The worm was written by a newbie who knows a little about the FTP protocol and downloaded the (freely available) DCOM RPC exploit code from somwhere, or so it seems. Could have been 40 times nastier than it is. ;/

August 19, 2003, 7:55 PM

EvilCheese

Ewww, now I'm reviewing worms. :'(

Need to stop thinking that way.

August 19, 2003, 7:56 PM

j0k3r

[quote]5. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself. [/quote]
Is this a permanent removal? Or does it leave traces of whatever it has done? Cause that seems like a pretty bad thing to do if your making a monster worm... Does that also mean that if you have the worm all you have to do is change the year to 2004?

August 19, 2003, 8:04 PM

iago

MSBlaster:
http://www.astalavista.com/code/assembly/A-decompilation-of-the-Lovesan-MSBLAST-Worm.txt

August 21, 2003, 11:43 PM

Raven

Apparently, MSBlaster doesn't even spoof or cloak itself from taskmanager, so one could easily tell if they're infecting by simply hitting CTRL+ALT+DEL, and it'll be right there. I patched myself anyway since I don't like having to deal with this stuff, but it seems that as destructive as the worm is, it's not very difficult to disable. ;)

August 24, 2003, 9:08 PM

Hitmen

That's why it was considered dangerous at all, even if you end the process the computer still ends up shutting itself down within a few minutes. If you could just end it and be done it would be too easy to get rid of for it to be worthwhile.

August 25, 2003, 12:26 AM

Raven

That's not what I meant HT. I was talking about how easy it was to determine if a system was infected, and then take appropriate action to remove it. :)

August 25, 2003, 2:11 AM

MesiaH

i knew about that volnerability about eh... a little while after windows 2000 came out.

All you have to do is go into your service list, change your device failure settings to take no action for the rpc, and that will keep your computer from restarting in that dreadful 60 seconds.

Plus norton is god so.. msblast is probably one of the worste attempt at a worm ive ever got..

I don't beleive in windows update, unless theres something good i want :P

August 27, 2003, 5:47 AM

Valhalla Legends Forums Archive | General Discussion | Weird Worm