Security Incidents mailing list archives
RE: Probable new MS DCOM RPC worm for Windows
From: "Carey, Steve T GARRISON" <steven-carey () us army mil>
Date: Fri, 26 Sep 2003 07:04:59 -0500
We ran the Retina DCOM scanner and it showed they were patched.

-----Original Message-----
From: Tina Bird [mailto:tbird () precision-guesswork com]
Sent: Thursday, September 25, 2003 8:51 PM
To: Carey, Steve T GARRISON
Cc: derek () cynicism com; pauls () utdallas edu; incidents () securityfocus com
Subject: RE: Probable new MS DCOM RPC worm for Windows

On Thu, 25 Sep 2003, Carey, Steve T GARRISON wrote:

> We have seen a number of infections of Nachi/Welchia on patched systems. Was told that the MS03-026 patch was only 60% effective, so you still had a 1 in 3 chance of being infected. Apparently the MS03-039 patch fixes the entire vulnerability and not just some of it. We reinforced the rule for keeping the anti-virus current, which stopped the Nachi/Welchia worm (in most cases, not all).

so, given that welchia installs the patch for 03-026, and given that windows will happily re-install 03-026 even if it's already there, how did you figure out that some of those machines were infected >after< they had 03-026 installed? it's got me perplexed.

i'm sure that some of my users thought they installed it and hadn't for some reason or other, and then got infected... and i've gotten reports of "i patched it and it still got hit"... and i can't figure out how to tell the difference.

well, you could look at the event log entries and see if there was more than one for KB823980, but i've seen reasonably reliable cases where the registry setting existed but the patch wasn't actually installed. whereas checking the file manifests is usually the most reliable way to tell whether or not the patch was installed, but won't really tell you if the patch was installed more than once.

thanks -- tina bird
computer security @stanford, with a huge number of welchia-infected systems -- or at least, there were...

--
At what point does it become easier to maintain a human relationship than a Windows box?
Robert Cowles

http://www.precision-guesswork.com
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com
tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
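Added example, not part of the thread: a PowerShell check that cross-references the three pieces of evidence Tina mentions (the KB823980 registry marker, the on-disk file version, and the count of hotfix install events) so a "registry says patched, files say otherwise" box or a box patched more than once stands out. It assumes rpcss.dll as the binary to compare, a placeholder expected version to be filled in from the KB file manifest, and the 'NtServicePack' event source for hotfix installs; none of these come from the thread.

```powershell
# Added example, not from the thread. Cross-checks three independent signs that
# KB823980 (the MS03-026 hotfix) is really present: the registry marker alone
# can be wrong, and a file check alone cannot show a repeated install.
# Assumptions (not from the thread): rpcss.dll is the binary to compare,
# $ExpectedVersion is a PLACEHOLDER to be taken from the KB file manifest, and
# hotfix installs are written to the System log under source 'NtServicePack'.
param(
    [string]  $Kb              = 'KB823980',
    [string]  $PatchedFile     = "$env:SystemRoot\system32\rpcss.dll",
    [version] $ExpectedVersion = '0.0.0.0'   # PLACEHOLDER: version listed in the KB article
)

# 1. Registry marker: what most scanners and Add/Remove Programs trust.
$regHits = @(
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Updates' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq $Kb }
    Get-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\$Kb" -ErrorAction SilentlyContinue
)
$regPresent = $regHits.Count -gt 0

# 2. File manifest: the on-disk binary must be at least the patched version.
$fi = (Get-Item $PatchedFile).VersionInfo
$fileVersion = [version]"$($fi.FileMajorPart).$($fi.FileMinorPart).$($fi.FileBuildPart).$($fi.FilePrivatePart)"
$filePatched = $fileVersion -ge $ExpectedVersion

# 3. Event log: one install event is normal; more than one means the hotfix
#    was applied again after the first install (the Welchia case above).
$installCount = @(
    Get-EventLog -LogName System -Source NtServicePack -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Kb }
).Count

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    RegistryMarker = $regPresent
    FileVersion    = $fileVersion.ToString()
    FilePatched    = $filePatched
    InstallEvents  = $installCount
    # Registry says yes but the file does not, or more than one install event:
    # either case deserves a closer look before the host is called "patched".
    Suspicious     = ($regPresent -and -not $filePatched) -or ($installCount -gt 1)
} | Format-List
```

Run it from an elevated prompt on the host in question; the Suspicious field is the one to sort on when the output is collected from many machines.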