List:       incidents
Subject:    RE: Probable new MS DCOM RPC worm for Windows
From:       "Carey, Steve T GARRISON" <steven-carey () us ! army ! mil>
Date:       2003-09-26 23:47:16

 These were desktops, but suppose it could be possible on some of them.

-----Original Message-----
From: James C. Slora, Jr.
To: Carey, Steve T GARRISON
Cc: incidents@securityfocus.com
Sent: 9/26/2003 4:57 PM
Subject: RE: Probable new MS DCOM RPC worm for Windows

Carey, Steve T GARRISON wrote Friday, September 26, 2003 8:05 AM

> We ran the Retina DCOM scanner and it showed they were patched.

Could any of the systems have been infected through Nachi/Welchia's
WebDAV vector instead of through RPC?
 
(Tina Bird wrote Thursday, September 25, 2003 8:51 PM)
> On Thu, 25 Sep 2003, Carey, Steve T GARRISON wrote:
> 
> > We have seen a number of infections of Nachi/Welchia on patched systems.  Was
> > told that the MS03-026 patch was only 60% effective, so you still had a 1 in 3
> > chance of being infected.  Apparently the MS03-039 patch fixes the entire
> > vulnerability and not just some of it.  We re-enforced the rule for keeping
> > the anti-virus current, which stopped Nachi/Welchia worm (in
> > most cases, not all).
> 
> so, given that welchia installs the patch for 03-026, and given that
> windows will happily re-install 03-026 even if it's already there, how did
> you figure out that some of those machines were infected >after< they had
> 03-026 installed?
