[prev in list] [next in list] [prev in thread] [next in thread]
List: incidents
Subject: RE: Probable new MS DCOM RPC worm for Windows
From: "Carey, Steve T GARRISON" <steven-carey () us ! army ! mil>
Date: 2003-09-26 23:47:16
[Download RAW message or body]
These were desktops, but suppose it could be possible on some of them.
-----Original Message-----
From: James C. Slora, Jr.
To: Carey, Steve T GARRISON
Cc: incidents@securityfocus.com
Sent: 9/26/2003 4:57 PM
Subject: RE: Probable new MS DCOM RPC worm for Windows
Carey, Steve T GARRISON wrote Friday, September 26, 2003 8:05 AM
> We ran the Retina DCOM scanner and it showed they were patched.
Could any of the systems have been infected through Nachi/Welchia's
WebDAV vector instead of through RPC?
(Tina Bird wrote Thursday, September 25, 2003 8:51 PM)
> On Thu, 25 Sep 2003, Carey, Steve T GARRISON wrote:
>
> > We have seen a number of infections of Nachi/Welchia on patched
systems. Was
> > told that the MS03-026 patch was only 60% effective, so you still
had a 1 in 3
> > chance of being infected. Apparently the MS03-039 patch fixes the
entire
> > vulnerability and not just some of it. We re-enforced the rule for
keeping
> > the anti-virus current, which stopped Nachi/Welchia worm (in
> > most cases, not all).
>
> so, given that welchia installs the patch for 03-026, and given that
> windows will happily re-install 03-026 even if it's already there, how
did
> you figure out that some of those machines were infected >after< they
had
> 03-026 installed?
---------------------------------------------------------------------------
----------------------------------------------------------------------------
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic