Full Disclosure mailing list archives
RE: Probable new MS DCOM RPC worm for Windows
From: "Carey, Steve T GARRISON" <steven-carey () us army mil>
Date: Thu, 25 Sep 2003 15:14:29 -0500
We have seen a number of infections of Nachi/Welchia on patched systems. Was told that the MS03-026 patch was only 60% effective, so you still had a 1 in 3 chance of being infected. Apparently the MS03-039 patch fixes the entire vulnerability and not just some of it. We re-enforced the rule for keeping the anti-virus current, which stopped Nachi/Welchia worm (in most cases, not all). Steve Carey -----Original Message----- From: Derek Vadala [mailto:derek () cynicism com] Sent: Thursday, September 25, 2003 2:44 PM To: pauls () utdallas edu Cc: full-disclosure () lists netsys com; incidents () securityfocus com Subject: RE: Probable new MS DCOM RPC worm for Windows
I'm thinking that there *has* to be a variant of Nachi/Welchia in the wild. We have machines that were patched for MS03-026 (verified by scanning with multiple scanners) but not patched for MS03-039 (ditto) and they have been infected by something that triggers my Nachi rule in snort. This should *not* be possible with the "original" Nachi/Welchia, so my assumption is that either something new has been released or the worm has mutated somehow. Mind you, this is anecdotal and a very small incidence (only three machines so far), but it still bears watching IMHO. I've been surprised to not see any discussion on the lists about a new variant. Perhaps no one is looking? Paul Schmehl (pauls () utdallas edu)
We've seen the same thing over here. I've had a handful of machines (perhaps 15-20 out of 2500) here that were reported to be patched against MS03-026 yet became infected with Welchia. These machines were not patched against MS03-039. One possibility is that the systems were already infected with Welchia at the time they were patched against MS03-026. I know of at least one or two cases here where the technical support person assigned to fix a particular system didn't appropriately follow the removal procedures and left a patched, but infected, system. I have to assume this is happening without notice in other cases, since there haven't been reports of a variant, and the number of systems in this situation is rather low. So I'm betting user error, though I find it hard to believe there isn't another variant making the rounds. --------------------------------------------------------------------------- ---------------------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: RE: Probable new MS DCOM RPC worm for Windows, (continued)
- Re: RE: Probable new MS DCOM RPC worm for Windows Exibar (Sep 25)
- RE: RE: Probable new MS DCOM RPC worm for Windows Robert Ahnemann (Sep 25)
- RE: Probable new MS DCOM RPC worm for Windows Williams Jon (Sep 25)
- Re: RE: Probable new MS DCOM RPC worm for Windows Paul Farrow (Sep 25)
- Re: RE: Probable new MS DCOM RPC worm for Windows Jordan Wiens (Sep 25)
- SV: RE: Probable new MS DCOM RPC worm for Windows Peter Kruse (Sep 25)
- Re: RE: Probable new MS DCOM RPC worm for Windows Paul Farrow (Sep 25)
- RE: RE: Probable new MS DCOM RPC worm for Windows Schmehl, Paul L (Sep 25)
- RE: Probable new MS DCOM RPC worm for Windows Brian (Sep 25)
- Port 6881 scans - why? Paul Johnson (Sep 25)
- Re: Port 6881 scans - why? Blue Boar (Sep 25)
- Port 6881 scans - why? Paul Johnson (Sep 25)
- RE: Probable new MS DCOM RPC worm for Windows Carey, Steve T GARRISON (Sep 25)
- Re: RE: Probable new MS DCOM RPC worm for Windows lists (Sep 27)
- Re: RE: Probable new MS DCOM RPC worm for Windows Paul Schmehl (Sep 27)
- Re: RE: Probable new MS DCOM RPC worm for Windows Karl DeBisschop (Sep 27)
- Re: RE: Probable new MS DCOM RPC worm for Windows Paul Schmehl (Sep 27)
- Re: RE: Probable new MS DCOM RPC worm for Windows Karl DeBisschop (Sep 27)