RE: MSBlast and other known exploits..

From: Alon Tirosh (atirosh_at_interactiveedge.com)
Date: 08/13/03

  • Next message: Chris Barber: "RE: rpc dcom worm and windowsupdate"
    To: "'Micheal Patterson'" <micheal@cancercare.net>
    Date: Wed, 13 Aug 2003 11:07:18 -0400
    
    

    Sounds like the infection went off and damaged COM+ on the affected
    machines. This was a reported side effect when the vulnerability was first
    analyzed and tested. I can confirm this happening on a number of infected
    systems that I've worked with, and it appears that the TMSC patterns do
    wonders to restore the system to operation.

    Id give a shot at simply cleaning the affected systems and seeing whether
    the problem clears up before pulling out the hose.

    -----Original Message-----
    From: Micheal Patterson [mailto:micheal@cancercare.net]
    Sent: Wednesday, August 13, 2003 8:45 AM
    To: incidents@securityfocus.com
    Subject: MSBlast and other known exploits..

    I've got reports of msblast infection that I've checked and they indeed do
    have msblast. Also, these systems all have what appears to be a corrupted
    control panel applet. The normal control panel shows up in a left hand frame
    and the contents of add/remove programs is missing. Also, various popup
    windows simply will not open. I've read that there was a known root kit
    that utilized the same dcom exploit called khat2 (spelling) but I'm not
    having much luck in locating the symptoms of systems that have been rooted
    in this manner. Any information would be appreciated. I will be recommending
    that these systems be blown away and reinstalled from clean media, I'm just
    looking for some info to verify what's eaten away at these things.

    Thank you.

    --
    Micheal Patterson
    Network Administration
    Cancer Care Network
    405-733-2230
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    

  • Next message: Chris Barber: "RE: rpc dcom worm and windowsupdate"