RE: MSBLASTER Infecting despite 03-026 patch?

From: enigmatechat_private
Date: Mon Aug 11 2003 - 22:50:49 PDT


    This would make sense; if I recall, the machine was patched for MS03-026
    along with 2 or 3 other simultaneous patches.
    
    -----Original Message-----
    From: Dan Hanson [mailto:dhansonat_private] 
    Sent: Tuesday, August 12, 2003 12:39 AM
    To: Carter, Mike
    Cc: Charles Hamby; incidentsat_private
    Subject: RE: MSBLASTER Infecting despite 03-026 patch?
    
    Check the versions of the files replaced by the MS03-026 patch... there
    were some reports (on NTBugtraq I believe) where application of the
    MS03-026 patch simultaneous with other things overwrote the patched
    files...
    
    http://support.microsoft.com/?kbid=823980
    
    
    
    
    On Tue, 12 Aug 2003, Carter, Mike wrote:
    
    > This is something that really worries me, I've heard it too.
    > Also I am getting conflicting results when scanning for the patch
    > installation. I've been using MBSA, GFI LANguard and Retina which all
    > tell me something different.
    > Which one should I trust??
    > Or is there something else I should be using?
    
    -snip-
    - a different included message -
    >
    >
    > I have seen, and have heard other reports of, msblaster.exe worm
    > infecting a Windows computer that had the proper KB patch specified by
    > the 03-026 advisory.  In the instance I personally saw it was a Windows
    > XP Professional workstation that was completely patched.  The person who
    > used the workstation was surprised that they were infected since they
    > had applied the patch and I verified (via Add/Remove Programs) that they
    > did, indeed, have the proper patch applied.  I checked with my parent
    > organization and they had been receiving sporadic reports of patched
    > machines being infected despite being patched.  Unfortunately I removed
    > the worm from the computer without copying it so I don't have a backup
    > of it for analysis.
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 16:42:26 PDT