I can confirm this. I discovered the worm when it attempted (and failed) to infect my machine (Win XP Pro) this afternoon. Immediately after securing the firewall setting that left me vulnerable to the port 135 attack, I checked windowsupdate.microsoft.com and confirmed that I had in fact installed the patch a few weeks earlier. While security software on my system prevented the overflow payload from using tftp, the payload managed to terminate the RPC svchost process twice, forcing a system halt. This is similar to the effects of the WinNuke exploitation of a similar overflow bug in RPC earlier in the year.

-R Rahmani

-----Original Message-----
From: Charles Hamby [mailto:fixerat_private]
Sent: Tuesday, August 12, 2003 12:13 AM
To: incidentsat_private
Subject: MSBLASTER Infecting despite 03-026 patch?

I have seen, and have heard other reports of, the msblaster.exe worm infecting a Windows computer that had the proper KB patch specified by the 03-026 advisory. In the instance I personally saw, it was a Windows XP Professional workstation that was completely patched. The person who used the workstation was surprised that they were infected, since they had applied the patch, and I verified (via Add/Remove Programs) that they did, indeed, have the proper patch applied. I checked with my parent organization and they had been receiving sporadic reports of patched machines being infected despite being patched. Unfortunately I removed the worm from the computer without copying it, so I don't have a backup of it for analysis. Has anyone else been seeing this phenomenon, or do they have any idea why this might have been or might be happening? I know for a fact the patch that was used came straight from Microsoft, so I don't suspect a faulty patch.
Charles Hamby
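Added example, not part of the thread or either poster's material: a small Python correlation over constructed firewall log lines for the two indicators the reply above describes, an inbound hit on TCP/135 followed by the victim reaching back to the same peer over TFTP (UDP/69) to fetch the worm body. The log format, hosts and timestamps are constructed assumptions.

```python
"""Correlate firewall log lines for the pattern described in the thread:
an inbound TCP/135 (RPC/DCOM) hit from a peer that the protected host then
contacts over UDP/69 (TFTP). All log lines below are constructed samples."""
import re

# Assumed log format (constructed): "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.5 is the protected host.
SAMPLE_LOG = """\
2003-08-12T14:01:03 ACCEPT TCP 10.0.0.77:1167 -> 10.0.0.5:135
2003-08-12T14:01:04 ACCEPT UDP 10.0.0.5:1025 -> 10.0.0.77:69
2003-08-12T14:02:10 DROP TCP 10.0.0.91:4040 -> 10.0.0.5:135
2003-08-12T14:05:00 ACCEPT TCP 10.0.0.12:2301 -> 10.0.0.5:445
"""


def parse(log: str):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(log: str):
    """Return {'probes': [...], 'infections': [...]}.
    probes     : peers that reached or tried TCP/135 on the protected host
    infections : peers that hit TCP/135 and were then contacted over UDP/69,
                 i.e. the overflow got far enough to trigger the tftp fetch."""
    first_135 = {}          # peer -> timestamp of its first TCP/135 attempt
    tftp_back = set()
    for r in parse(log):
        if r["proto"] == "TCP" and r["dport"] == "135":
            first_135.setdefault(r["src"], r["ts"])
        elif r["proto"] == "UDP" and r["dport"] == "69" and r["action"] == "ACCEPT":
            # Count the TFTP fetch only if it goes back to a peer that probed 135 first.
            if r["dst"] in first_135 and r["ts"] >= first_135[r["dst"]]:
                tftp_back.add(r["dst"])
    return {"probes": sorted(first_135), "infections": sorted(tftp_back)}


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A dropped TCP/135 attempt alone is a probe worth noting (the firewall setting the reply mentions), while the 135-then-69 pair is the stronger signal that the host should be checked for the patch and for the svchost crash described above.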
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 16:37:35 PDT