Open Source and information security mailing list archives
 
Message-ID: <20030925181223.GB1877@netpublishing.com>
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: RE: Probable new MS DCOM RPC worm for Windows

W32.Welchia is in the wild. I have a customer who found it on his
home machine this morning. He is using Norton, which kindly informed
him that it had no way to handle it...

G

On or about 2003.09.25 10:57:12 +0000, Cael Abal (lists@...you.com) said:

> >I'm thinking that there *has* to be a variant of Nachi/Welchia in the
> >wild.  We have machines that were patched for MS03-026 (verified by
> >scanning with multiple scanners) but not patched for MS03-039 (ditto)
> >and they have been infected by something that triggers my Nachi rule in
> >snort.  This should *not* be possible with the "original" Nachi/Welchia,
> >so my assumption is that either something new has been released or the
> >worm has mutated somehow.
> >
> >Mind you, this is anecdotal and a very small incidence (only three
> >machines so far), but it still bears watching IMHO.  I've been surprised
> >to not see any discussion on the lists about a new variant.  Perhaps no
> >one is looking?
> 
> Hi Paul,
> 
> Did you use a third-party tool to verify the patches were actually 
> successfully installed on the infected machines, before detecting the 
> infection?
> 
> Cael
> 

-- 
Gregory A. Gilliss, CISSP                             Telephone: 1 650 872 2420
Computer Engineering                                   E-mail: greg@...liss.com
Computer Security                                                ICQ: 123710561
Software Development                          WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

