| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mike.keighley at adarelexicon.com (mike.keighley@...relexicon.com) Subject: Re: Full-Disclosure digest, Vol 1 #1456 - 15 msgs Robin, The patch for MS03-039 should stop a worm (e.g. Blaster) from spreading to other hosts on your lan via RPC/Dcom. It does nothing to stop infection of the local machine via (say) an IE object vulnerability. Given that the infected file is in the IE temp folder, this is highly likely. A quick google on "IE object vulnerability" will yield more than you wanted to know, but the short version is that many such bugs have been fixed in IE patches over the last few years, and many still have not. Yes we had one laptop infected like this, within about 5 mins of first connecting it to the net. The admin who did this without checking the anti-virus status first has been flogged. Some would say you need anti-virus, anti-spyware, personal-firewall, IE patches, and scripting turned off. Others would say you need a different browser <g> Mike. -----Original Message----- From: Ferris, Robin [mailto:R.Ferris@...ier.ac.uk] Sent: 17 February 2004 14:59 To: full-disclosure@...ts.netsys.com Subject: [Full-Disclosure] exploit-dcomrpc.gen Hi folks a couple of quick questions, has any one else seen this infection recently exploit-dcomrpc.gen, you would proably be using mcafee to see it detected as this. I what is odd is that these machines that are infected are patched with ms03-007/026/039 was wondering if any one had seen this at all. infection goes to c:\windows\system32\drivers\svchost.exe infected file is in IE temp folder labelled as WksPatch[1].exe Any info would be appreciated. Thanks Robin
Powered by blists - more mailing lists