RE: MSBLASTER Infecting despite 03-026 patch?

From: Jordan Wiens (jwiensat_private)
Date: Tue Aug 12 2003 - 07:36:09 PDT


    There are some known issues when the checking mechanism relies on the
    registry to verify the check.  See Paul Schmehl's post on full-disclosure
    for a bit more detail:
    http://marc.theaimsgroup.com/?l=full-disclosure&m=105960468505722&w=2
    
    -- 
    Jordan Wiens, CISSP
    UF Network Incident Response Team
    (352)392-2061
    
    On Tue, 12 Aug 2003, Carter, Mike wrote:
    
    > This is something that really worries me, I've heard it too.
    > Also I am getting conflicting results when scanning for the patch
    > installation. I've been using MBSA, GFI LANguard and Retina which all
    > tell me something different.
    > Which one should I trust??
    > Or is there something else I should be using?
    >
    > Thanks
    > Mike
    >
    > -----Original Message-----
    > From: Charles Hamby [mailto:fixerat_private]
    > Sent: Tuesday, August 12, 2003 5:13 PM
    > To: incidentsat_private
    > Subject: MSBLASTER Infecting despite 03-026 patch?
    >
    >
    > I have seen, and have heard other reports of, msblaster.exe worm
    > infecting a Windows computer that had the proper KB patch specified by
    > the 03-026 advisory.  In the instance I personally saw it was a Windows
    > XP Professional workstation that was completely patched.  The person who
    > used the workstation was surprised that they were infected since they
    > had applied the patch and I verified (via Add/Remove Programs) that they
    > did, indeed, have the proper patch applied.  I checked with my parent
    > organization and they had been receiving sporadic reports of patched
    > machines being infected despite being patched.  Unfortunately I removed
    > the worm from the computer without copying it so I don't have a backup
    > of it for analysis.
    >
    >
    >
    > Has anyone else been seeing this phenomenon or do they have any idea why
    > this might have or might be happening? I know for a fact the patch that
    > was used came straight from Microsoft so I don't suspect a faulty patch.
    >
    >
    > Charles Hamby
    >
    >
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 16:48:30 PDT