Need an RPC/msblast 'white' virus

By Andrew Cooke
Hi,

Has anyone seen a 'white' virus yet?

I am the unlucky person to inherit a network with a mix of computers from different orgs and OS/SPs etc.

I have been using psexec for those machines I have admin rights on. However, a larger portion of the scanned subnet is not.

I am looking for a program that exploits the RPC hole to install a patch. Has anyone seen this yet?

I recall a CodeRed version that was around, and there were lots of people upset because people were exploiting systems to fix them.

Please let me know if you can help. I only want to use this tool on the network; I am sure others are in the same situation!!

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)

All Comments

by Joseph Moore In reply to Need a RPC/msblast 'white ...

Umm, this is a loaded question.
So far, no, there is not a version out there that performs the exploit to then patch the exploit. Nor is there a tool (that I have heard of) that performs the exploit to then fix it.
I do know of what you refer to. There was a SQL Server worm that searched out for SQL Servers with blank SA passwords; it then set the password to a random 4-digit number. Sure, your SA account then had a password, but the worm did not tell you what it was! So, it was a mixed blessing.
I am NOT a fan of a worm/virus that fixed what it was exploiting. To let something loose like that in a network is, IMO, irresponsible.

So, here is my thought. If you cannot get physical access to the machines (or remote access using PSEXEC or some other remote control tool), then why not download one of the RPC exploit tools? You could get a command-line-based tool that performs the RPC exploit, then you could command the target machine to download the patch file and run it.
So, you would be using an exploit tool to then perform healthy system maintenance, I guess.

Now, I do have some links to a couple different versions of tools like this. But I am not comfortable posting them in this forum (in case someone with evil intentions reads it and gets the tool for evil).
Also, I really don't know if your own intentions are noble or not!

So, if you want the links to the exploit tools, send me a message via the Peer Directory.

by Joseph Moore In reply to

I just sent you an e-mail on the manual way of doing this.

But now I just checked Symantec and I see that there is a new version that does exactly what you want! It exploits the RPC vulnerability, then patches it!

Here is a link for info:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

by dmiles In reply to Need a RPC/msblast 'white ...

Symantec Security Response has developed a removal tool to clean infections of W32.Welchia.Worm.

What the tool does

The W32.Welchia.Worm Removal Tool does the following:


Terminates the W32.Welchia.Worm viral processes.
Deletes the W32.Welchia.Worm files.
Deletes the registry values that W32.Welchia.Worm added.
Deletes the services created by W32.Welchia.Worm.

Available command-line switches for this tool

Switch               Description
/HELP, /H, /?        Displays the help message.
/NOFIXREG            Disables the registry repair. (We do not recommend using this switch.)
/SILENT, /S          Enables the silent mode.
/LOG=<path name>     Creates a log file where <path name> is the location in which to store the tool's output. By default, this switch creates the log file, FixWelch.log, in the same folder from which the removal tool was executed.
/MAPPED              Scans the mapped network drives. (We do not recommend using this switch. See the following Note.)
/START               Forces the tool to immediately start scanning.
/EXCLUDE=<path>      Excludes the specified <path> from scanning. (We do not recommend using this switch.)

Note: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:
The scanning of mapped drives scans only the mapped folders. This may not include all the folders on the remote computer, which can lead to missed detections.
If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer uses this file.

Therefore, you should run the tool on every computer.

Obtaining and running the tool

Note: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.

Download the FixWelch.exe file from: http://www.symantec.com/avcenter/FixWelch.exe.
Save the file to a convenient location, such as your downloads folder or the Windows desktop (or removable media known to be uninfected).
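The post above lists the tool's switches and stresses that it has to run on every computer itself rather than over mapped drives. The PowerShell script below is an added example, not code from the thread, from Symantec or from the removal tool's documentation: it pushes FixWelch.exe to each host on which you already hold admin rights using PsExec (the tool the original poster is already using), runs it there with /SILENT /START /LOG, and copies each host's log back into one folder. It assumes PsExec.exe is on the PATH and that FixWelch.exe was downloaded from the URL given in the post; the host names, tool path, log paths and the 30-second timeout are constructed placeholders.

```powershell
# Added example: run the W32.Welchia.Worm removal tool on each host with PsExec
# and collect one log per host. Not code from the thread or from Symantec.
# Assumptions (not stated on the page): PsExec.exe is on the PATH, the account
# running this script is a local administrator on every target (the thread's
# own precondition), and FixWelch.exe was downloaded from the URL quoted above.
# Host names and paths below are constructed placeholders.

$ToolPath  = 'C:\Tools\FixWelch.exe'          # local copy of the removal tool
$LogDir    = 'C:\Tools\FixWelch-logs'         # where per-host logs are collected
$RemoteLog = 'C:\Windows\Temp\FixWelch.log'   # /LOG target on each host
$Hosts     = @('ws-example-01', 'ws-example-02', 'ws-example-03')  # constructed

New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
$Results = @()

foreach ($h in $Hosts) {
    # Run the tool ON the host itself: the post warns that scanning mapped
    # drives with /MAPPED does not guarantee removal on the remote machine.
    # PsExec -c copies FixWelch.exe to the target, -s runs it as SYSTEM,
    # -n 30 gives up after 30 seconds if the host does not answer.
    & psexec "\\$h" -c -s -n 30 $ToolPath /SILENT /START "/LOG=$RemoteLog" 2>$null
    $exit = $LASTEXITCODE   # PsExec returns the remote process's exit code

    # Pull the log back over the administrative share (C$) so every result
    # lands in one folder; the copy is skipped quietly if no log was written.
    $localLog   = Join-Path $LogDir "$h.log"
    $remotePath = "\\$h\" + $RemoteLog.Replace(':', '$')
    Copy-Item -Path $remotePath -Destination $localLog -ErrorAction SilentlyContinue

    $Results += [pscustomobject]@{
        Host     = $h
        ExitCode = $exit
        LogSaved = Test-Path $localLog
    }
}

# Hosts that produced no log could not be reached or could not run the tool,
# which is exactly the set that still needs a visit in person.
$Results | Format-Table -AutoSize
```

Run it from an administrator's workstation that can reach the ADMIN$ and C$ shares on the targets. Machines on which you do not hold admin rights (the larger part of the subnet in the original question) will simply show up without a log, which keeps the list of machines needing hands-on cleanup honest.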


by Andrew Cooke In reply to Need a RPC/msblast 'white ...

This question was closed by the author
