Re: MSblast worm

[Nick FitzGerald <nick () virus-l demon co uk>]

Simon Glassman <simon () bsdbox co uk> wrote:

[restructured to proper quoting order]

> On Tuesday 12 August 2003 11:53 am, Jasper Blackwell wrote:
> > Does anyone know if this MSblast worm affects Win NT machines, or is it
> > just infecting 2000 and XP.
>
>       This is affecting the following machines.
>
> Windows NT 4.0 server
> Windows NT 4.0 Terminal Server Edition
> Windows 2000
> Windows XP 32 Bit Edition
> Windows XP 64 Bit Edition
> Windows Server 2003 32 Bit Edition
> Windows Server 2003 64 Bit Edition
>
> More info have a look at 
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

The worm does not infect anything but W2K and XP machines (and even 
then, not "flawlessly").

NT 4.0 WS (not mentioned in the advisory as it had reached "end of 
life"), NT 4.0 Server & TS, W2K, XP and 2K3 all contain the DCOM 
vulnerability and (apart from NT 4.0 WS) are thus mentioned in the
MS03-026 security bulletin.  That does not mean they are affected or 
infected by the worm, or by any specific exploit (the nature of the 
overflow at the heart of the vulnerability is such that exploiting it 
requires knowledge of a memory location holding specific opcodes and 
these tend to rarely be available in a fixed location regardless of OS, 
SP, hotfix, etc level).


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html