Security Incidents mailing list archives

RE: Probable new MS DCOM RPC worm for Windows


From: "James C. Slora, Jr." <james.slora () phra com>
Date: Fri, 26 Sep 2003 17:57:36 -0400

Carey, Steve T GARRISON wrote Friday, September 26, 2003 8:05 AM

We ran the Retina DCOM scanner and it showed they were patched.

Could any of the systems have been infected through Nachi/Welchia's WebDAV vector instead of through RPC?
 
(Tina Bird wrote Thursday, September 25, 2003 8:51 PM)
On Thu, 25 Sep 2003, Carey, Steve T GARRISON wrote:

We have seen a number of infections of Nachi/Welchia on patched systems.  Was
told that the MS03-026 patch was only 60% effective, so you still had a 1 in 3
chance of being infected.  Apparently the MS03-039 patch fixes the entire
vulnerability and not just some of it.  We re-enforced the rule for keeping
the anti-virus current, which stopped Nachi/Welchia worm (in most cases, not all).

so, given that welchia installs the patch for 03-026, and given that
windows will happily re-install 03-026 even if it's already there, how did
you figure out that some of those machines were infected >after< they had
03-026 installed?
