Re: reports of DCOM worm on the loose...Report #4
From: Marc Maiffret (marc_at_EEYE.COM)
Date: 08/12/03
- Previous message: Schmidt, Tobias E: "GPO blaster scripts -- http://www.winona.edu/its/downloads/msblast.htm"
- In reply to: Russ: "Re: reports of DCOM worm on the loose...Report #4"
- Next in thread: Brian S. Bergin: "Re: reports of DCOM worm on the loose...Report #4"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 12 Aug 2003 08:36:45 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
"eEye's DCOM Checker incorrectly reports NT 4 machines as being vulnerable,
despite the patch being positively verified"
That was fixed in version 1.0.3 of the free scanner.
Also some of the comments/points about the worm are incorrect, as they are
on some other research sites. You can read our full analysis on the eEye
website at http://www.eeye.com/html/Research/Advisories/AL20030811.html
Also, as mentioned in our analysis, if you're running Windows 2000 SP0, SP1,
SP2, and disable DCOM (as a way to protect yourself until you install the
patch) then DCOM is not "really" disabled and you are still vulnerable. We
have seen this with a few customers of ours and also testing in our lab.
Anyone else have the same experience? So the point being, in some cases,
disabling DCOM is not a valid method of protection.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Russ
| Sent: Tuesday, August 12, 2003 6:30 AM
| To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
| Subject: Re: reports of DCOM worm on the loose...Report #4
|
|
| Summary of information uncovered;
|
| 1. Windows 2000 SP2 can install MS03-026. Microsoft still isn't
| supporting this configuration and insist you should test it, but
| I have had numerous reports from people who have successfully
| installed it. Windows 2000 SP2 systems have been successfully compromised.
|
| 2. Windows Update and most 3rd party patch management
| applications will not offer you the ability to install MS03-026
| on Windows 2000 SP2 systems. I have prepared an XML file for use
| with HFNetchk or MBSACli which will both check for, and
| recommend, MS03-026 on Windows 2000 SP2 systems.
| Ergo;
|
| 7. Multiple copies of MSBlast.exe can run on the same victim.
|
| Uncorroborated Reports:
| - Adds a user to the Administrators group
| - Starts up NetBIOS services (if they aren't running)
| - eEye's DCOM Checker incorrectly reports NT 4 machines as being
| vulnerable, despite the patch being positively verified
<snip>
Cheers,
Russ - NTBugtraq Editor
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to
http://www.trusecure.com/offer/s0100/
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
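The practical question raised above is whether "disabling DCOM" actually takes the vulnerable RPCSS interface off the wire. One way to check from the network, rather than trusting the registry setting, is to open TCP 135 and attempt a DCE/RPC bind to the endpoint mapper: if the host answers with a bind_ack, the RPC service behind MS03-026 is still reachable regardless of what the DCOM setting says. The script below is an added example and is not code from eEye, NTBugtraq or the original posts; it assumes the target accepts TCP connections on port 135, and the reply PDUs used to exercise the parser are constructed samples, not captured traffic.

```python
"""Check whether a host still answers a DCE/RPC bind on the endpoint mapper
(TCP 135), i.e. whether "disabling DCOM" really removed the RPC listener.
Added example; not from the original posts. Assumes the target allows a
TCP connection to port 135."""
import socket
import struct
import uuid

# Well-known interface UUIDs (DCE/RPC encodes them in "bytes_le" form).
EPMAPPER_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")  # endpoint mapper v3.0
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")       # NDR transfer syntax v2.0

PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK = 11, 12, 13
PTYPE_NAMES = {PTYPE_BIND: "bind", PTYPE_BIND_ACK: "bind_ack", PTYPE_BIND_NAK: "bind_nak"}
HDR = "<BBBBIHHI"  # vers, vers_minor, ptype, flags, drep, frag_len, auth_len, call_id


def build_bind(call_id=1):
    """Build a minimal connection-oriented DCE/RPC v5 bind PDU (72 bytes)."""
    body = struct.pack("<HHI", 4280, 4280, 0)                  # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", 1, 0, 0)                        # one presentation context
    body += struct.pack("<HBB", 0, 1, 0)                        # ctx id 0, one transfer syntax
    body += EPMAPPER_UUID.bytes_le + struct.pack("<HH", 3, 0)   # abstract syntax: epmapper v3.0
    body += NDR_UUID.bytes_le + struct.pack("<HH", 2, 0)        # transfer syntax: NDR v2.0
    # flags 0x03 = first|last fragment; drep 0x10 = little-endian integers, ASCII
    header = struct.pack(HDR, 5, 0, PTYPE_BIND, 0x03, 0x10, 16 + len(body), 0, call_id)
    return header + body


def parse_bind_response(data):
    """Parse the PDU returned for a bind and describe the outcome."""
    if len(data) < 16:
        raise ValueError("short PDU")
    vers, _, ptype, _, _, _, _, call_id = struct.unpack_from(HDR, data, 0)
    if vers != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    info = {"ptype": PTYPE_NAMES.get(ptype, str(ptype)), "call_id": call_id}
    if ptype != PTYPE_BIND_ACK:
        return info
    # bind_ack body: max_xmit, max_recv, assoc_group, sec_addr (length + string), pad, results
    off = 16
    _, _, assoc_group, sec_addr_len = struct.unpack_from("<HHIH", data, off)
    off += 10
    sec_addr = data[off:off + sec_addr_len].rstrip(b"\x00").decode("ascii", "replace")
    off += sec_addr_len
    off = (off + 3) & ~3            # p_result_list is 4-byte aligned from PDU start
    n_results = data[off]
    off += 4                        # n_results + 3 reserved bytes
    results = []
    for _ in range(n_results):
        result, reason = struct.unpack_from("<HH", data, off)
        results.append((result, reason))
        off += 24                   # result, reason, transfer-syntax uuid (16), version (4)
    info.update(assoc_group=assoc_group, sec_addr=sec_addr, results=results,
                accepted=any(r == 0 for r, _ in results))   # 0 = acceptance
    return info


def probe(host, port=135, timeout=5):
    """Send a bind to host:port and parse the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind())
        reply = s.recv(4096)
    return parse_bind_response(reply)


def sample_bind_ack():
    """Constructed bind_ack in the shape a Windows endpoint mapper returns (sample data)."""
    body = struct.pack("<HHIH", 4280, 4280, 0x1234, 4) + b"135\x00" + b"\x00\x00"  # pad to 32
    body += struct.pack("<BBH", 1, 0, 0)                                      # one result
    body += struct.pack("<HH", 0, 0) + NDR_UUID.bytes_le + struct.pack("<HH", 2, 0)
    return struct.pack(HDR, 5, 0, PTYPE_BIND_ACK, 0x03, 0x10, 16 + len(body), 0, 1) + body


def sample_bind_nak():
    """Constructed bind_nak: header plus a 2-byte reject reason (sample data)."""
    return struct.pack(HDR, 5, 0, PTYPE_BIND_NAK, 0x03, 0x10, 18, 0, 1) + b"\x00\x00"


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_bind_response(sample_bind_ack()))
```

An accepted bind only shows that the endpoint mapper is still listening and will talk to you; it does not by itself say whether MS03-026 is installed, so it is a check on the mitigation, not a substitute for verifying the patch. A connection refused on 135 is the result you would expect if DCOM/RPC were genuinely disabled.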