Worm Exploits RPC Flaw in Windows | eWeek

Worm Exploits RPC Flaw in Windows

Écrit par
Dennis Fisher
Dennis Fisher
Aug 11, 2003
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

A worm that exploits the recently discovered RPC DCOM vulnerability in Windows began spreading rapidly on the Internet Monday afternoon. The worm is targeting TCP port 135 and is causing some large spikes in traffic, but has yet to cause any real latency or network outages, experts said.

The name of the binary containing the worm is “msblast.exe,” and it is packed with the UPX compression utility. It is self-extracting and is 11KB once it is unpacked, according to information posted on the Dshield.org site run by the SANS Institute. Once the worm locates a vulnerable machine, it spawns a shell on TCP port 4444 and uses that to download the worm itself through TFTP.

SANS preliminary analysis of the worm, including a list of some of the TFTP servers the worm downloads from, is available here.

Once the worm is resident on a machine, it immediately begins scanning the Internet for other vulnerable targets. One post on a security mailing list said the worm begins scanning at IP address 192.168.0.1. It also dumps a key in the registry to start itself after a reboot.

A text string in the worms code reads: “I just want to say LOVE YOU SAN!! Billy gates why do you make this possible? Stop making money and fix your software!!”

Experts who have seen copies of the worm say it works on some versions Windows 2000 and XP and that they are trying to confirm its effectiveness on other versions.

“Weve gotten a bunch of different confirmations of this worm, and weve talked to network operators who say theyve seen customer machines going up and down,” said Dan Ingevaldson, engineering manager for the X-Force research team at Internet Security Systems Inc. in Atlanta. “This looks like the first attempt at automatically exploiting the DCOM problem.”

Ingevaldson added that ISS has seen a 10-fold increase this afternoon in the number of scans of port 135 on the machines the company monitors for its managed security clients.

ISS officials also said that the new worm is programmed to launch a denial-of-service attack against the Windows Update Web site on the 16th of each month. Windows Update is an automated service through which Microsoft customers can automatically retrueve security patches and other software updates. A successful DoS attack against the site would not prevent users from accessing patches, however, as those files can still be downloaded manually from other Microsoft sites. Each instance of the MS Blast worm, as its being called, attacks either Windows 2000 or Windows XP machines, not both. Twenty percent of the instances will attack Windows 2000 and 80 percent will look for Windows XP boxes, ISS said.

The flaw that the worm exploits is found in a portion of the Remote Procedure Call (RPC) protocol that handles message exchanges over TCP/IP. The vulnerability, which arises because of incorrect handling of error messages, affects a particular Distributed Component Object Model interface with RPC and is found in every current version of Windows.

The best way to avoid the worm is to patch Windows. Microsoft Corp., of Redmond, Wash., issued in July a patch for the vulnerability, which exists in NT 4.0, 2000, XP and Windows Server 2003.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.