RE: MSBLASTER Infecting despite 03-026 patch?

From: Lucas Zaichkowsky (LZaichkowskyat_private)
Date: Tue Aug 12 2003 - 16:44:26 PDT


    What does hfnetchk have to say?
    
    http://www.shavlik.com/pHFNetChkLT.aspx
    
    -Lucas
    
    -----Original Message-----
    From: Carter, Mike [mailto:Mike_Carterat_private]
    Sent: Monday, August 11, 2003 10:35 PM
    To: Charles Hamby; incidentsat_private
    Subject: RE: MSBLASTER Infecting despite 03-026 patch?
    
    This is something that really worries me, I've heard it too.
    Also I am getting conflicting results when scanning for the patch
    installation. I've been using MBSA, GFI LANguard and Retina which all
    tell me something different.
    Which one should I trust??
    Or is there something else I should be using?
    
    Thanks
    Mike
    
    -----Original Message-----
    From: Charles Hamby [mailto:fixerat_private]
    Sent: Tuesday, August 12, 2003 5:13 PM
    To: incidentsat_private
    Subject: MSBLASTER Infecting despite 03-026 patch?
    
    
    I have seen, and have heard other reports of, msblaster.exe worm
    infecting a Windows computer that had the proper KB patch specified by
    the 03-026 advisory.  In the instance I personally saw it was a Windows
    XP Professional workstation that was completely patched.  The person who
    used the workstation was surprised that they were infected since they
    had applied the patch and I verified (via Add/Remove Programs) that they
    did, indeed, have the proper patch applied.  I checked with my parent
    organization and they had been receiving sporadic reports of patched
    machines being infected despite being patched.  Unfortunately I removed
    the worm from the computer without copying it so I don't have a backup
    of it for analysis.
    
    
    
    Has anyone else been seeing this phenomenon or do they have any idea why
    this might have or might be happening? I know for a fact the patch that
    was used came straight from Microsoft so I don't suspect a faulty patch.
    
    
    Charles Hamby
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 16:55:22 PDT