Full Disclosure mailing list archives
[Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1456 - 15 msgs
From: mike.keighley () adarelexicon com
Date: Tue, 17 Feb 2004 18:18:15 +0000
Robin,

The patch for MS03-039 should stop a worm (e.g. Blaster) from spreading to other hosts on your LAN via RPC/DCOM. It does nothing to stop infection of the local machine via (say) an IE object vulnerability. Given that the infected file is in the IE temp folder, this is highly likely.

A quick google on "IE object vulnerability" will yield more than you wanted to know, but the short version is that many such bugs have been fixed in IE patches over the last few years, and many still have not.

Yes, we had one laptop infected like this, within about 5 mins of first connecting it to the net. The admin who did this without checking the anti-virus status first has been flogged.

Some would say you need anti-virus, anti-spyware, personal-firewall, IE patches, and scripting turned off. Others would say you need a different browser <g>

Mike.

-----Original Message-----
From: Ferris, Robin [mailto:R.Ferris () napier ac uk]
Sent: 17 February 2004 14:59
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] exploit-dcomrpc.gen

Hi folks,

A couple of quick questions: has anyone else seen this infection recently, exploit-dcomrpc.gen? You would probably be using McAfee to see it detected as this. What is odd is that these machines that are infected are patched with MS03-007/026/039. Was wondering if anyone had seen this at all.

Infection goes to c:\windows\system32\drivers\svchost.exe
Infected file is in IE temp folder labelled as WksPatch[1].exe

Any info would be appreciated.

Thanks
Robin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html