
List:       ntbugtraq
Subject:    New RPC worm?
From:       Russ <Russ.Cooper () RC ! ON ! CA>
Date:       2003-10-28 17:24:36

FWIW, I have had several emails from people indicating they were seeing
some sort of new variant of Nachi in the last couple of days. The only
binaries I have received so far are MD5 matches with the original Nachi.
The environment in this case believed it was fully patched with
MS03-026, although MS03-039 was not applied. Their McAfee AV detected
the worm there as Nachi. In this case the bandwidth effect was very
significant.

Another report states they saw the effects of Blaster as of Thursday
last week. Cut and Paste wasn't working properly, etc... as if RPC was
corrupted. There, the McAfee AV (latest updates) was not detecting
anything. Here the bandwidth effect was very small, and infection rate
was extremely slow.

Another report stated that as of 4:42pm EST yesterday they began seeing
massive infections of machines which did not have MS03-039 applied.
Infected hosts had port 707 open. Their AV is not detecting anything.
This report was also posted to Bugtraq.

So far nobody has provided binaries which confirm there is a new worm.
It is odd, however, that people who have not had Blaster since August
should all of a sudden see it now (on the assumption that it is not
new.)

Please let me know if you have any binaries for what seems to be a new
worm, or if you see anything that suggests one is running.

Cheers,
Russ - NTBugtraq Editor
