Security Incidents mailing list archives

RE: Probable new MS DCOM RPC worm for Windows


From: "Carey, Steve T GARRISON" <steven-carey () us army mil>
Date: Fri, 26 Sep 2003 07:04:59 -0500

We ran the Retina DCOM scanner and it showed they were patched.

-----Original Message-----
From: Tina Bird [mailto:tbird () precision-guesswork com]
Sent: Thursday, September 25, 2003 8:51 PM
To: Carey, Steve T GARRISON
Cc: derek () cynicism com; pauls () utdallas edu; incidents () securityfocus com
Subject: RE: Probable new MS DCOM RPC worm for Windows

On Thu, 25 Sep 2003, Carey, Steve T GARRISON wrote:

> We have seen a number of infections of Nachi/Welchia on patched systems.  Was
> told that the MS03-026 patch was only 60% effective, so you still had a 1 in 3
> chance of being infected.  Apparently the MS03-039 patch fixes the entire
> vulnerability and not just some of it.  We reinforced the rule for keeping the
> anti-virus current, which stopped Nachi/Welchia worm (in most cases, not all).

So, given that Welchia installs the patch for 03-026, and given that
Windows will happily re-install 03-026 even if it's already there, how did
you figure out that some of those machines were infected >after< they had
03-026 installed?

It's got me perplexed.  I'm sure that some of my users thought they
installed it and hadn't for some reason or other, and then got
infected...and I've gotten reports of "I patched it and it still got
hit"...and I can't figure out how to tell the difference.

Well, you could look at the event log entries and see if
there was more than one for KB823980, but I've seen reasonably reliable
cases where the registry setting existed but the patch wasn't actually
installed.

Checking the file manifests, on the other hand, is usually the most reliable
way to tell whether or not the patch was installed, but it won't really tell
you if the patch was installed more than once.

thanks -- tina bird

computer security @stanford, with a huge number of welchia-infected
systems -- or at least, there were...

--
At what point does it become easier to maintain a human relationship
than a Windows box?

                                       Robert Cowles

http://www.precision-guesswork.com
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com
tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
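The three indicators the thread argues about (the KB823980 registry setting, the number of event log entries for the KB, and the versions of the files the patch replaces) can be cross-checked on a host in one go. The script below is an added example and not code from the thread, the archive, or Microsoft. It assumes the hotfix registry key paths that the MS03-026 bulletin documents for Windows XP, Windows 2000 and NT 4.0; the file list and the expected patched versions are placeholders that must be filled in from the bulletin's file manifest for the OS and service pack in question (rpcss.dll is the DCOM RPC service binary the patch replaces; the other two are assumed). It is written for Windows PowerShell 5.1 and must run on the host being checked.

```powershell
# Added example (not from the original message). Cross-checks the three
# MS03-026 / KB823980 installation indicators discussed in the thread:
#   1. the hotfix registry key (what Add/Remove Programs and Get-HotFix rely on)
#   2. System event log entries mentioning the KB (more than one = re-installed?)
#   3. versions of the files the patch replaces (the "file manifest" check)
# ASSUMPTIONS: registry paths are those given in the MS03-026 bulletin; the
# file list and expected versions are placeholders to fill from the bulletin's
# file manifest. Run as an administrator on the host itself.
param(
    [string]$Kb = 'KB823980',
    # Expected (patched) versions: $null means "report only, no verdict".
    [hashtable]$ExpectedVersions = @{
        "$env:SystemRoot\System32\rpcss.dll"  = $null   # e.g. '5.1.2600.xxxx' from the manifest
        "$env:SystemRoot\System32\rpcrt4.dll" = $null   # assumed to be in the manifest
        "$env:SystemRoot\System32\ole32.dll"  = $null   # assumed to be in the manifest
    }
)

function Get-KbRegistryEvidence {
    # Returns the first hotfix registry key found for the KB, or $null.
    param([string]$Kb)
    $candidates = @(
        "HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP2\$Kb",      # assumed, per bulletin
        "HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\$Kb",    # assumed, per bulletin
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\$Kb"
    )
    foreach ($path in $candidates) { if (Test-Path $path) { return $path } }
    return $null
}

function Get-KbEventLogEntries {
    # Every System log record whose message mentions the KB; the installer
    # logs one per installation, so a count above 1 hints at a re-install.
    param([string]$Kb)
    return @(Get-WinEvent -FilterHashtable @{ LogName = 'System' } -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match [regex]::Escape($Kb) })
}

function Get-FileVersionEvidence {
    # Compares the binary version of each manifest file with the expected one.
    param([hashtable]$Expected)
    foreach ($path in $Expected.Keys) {
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $path; Installed = $null; Expected = $Expected[$path]; Status = 'MISSING' }
            continue
        }
        $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        # Use the numeric parts: FileVersion strings often carry a build tag suffix.
        $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if (-not $Expected[$path])                        { 'UNKNOWN-EXPECTED' }
                  elseif ($installed -ge [version]$Expected[$path]) { 'AT-OR-ABOVE' }
                  else                                               { 'BELOW' }
        [pscustomobject]@{ File = $path; Installed = $installed; Expected = $Expected[$path]; Status = $status }
    }
}

$regKey = Get-KbRegistryEvidence -Kb $Kb
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue   # registry-derived, same caveat as the key
$events = Get-KbEventLogEntries -Kb $Kb
$files  = @(Get-FileVersionEvidence -Expected $ExpectedVersions)

"Registry key   : " + $(if ($regKey) { $regKey } else { 'absent' })
"Get-HotFix     : " + $(if ($hotfix) { "listed (installed $($hotfix.InstalledOn))" } else { 'not listed' })
"Event log hits : $($events.Count)" + $(if ($events.Count -gt 1) { '  <- more than one install record' } else { '' })
$files | Format-Table File, Installed, Expected, Status -AutoSize

# Verdict: the file versions win over the registry, which is the point of the thread.
$statuses = $files | ForEach-Object { $_.Status }
if ($statuses -contains 'UNKNOWN-EXPECTED') {
    'VERDICT: fill in expected versions from the bulletin file manifest before trusting the registry key.'
} elseif ($statuses -contains 'BELOW' -or $statuses -contains 'MISSING') {
    'VERDICT: patched files are older than expected or missing -> treat as UNPATCHED, whatever the registry says.'
} elseif (-not $regKey) {
    'VERDICT: files are current but no registry key -> patched by some other route; verify how.'
} else {
    'VERDICT: registry key present and files at or above the patched versions -> installed.'
}
```

Reading the whole System log with Get-WinEvent is slow on a busy host; narrowing the hashtable filter with a StartTime of the patch release date is the usual shortcut. The verdict logic deliberately refuses to call a host patched on the strength of the registry key alone, which is exactly the false positive the thread describes.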
