Full Disclosure mailing list archives

Re: RE: Probable new MS DCOM RPC worm for Windows


From: "Exibar" <exibar () thelair com>
Date: Thu, 25 Sep 2003 17:07:31 -0400

I've seen the same thing but BEFORE MS03-039 came out.  I've had reports
from users stating that their network port had been turned off a number of
times and they're getting sick of it.  To quiet them down I'd add their
network port to an exclude list that wouldn't show up in the IDS (Snort) for
automatic network port shutoff after the threshold is reached.

   My gut feeling is that Microsoft, in their haste to get MS03-026 out in
time for people to get their systems patched, used the 80/20 rule.  By that
I mean that they were only able to patch 80% of the conditions for
exploitation.  I think that's what Paul (and others) have seen.  Machines
patched for 026 but still able to be infected under certain, fairly rare
circumstances.  Microsoft took care of these remaining conditional holes
with MS03-039.

   But my theory is just that, a theory, and there very well could be a
variant of Welchia out there.  But I would think that there would be more
infections or infection attempts than we are seeing now.  IMHO

  Exibar
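Added example (editor's illustration, not code from Exibar or from the list): the threshold-and-exclude-list logic described above, run over constructed Snort "fast" alert lines. The rule SID 1000001, the "LOCAL Nachi ICMP echo" message text, the threshold value and the sample addresses are all assumptions. As a practitioner caveat, this version keeps counting excluded hosts and reports them separately instead of dropping them from the IDS view, so a host that was excluded only to stop complaints does not silently disappear while it is still generating Nachi/Welchia alerts.

```python
import re
from collections import Counter

# Constructed sample Snort fast-alert lines (not captured data).  SID 1000001
# and the "LOCAL Nachi ICMP echo" message are hypothetical local-rule names.
SAMPLE_ALERTS = """\
09/25-13:58:02.110431  [**] [1:1000001:1] LOCAL Nachi ICMP echo [**] [Priority: 2] {ICMP} 10.0.5.17 -> 10.0.9.3
09/25-13:58:02.112980  [**] [1:1000001:1] LOCAL Nachi ICMP echo [**] [Priority: 2] {ICMP} 10.0.5.17 -> 10.0.9.4
09/25-13:58:02.115202  [**] [1:1000001:1] LOCAL Nachi ICMP echo [**] [Priority: 2] {ICMP} 10.0.5.17 -> 10.0.9.5
09/25-13:58:03.004117  [**] [1:1000001:1] LOCAL Nachi ICMP echo [**] [Priority: 2] {ICMP} 10.0.7.22 -> 10.0.9.3
09/25-13:58:04.221900  [**] [1:1000001:1] LOCAL Nachi ICMP echo [**] [Priority: 2] {ICMP} 10.0.7.22 -> 10.0.9.4
09/25-13:58:04.223311  [**] [1:1000001:1] LOCAL Nachi ICMP echo [**] [Priority: 2] {ICMP} 10.0.7.22 -> 10.0.9.5
09/25-13:58:05.900001  [**] [1:1000001:1] LOCAL Nachi ICMP echo [**] [Priority: 2] {ICMP} 10.0.7.22 -> 10.0.9.6
09/25-13:58:06.000000  [**] [1:1000001:1] LOCAL Nachi ICMP echo [**] [Priority: 2] {ICMP} 10.0.3.9 -> 10.0.9.3
"""

# Snort fast-alert layout: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification/priority, {proto}, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alerts(text):
    """Yield one dict per well-formed fast-alert line; ignore anything else."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def evaluate(text, threshold, exclude):
    """Count alerts per source host and decide which ports to shut off.

    Returns (counts, shutoff, flagged):
      counts  - alerts seen per source IP (excluded hosts are still counted)
      shutoff - hosts at/over the threshold that are NOT on the exclude list
      flagged - excluded hosts that nevertheless crossed the threshold; these
                are reported rather than hidden so an excluded host that is
                really infected still gets looked at
    """
    counts = Counter(a["src"] for a in parse_alerts(text))
    over = {h for h, n in counts.items() if n >= threshold}
    shutoff = sorted(h for h in over if h not in exclude)
    flagged = sorted(h for h in over if h in exclude)
    return counts, shutoff, flagged


if __name__ == "__main__":
    # Assumed policy: three alerts from one host trigger a port shutoff, and
    # 10.0.5.17 is the host that complained and was put on the exclude list.
    counts, shutoff, flagged = evaluate(SAMPLE_ALERTS, threshold=3,
                                        exclude={"10.0.5.17"})
    for host, n in sorted(counts.items()):
        print(f"{host:<12} {n} alert(s)")
    print("auto-shutoff:", shutoff)
    print("excluded but over threshold (review manually):", flagged)
```

With the constructed input, 10.0.7.22 is shut off, 10.0.3.9 stays below the threshold, and 10.0.5.17 is reported under "excluded but over threshold" instead of being dropped from view.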

----- Original Message ----- 
From: "Derek Vadala" <derek () cynicism com>
To: <pauls () utdallas edu>
Cc: <full-disclosure () lists netsys com>; <incidents () securityfocus com>
Sent: Thursday, September 25, 2003 3:44 PM
Subject: [Full-disclosure] RE: Probable new MS DCOM RPC worm for Windows


I'm thinking that there *has* to be a variant of Nachi/Welchia in the
wild.  We have machines that were patched for MS03-026 (verified by
scanning with multiple scanners) but not patched for MS03-039 (ditto)
and they have been infected by something that triggers my Nachi rule in
snort.  This should *not* be possible with the "original" Nachi/Welchia,
so my assumption is that either something new has been released or the
worm has mutated somehow.

Mind you, this is anecdotal and a very small incidence (only three
machines so far), but it still bears watching IMHO.  I've been surprised
to not see any discussion on the lists about a new variant.  Perhaps no
one is looking?

Paul Schmehl (pauls () utdallas edu)

We've seen the same thing over here. I've had a handful of machines
(perhaps 15-20 out of 2500) here that were reported to be patched against
MS03-026 yet became infected with Welchia. These machines were not patched
against MS03-039. One possibility is that the systems were already
infected with Welchia at the time they were patched against MS03-026.

I know of at least one or two cases here where the technical support
person assigned to fix a particular system didn't appropriately follow the
removal procedures and left a patched, but infected, system. I have to
assume this is happening without notice in other cases, since there
haven't been reports of a variant, and the number of systems in this
situation is rather low.

So I'm betting user error, though I find it hard to believe there isn't
another variant making the rounds.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
