RE: Probable new MS DCOM RPC worm for Windows (fwd)

From: Tina Bird (tbird_at_precision-guesswork.com)
Date: 09/26/03

  • Next message: Joe Stewart: "Re: Possible variant of Blaster/Nachi/Welchia? (more)"
    Date: Fri, 26 Sep 2003 14:05:55 -0700 (PDT)
    To: incidents@securityfocus.com
    On Thu, 25 Sep 2003, Carey, Steve T GARRISON wrote:

    > We have seen a number of infections of Nachi/Welchia on patched systems. Was
    > told that the MS03-026 patch was only 60% effective, so you still had a 1 in 3
    > chance of being infected. Apparently the MS03-039 patch fixes the entire
    > vulnerability and not just some of it. We re-enforced the rule for keeping the
    > anti-virus current, which stopped Nachi/Welchia worm (in most cases, not all).

    so, given that welchia installs the patch for 03-026, and given that
    windows will happily re-install 03-026 even if it's already there, how did
    you figure out that some of those machines were infected >after< they had
    03-026 installed?

    it's got me perplexed. i'm sure that some of my users thought they
    installed it and hadn't for some reason or other, and then got
    infected...and i've gotten reports of "i patched it and it still got
    hit"...and i can't figure out how to tell the difference.

    well, you could look at the event log entries and see if
    there was more than one for KB823980, but i've seen reasonably reliable
    cases where the registry setting existed but the patch wasn't actually
    installed.

    whereas checking the file manifests is usually the most reliable way to
    tell whether or not the patch was installed, but won't really tell you if
    the patch was installed more than once.

    thanks -- tina bird

    computer security @stanford, with a huge number of welchia-infected
    systems -- or at least, there were...

    --
    At what point does it become easier to maintain a human relationship
    than a Windows box?
                                           Robert Cowles
    http://www.precision-guesswork.com
    Log Analysis http://www.loganalysis.org
    VPN http://vpn.shmoo.com
    tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
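The two checks tbird describes (counting hotfix install events for KB823980, and trusting the file manifest rather than the registry key) worked through as an added Python example; this is not code from the thread or from Microsoft, the event-log line format and the manifest file names and version numbers are constructed placeholders, and the real versions would come from the bulletin's file list.

```python
import re
from collections import Counter

# Constructed sample of an exported System event log; the message wording is
# an assumption modelled on NT-era hotfix install entries, not a real export.
SAMPLE_EVENTS = """\
2003-08-12 09:14:02 NtServicePack Information Windows XP Hotfix KB823980 was installed.
2003-08-19 22:41:37 NtServicePack Information Windows XP Hotfix KB823980 was installed.
2003-09-11 08:02:10 NtServicePack Information Windows XP Hotfix KB824146 was installed.
""".splitlines()

HOTFIX_RE = re.compile(r"Hotfix (KB\d+) was installed")

def count_hotfix_installs(lines):
    """Count install events per KB. Welchia re-applies KB823980, so more than
    one event for it is the signal the thread is asking about."""
    counts = Counter()
    for line in lines:
        m = HOTFIX_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def files_below_manifest(manifest, observed):
    """Return files whose observed version is older than the manifest minimum.
    Versions are 4-tuples; a file absent from 'observed' counts as stale."""
    return sorted(name for name, want in manifest.items()
                  if observed.get(name, (0, 0, 0, 0)) < want)

def classify(install_count, registry_key_present, stale_files):
    """Collapse the three signals into the verdicts discussed in the thread."""
    if stale_files:
        return "not patched" + (" (registry key present but files not updated)"
                                if registry_key_present else "")
    if install_count > 1:
        return "patched, installed %d times (possible worm re-install)" % install_count
    return "patched" if install_count == 1 or registry_key_present else "unknown"

# Constructed placeholder manifest: NOT the real MS03-026 file versions.
MANIFEST = {"rpcss.dll": (5, 1, 2600, 100), "rpcrt4.dll": (5, 1, 2600, 100)}

if __name__ == "__main__":
    counts = count_hotfix_installs(SAMPLE_EVENTS)
    # Constructed observed versions: rpcrt4.dll is older than the manifest.
    observed = {"rpcss.dll": (5, 1, 2600, 100), "rpcrt4.dll": (5, 1, 2600, 50)}
    stale = files_below_manifest(MANIFEST, observed)
    print(counts["KB823980"], stale, classify(counts["KB823980"], True, stale))
```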
