VIRUS ALERT!!!....RPC 60 Sec. Reboot...

#1
This is C-4

Sup yall, has your computer been trippin out on you lately and restarting itself on its own? A lil thing will come up on the screen and say some shit about RPC has failed unexpectedly or some shit and it will do a 60 second countdown and then shutdown and come back on on its own, and keep doin that shit over and over.....well, it's a virus, ain't that a bitch, I hate hackers, they some gay fucks, here's more info on it

UPDATE: ISC Detects RPC/DCOM Worm


The Internet Storm Center (ISC) reported that it has captured an RPC/DCOM worm that is capable of spreading to Windows 2000 and Windows XP systems. According to ISC, the worm uses RPC/DCOM to propagate itself, sending a self-extracting compressed file that is 6176 bytes in size, and about 11KB when uncompressed. The captured worm came in the form of a file called mblast.exe, which has an MD5 checksum of 5ae700c1dffb00cef492844a4db6cd69.

Once the worm executes on an infected system, it spawns a backdoor on port 4444 and then tries to download more worm files from a range of TFTP servers.

The worm also adds a registry key that causes it to run with each reboot of a system. The registry key is in the SOFTWARE\Microsoft\Windows\CurrentVersion\Run hive (presumably under HKEY_LOCAL_MACHINE) under the value name "windows auto update".

The worm tries to propagate itself to other systems by scanning IP addresses sequentially for systems with an open port 135. ISC said it thinks the starting IP address used for scans might be randomly selected. Symantec reports that an algorithm is used to determine which addresses are scanned, and due to the algorithm the local subnet will be scanned first and then the worm will begin scanning address space outside the local subnet.

Symantec also reports that the worm will launch a distributed denial of service against Microsoft's Windows Update Web site on any date (as long as it is between the 15th and 31st of any given month) using SYN flood attacks from infected systems.

To protect your systems be sure to block ports 135 through 139 (UDP and TCP), 445 (TCP), and 593 (TCP) wherever possible -- oh, and load the patch provided by Microsoft! According to ISC, the existing RPC/DCOM signature in the freeware Snort intrusion detection system will detect this worm as it enters a monitored network. Symantec provided another Snort signature, which is listed below (see their analysis report here):

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; \
content:!"|5C|"; within:32; \
flow:to_server,established; \
reference:bugtraq,8205; rev: 1; )

The number of target systems scanned for an open port 135, which the worm uses to spread, has been considerably higher since Microsoft released its security bulletin on July 16. Trends reveal that since that time the number of hosts performing scans has increased dramatically. Where before July 16 there were roughly 900 to 1100 systems scanning for port 135, as of August 11 there are over 7830 systems performing scans, many of which are probably systems infected with the new worm.

To monitor the situation be sure to visit Incidents.org or Dshield.org regularly, where you can learn more about the worm, as well as learn about general trends and patterns of many different intrusion attempts.

On Monday, a few minutes after news of the new worm spread to the Bugtraq mailing list, an anonymous user with an email address from a Hotmail account posted a message to the list which contains a link to another set of exploit code for the RPC/DCOM problem. The zip file contains a copy of the code, a compiled executable, as well as a macro file that can be used once the exploit inserts a backdoor command shell into an infected system. The code, called KaHT II, is capable of spreading itself to other systems rapidly.

You can also read more about the RPC/DCOM vulnerability in other articles on our Web site, and find links to Snort and its accessories list below:
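The Snort signature quoted in the post above boils down to two content checks: the bytes 00 5C 00 5C (a backslash pair as it appears in the UTF-16 UNC path inside the RPC request) that are not followed by another backslash (5C) within the next 32 bytes, i.e. a server name that is implausibly long. The following is an added example, not code from the thread or from Symantec, that emulates just those two checks so a defender can see why the rule fires; the flow:to_server,established and port-135 conditions are left to the sensor, and the sample requests are constructed here.

```python
"""Emulation of the two content matches in the Symantec Snort rule quoted above.

This is an approximation of Snort's content/within semantics: the first
content is searched anywhere in the payload, the negated second content must
not occur in the 32 bytes that follow it, and when the second check fails Snort
retries with the next occurrence of the first content.
"""

MARKER = b"\x00\x5c\x00\x5c"   # content:"|00 5C 00 5C|"
FORBIDDEN = b"\x5c"            # content:!"|5C|"; within:32
WITHIN = 32


def snort_rule_matches(payload: bytes) -> bool:
    """True if the payload satisfies both content checks of the rule."""
    start = 0
    while True:
        i = payload.find(MARKER, start)
        if i < 0:
            return False                       # first content never found
        window = payload[i + len(MARKER): i + len(MARKER) + WITHIN]
        if FORBIDDEN not in window:
            return True                        # negated content succeeded
        start = i + 1                          # retry on the next occurrence


def utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed samples. A leading 00 byte stands in for the high byte of the
# UTF-16 character that precedes the path, so "\\\\" yields 00 5C 00 5C 00.
NORMAL_UNC_REQUEST = b"\x00" + utf16("\\\\fileserver\\share")        # 10-char name
LONG_NAME_REQUEST = b"\x00" + utf16("\\\\" + "A" * 20 + "\\share")   # 20-char name

if __name__ == "__main__":
    print("normal UNC path matches:", snort_rule_matches(NORMAL_UNC_REQUEST))
    print("long server name matches:", snort_rule_matches(LONG_NAME_REQUEST))
```

Because the path is UTF-16 (two bytes per character), the 32-byte window means any server name of 16 or more characters satisfies the rule, while a normal NetBIOS-length name (at most 15 characters) has its next backslash inside the window and does not. That is the whole heuristic; it says nothing about the rest of the request, which is why the port and flow restrictions matter for keeping false positives down.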
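The write-up gives a handful of concrete indicators: the Run-key value name "windows auto update", the file mblast.exe with its published MD5, the backdoor on 4444/tcp, the TFTP download step, and sequential scanning of port 135. As an added example, not part of the original thread or of ISC's or Symantec's tooling, here is a small defender-side check that applies those indicators to an exported list of Run-key values and to a flow log. The flow-log format and all sample data are constructed for the example; nothing here reads a live system.

```python
"""Added defender-side checks for the RPC/DCOM worm indicators described above.

Host side: look for the worm's Run-key persistence entry and compare a file's
MD5 with the published checksum.  Network side: read a constructed flow log and
flag hosts sweeping port 135 sequentially, contacting the 4444/tcp backdoor, or
pulling files over TFTP.
"""
import hashlib
import ipaddress
from collections import defaultdict

# Indicators taken from the ISC/Symantec write-up quoted in the post.
RUN_VALUE_NAME = "windows auto update"   # value under HKLM\...\CurrentVersion\Run
WORM_FILENAME = "mblast.exe"
WORM_MD5 = "5ae700c1dffb00cef492844a4db6cd69"
RPC_PORT = 135          # port the worm scans for and exploits
BACKDOOR_PORT = 4444    # shell spawned on an infected host
TFTP_PORT = 69          # worm pulls further files from TFTP servers


def suspicious_run_entries(run_values):
    """run_values: {value_name: command} as exported from the Run key.
    Returns the entries whose name or executable matches the worm indicator."""
    hits = {}
    for name, command in run_values.items():
        tokens = command.strip('"').split("\\")[-1].split()
        exe = tokens[0].strip('"').lower() if tokens else ""
        if name.lower() == RUN_VALUE_NAME or exe == WORM_FILENAME:
            hits[name] = command
    return hits


def md5_matches_worm(file_bytes):
    """True if the bytes hash to the checksum published for mblast.exe."""
    return hashlib.md5(file_bytes).hexdigest() == WORM_MD5


def parse_flow(line):
    """Constructed flow-log line: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def _mostly_sequential(addrs, tolerance=0.8):
    """True if at least `tolerance` of the gaps between sorted addresses are 1.
    The write-up says the worm walks IP addresses sequentially, so a sweep
    shows up as a run of consecutive targets even if a few flows were missed."""
    ints = sorted(int(ipaddress.ip_address(a)) for a in addrs)
    gaps = [b - a for a, b in zip(ints, ints[1:])]
    return bool(gaps) and sum(g == 1 for g in gaps) >= tolerance * len(gaps)


def analyse_flows(lines, min_targets=8):
    """Return {host: [tags]} for hosts showing worm-like traffic."""
    rpc_targets = defaultdict(set)
    findings = defaultdict(set)
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        if proto == "tcp" and dport == RPC_PORT:
            rpc_targets[src].add(dst)
        elif proto == "tcp" and dport == BACKDOOR_PORT:
            findings[src].add("connects-to-4444")   # likely the infecting host
            findings[dst].add("accepts-4444")       # likely freshly infected
        elif proto == "udp" and dport == TFTP_PORT:
            findings[src].add("tftp-download")
    for src, targets in rpc_targets.items():
        if len(targets) >= min_targets and _mostly_sequential(targets):
            findings[src].add("sequential-135-sweep")
    return {host: sorted(tags) for host, tags in findings.items()}


# Constructed sample data.
SAMPLE_RUN_VALUES = {
    "IntelliPoint": '"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe"',
    "windows auto update": "C:\\WINDOWS\\system32\\mblast.exe",
}
SAMPLE_FLOWS = (
    [f"10.0.0.5 10.0.1.{i} tcp 135" for i in range(20, 32)]   # sweep .20-.31
    + ["10.0.0.5 10.0.1.40 udp 69",                           # then a TFTP pull
       "192.168.1.2 10.0.0.5 tcp 4444",                       # backdoor contact
       "10.0.0.9 10.0.2.7 tcp 80",                            # ordinary traffic
       "10.0.0.9 10.0.2.8 tcp 135"]                           # single RPC flow
)

if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(SAMPLE_RUN_VALUES))
    print("Flow findings:", analyse_flows(SAMPLE_FLOWS))
```

The registry check is deliberately loose (value name or executable name, case-insensitive) because either alone is enough to warrant a look, whereas the hash check is exact and only useful for the one sample ISC captured. On the network side the sequential-sweep test is what separates the worm from an ordinary host that happens to talk RPC to a few servers, so a single port-135 flow is not flagged.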
 
#4
Yeah it got me yesterday too.
I'm takin this shit personal and my new mission is to fuck up the hacker's pc who started this shit.

I found the fucking worm but it didn't even let me delete it.
It was a fucking head ache.
But yeah, M$'s patch takes care of it.
It's on their website, Norton takes you right to it.
 

All Out HOGG

Guest
#12
This shit fucked me up hardcore a few days ago...But i got it removed even before i found the microsoft patch...Apparently they're spreading this through mIRC as well
 

Crack Raider

Guest
#18
Here is the deal, most of you guys probably still have the virus. The patch does not remove the virus. It prevents you from getting the virus if you don't already have it. Some of you guys have the virus and don't even know it. The virus is planning a denial of service attack on windowsupdate.com this saturday. The only way of getting rid of this virus is to download the REMOVAL TOOL from symantec.com (The makers of Norton Anti Virus)

Here is the link to download the removal tool
http://securityresponse.symantec.com/avcenter/FixBlast.exe

Apply the patch from microsoft after you scan your system with this tool and it finds and removes the virus.


Trust me, I fix computers for a living