New Microsoft virus in the wild with no patch to fix

[peterjhill]

It looks like Microsoft needs to go back and look at their code again. There is a new virus in the wild that is exploiting port 135. Security people have yet another reason to be upset at the Redmond giant.

As seen on full disclosure:
From: "3APA3A" <3APA3A@SECURITY.NNOV.RU>
To: <bugtraq@securityfocus.com>; <full-disclosure@lists.netsys.com>;
<NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Cc: <Secure@microsoft.com>
Sent: Friday, October 10, 2003 6:48 PM
Subject: Bad news on RPC DCOM vulnerability


Dear bugtraq@securityfocus.com,

There are few bad news on RPC DCOM vulnerability:

1. Universal exploit for MS03-039 exists in-the-wild, PINK FLOYD is
again actual.
2. It was reported by exploit author (and confirmed), Windows XP SP1
with all security fixes installed still vulnerable to variant of the
same bug. Windows 2000/2003 was not tested. For a while only DoS exploit
exists, but code execution is probably possible. Technical details are
sent to Microsoft, waiting for confirmation.

Dear ISPs. Please instruct you customers to use personal fireWALL in
Windows XP.

 

[baby duck monge]

oh good. another one. any word on what this actually does, or what we can expect as far as spreading goes?

 

[Rower_CPU]

Great...just when my campus was finally starting to clean up all the machines infected by Nachi.

Hopefully the antivirus companies can nab this one in the meantime.

 

[applemacdude]

My whole school just got a virus, all of them...they shut down once you turn them on ...bs...

at my ms we never got a virus with the little bondi imacs we had
go to hs and use those compaqs and you get a whole ******** of viruses...they dont even have have a good firewall which they could use to protect themselves from all the student hackers and viruses,,,,

 

[Java]

get out the popcorn

Originally posted by applemacdude
My whole school just got a virus, all of them...they shut down once you turn them on ...bs...

at my ms we never got a virus with the little bondi imacs we had
go to hs and use those compaqs and you get a whole ******** of viruses...they dont even have have a good firewall which they could use to protect themselves from all the student hackers and viruses,,,,

Starts to play, "Another one bites the dust" by Queen. Ohh, that could be the MS theme song for their next OS. (Remember when they used, "Start Me Up" by the Stones?)

 

[yamabushi]

I don't understand why Microsoft didn't enable the firewall in Windows XP by default. Each user has to actually turn the thing on. I have noticed that it sometimes manages to spontaneously turn itself off. Of course most of the millions of users of older versions of Windows don't have a software firewall at all. Scary thing is that the same thing goes for most users of older Macs. The default settings in OSX tend to be much more secure.

 

[GeeYouEye]

Originally posted by yamabushi
I don't understand why Microsoft didn't enable the firewall in Windows XP by default. Each user has to actually turn the thing on. I have noticed that it sometimes manages to spontaneously turn itself off. Of course most of the millions of users of older versions of Windows don't have a software firewall at all. Scary thing is that the same thing goes for most users of older Macs. The default settings in OSX tend to be much more secure.

OTOH, the classic Mac OS was unhackable; someone offered $10,000 to anyone who could hack a Mac OS based server on the web, and no one ever succeeded.

BTW, I believe that this particular bug uses a very similar exploit to Slammer. Any machines with port 135 closed should be good against this.

 

[peterjhill]

Originally posted by GeeYouEye

BTW, I believe that this particular bug uses a very similar exploit to Slammer. Any machines with port 135 closed should be good against this. [/B]

Slammer targetted SQL, port 1433 and port 1434. It is very difficult to close port 135, as there are a number of windows processes that listen on that port. Host based firewalls are probably the best bet.

Blaster and Welchia were to big port 135 viruii this summer.