lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: R.Ferris at (Ferris, Robin)
Subject: RE: Probable new MS DCOM RPC worm for Windo

I have seen at least 1-5% of machines at this site that report that they are
patched: either through "add remove programs" or "msiexec patch.exe -l"
which lists the patches installed. Run the eeye scanner against it and lo
and behold it's not actually patched. So some more evidence into the bowl.


-----Original Message-----
From: Exibar []
Sent: 25 September 2003 22:08
Subject: Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for

I've seen the same thing but BEFORE MS03-039 came out.  I've had reports
from users stating that their network port had been turned off a number of
times and they're getting sick of it.  To quiet them down I'd add their
network port to an exclude list that wouldn't show up in the IDS (Snort) for
automatic Network port shutoff after the threshold is reached.

   My gut feeling is that Microsoft, in their haste to get MS03-026 out in
time for people to get their systems patched, used the 80/20 rule.  By that
I mean that they were only able to patch 80% of the conditions for
exploitation.  I think that's what Paul (and others) have seen.  Machines
patched for 026 but still able to be infected under certain, fairly rare
circumstances.  Microsoft took care of these remaining conditional holes
with MS03-039.

   but, my theory is just that, a theory.  and there very well could be a
variant of Welchi out there.  But, I would think that there would be more
infections or infection attempts that we are seeing now.  IMHO


----- Original Message ----- 
From: "Derek Vadala" <>
To: <>
Cc: <>; <>
Sent: Thursday, September 25, 2003 3:44 PM
Subject: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows

> > I'm thinking that there *has* to be a variant of Nachi/Welchia in the
> > wild.  We have machines that were patched for MS03-026 (verified by
> > scanning with multiple scanners) but not patched for MS03-039 (ditto)
> > and they have been infected by something that triggers my Nachi rule in
> > snort.  This should *not* be possible with the "original" Nachi/Welchia,
> > so my assumption is that either something new has been released or the
> > worm has mutated somehow.
> >
> > Mind you, this is anecdotal and a very small incidence (only three
> > machines so far), but it still bears watching IMHO.  I've been surprised
> > to not see any discussion on the lists about a new variant.  Perhaps no
> > one is looking?
> >
> > Paul Schmehl (
> We've seen the same thing over here. I've had a handful of machines
> (perhaps 15-20 out of 2500) here that were reported to be patched against
> MS03-026 yet became infected with Welchia. These machines were not patched
> against MS03-039. One possibility is that the systems were already
> infected with Welchia at the time they were patched against MS03-026.
> I know of at least one or two cases here where the technical support
> person assigned to fix a particular system didn't appropriately follow the
> removal procedures and left a patched, but infected, system. I have to
> assume this is happening without notice in other cases, since there
> haven't been reports of a variant, and the number of systems in this
> situation is rather low.
> So I'm betting user error, though I find it hard to believe there isn't
> another variant making the rounds.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:

Full-Disclosure - We believe in it.

Powered by blists - more mailing lists