New RPC worm?

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 10/28/03

    Date:         Tue, 28 Oct 2003 12:24:36 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    FWIW, I have had several emails from people indicating they were seeing
    some sort of new variant of Nachi in the last couple of days. The only
    binaries I have received so far are MD5 matches with the original Nachi.
    The environment in this case believed it was fully patched with
    MS03-026, although MS03-039 was not applied. Their McAfee AV detected
    the worm there as Nachi. In this case the bandwidth effect was very
    significant.

    Another report states they saw the effects of Blaster as of Thursday
    last week. Cut and paste wasn't working properly, etc., as if RPC was
    corrupted. There, the McAfee AV (latest updates) was not detecting
    anything. Here the bandwidth effect was very small, and the infection
    rate was extremely slow.

    Another report stated that as of 4:42pm EST yesterday they began seeing
    massive infections of machines which did not have MS03-039 applied.
    Infected hosts had port 707 open. Their AV is not detecting anything.
    This report was also posted to Bugtraq.

    So far nobody has provided binaries which confirm there is a new worm.
    It is odd, however, that people who have not had Blaster since August
    should all of a sudden see it now (on the assumption that it is not
    new).

    Please let me know if you have any binaries for what seems to be a new
    worm, or if you see anything that suggests one is running.

    Cheers,
    Russ - NTBugtraq Editor

