Security Incidents mailing list archives
RE: Probable new MS DCOM RPC worm for Windows (fwd)
From: Tina Bird <tbird () precision-guesswork com>
Date: Fri, 26 Sep 2003 14:05:55 -0700 (PDT)
On Thu, 25 Sep 2003, Carey, Steve T GARRISON wrote:
We have seen a number of infections of Nachi/Welchia on patched systems. Was told that the MS03-026 patch was only 60% effective, so you still had a 1 in 3 chance of being infected. Apparently the MS03-039 patch fixes the entire vulnerability and not just some of it. We reinforced the rule for keeping the anti-virus current, which stopped Nachi/Welchia worm (in most cases, not all).
so, given that welchia installs the patch for 03-026, and given that windows will happily re-install 03-026 even if it's already there, how did you figure out that some of those machines were infected >after< they had 03-026 installed? it's got me perplexed.

i'm sure that some of my users thought they installed it and hadn't for some reason or other, and then got infected...and i've gotten reports of "i patched it and it still got hit"...and i can't figure out how to tell the difference.

well, you could look at the event log entries and see if there was more than one for KB823980, but i've seen reasonably reliable cases where the registry setting existed but the patch wasn't actually installed. whereas checking the file manifests is usually the most reliable way to tell whether or not the patch was installed, but won't really tell you if the patch was installed more than once.

thanks -- tina bird

computer security @stanford, with a huge number of welchia-infected systems -- or at least, there were...

--
At what point does it become easier to maintain a human relationship than a Windows box? Robert Cowles

http://www.precision-guesswork.com
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com
tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
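The three indicators the message weighs (event log entries for KB823980, the hotfix registry key, and the file manifest) can be combined into one triage verdict. The script below is an added example, not code from the original thread or from Stanford; it takes evidence already pulled off a Windows 2000/XP host and classifies it as unpatched, patched, patched more than once, or "registry says patched but the file is old". Everything in it is constructed: the event-log lines only loosely imitate a tab-separated Event Viewer export, the NtServicePack source and event ID 4359 are assumptions about what the hotfix installer logs, and the "minimum patched version" of rpcrt4.dll (the RPC runtime the hotfix replaces) is a placeholder to be taken from the KB article's file manifest for the OS and service pack in question.

```python
"""Added example (not from the original post): triage the three artifacts a
hotfix install leaves on a Windows 2000/XP host and decide whether KB823980
(MS03-026) was really applied, and whether it was applied more than once.
All sample data is constructed.
"""
from typing import Iterable, List, Tuple

KB = "KB823980"              # hotfix number for MS03-026
PATCHED_FILE = "rpcrt4.dll"  # the RPC runtime DLL the hotfix replaces

# ASSUMPTION: the file version that counts as "patched" differs per OS and
# service pack; take it from the hotfix's file manifest in the KB article.
# The value here is a placeholder for the example only.
MIN_PATCHED_VERSION = "5.0.2195.6753"


def parse_version(s: str) -> Tuple[int, ...]:
    """'5.0.2195.6753' -> (5, 0, 2195, 6753), so versions compare numerically."""
    return tuple(int(part) for part in s.strip().split("."))


def count_hotfix_installs(event_lines: Iterable[str]) -> int:
    """Count System-log entries whose description mentions the KB number.

    Each line is Date<TAB>Time<TAB>Source<TAB>EventID<TAB>Description.  Only
    the description is inspected, so a line that merely contains the digits
    elsewhere is not counted.
    """
    n = 0
    for line in event_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) >= 5 and KB in fields[4]:
            n += 1
    return n


def classify(registry_key_present: bool,
             event_lines: Iterable[str],
             rpcrt4_version: str,
             min_patched: str = MIN_PATCHED_VERSION) -> str:
    """Combine the three artifacts into one verdict.

    Precedence follows the reasoning in the thread: the file version is the
    most reliable indicator; the event log tells you how many times the
    installer ran; the registry key on its own proves little.
    """
    installs = count_hotfix_installs(event_lines)
    file_ok = parse_version(rpcrt4_version) >= parse_version(min_patched)

    if file_ok and installs > 1:
        return "patched, installed %d times (re-install, e.g. by Welchia?)" % installs
    if file_ok:
        return "patched"
    if registry_key_present:
        return "registry key present but %s is old: patch not actually applied" % PATCHED_FILE
    return "unpatched"


# Constructed sample evidence.  Source and EventID values are assumptions
# about what the hotfix installer logs; adjust to what your hosts record.
SAMPLE_EVENTS: List[str] = [
    "8/15/2003\t09:12:01\tNtServicePack\t4359\tWindows 2000 Hotfix KB823980 was installed.",
    "8/15/2003\t09:12:40\tService Control Manager\t7036\tThe Remote Procedure Call (RPC) service entered the running state.",
    "8/20/2003\t02:47:13\tNtServicePack\t4359\tWindows 2000 Hotfix KB823980 was installed.",
]

if __name__ == "__main__":
    # Current DLL plus two install events: the second install is the thing
    # the thread is trying to spot.
    print(classify(True, SAMPLE_EVENTS, "5.0.2195.6753"))
    # Registry key present, no install events, old DLL: patched only on paper.
    print(classify(True, [], "5.0.2195.6106"))
```

The ordering of the checks is the point: a host is only called patched on the strength of the file version, and the event-log count is consulted afterwards to flag a second install. A registry key with no matching file change lands in its own bucket, which is exactly the "i patched it and it still got hit" case that looks patched in an inventory tool.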
Current thread:
- RE: Probable new MS DCOM RPC worm for Windows (fwd) Tina Bird (Sep 26)