Re: RE: Probable new MS DCOM RPC worm for Windows

["Gregory A. Gilliss" <ggilliss () netpublishing com>]

W32.Welchia is in the wild. I have a customer who found it on his
home machine this morning. He is using Norton, which kindly informed
him that it had no way to handle it...

G

On or about 2003.09.25 10:57:12 +0000, Cael Abal (lists () onryou com) said:

> > I'm thinking that there *has* to be a variant of Nachi/Welchia in the
> > wild.  We have machines that were patched for MS03-026 (verified by
> > scanning with multiple scanners) but not patched for MS03-039 (ditto)
> > and they have been infected by something that triggers my Nachi rule in
> > snort.  This should *not* be possible with the "original" Nachi/Welchia,
> > so my assumption is that either something new has been released or the
> > worm has mutated somehow.
> >
> > Mind you, this is anecdotal and a very small incidence (only three
> > machines so far), but it still bears watching IMHO.  I've been surprised
> > to not see any discussion on the lists about a new variant.  Perhaps no
> > one is looking?
>
> Hi Paul,
>
> Did you use a third-party tool to verify the patches were actually 
> successfully installed on the infected machines, before detecting the 
> infection?
>
> Cael
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Gregory A. Gilliss, CISSP                             Telephone: 1 650 872 2420
Computer Engineering                                   E-mail: greg () gilliss com
Computer Security                                                ICQ: 123710561
Software Development                          WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html