Message-ID: <20030925181223.GB1877@netpublishing.com>
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: RE: Probable new MS DCOM RPC worm for Windows
W32.Welchia is in the wild. I have a customer who found it on his
home machine this morning. He is using Norton, which kindly informed
him that it had no way to handle it...
G
On or about 2003.09.25 10:57:12 +0000, Cael Abal (lists@...you.com) said:
> >I'm thinking that there *has* to be a variant of Nachi/Welchia in the
> >wild. We have machines that were patched for MS03-026 (verified by
> >scanning with multiple scanners) but not patched for MS03-039 (ditto)
> >and they have been infected by something that triggers my Nachi rule in
> >snort. This should *not* be possible with the "original" Nachi/Welchia,
> >so my assumption is that either something new has been released or the
> >worm has mutated somehow.
> >
> >Mind you, this is anecdotal and a very small incidence (only three
> >machines so far), but it still bears watching IMHO. I've been surprised
> >to not see any discussion on the lists about a new variant. Perhaps no
> >one is looking?
>
> Hi Paul,
>
> Did you use a third-party tool to verify the patches were actually
> successfully installed on the infected machines, before detecting the
> infection?
>
> Cael
--
Gregory A. Gilliss, CISSP Telephone: 1 650 872 2420
Computer Engineering E-mail: greg@...liss.com
Computer Security ICQ: 123710561
Software Development WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3