Our experience yesterday seemed to indicate that patched machines were suffering from the side effects of failed infection attempts. This caused a mini 'DOS' on the machine as the RPC/DCOM services appeared to be upset. Symptoms showed as search not available, no drag and drop, control panel full of garbage etc. Symptoms varied from machine to machine but a reboot always fixed it and no signs of infection were discovered - but we're still looking just in case.

-----Original Message-----
From: Dan Hanson [mailto:dhansonat_private]
Sent: Tuesday, 12 August 2003 5:39 p.m.
To: Carter, Mike
Cc: Charles Hamby; incidentsat_private
Subject: RE: MSBLASTER Infecting despite 03-026 patch?

Check the versions of the files replaced by the MS03-026 patch... there were some reports (on NTBugtraq I believe) where application of the MS03-026 patch simultaneous with other things overwrote the patched files...

http://support.microsoft.com/?kbid=823980

On Tue, 12 Aug 2003, Carter, Mike wrote:

> This is something that really worries me, I've heard it too. Also I am
> getting conflicting results when scanning for the patch installation.
> I've been using MBSA, GFI LANguard and Retina which all tell me
> something different. Which one should I trust??
> Or is there something else I should be using?

-snip- - a different included message -

> I have seen, and have heard other reports of, msblaster.exe worm
> infecting a Windows computer that had the proper KB patch specified by
> the 03-026 advisory. In the instance I personally saw it was a
> Windows XP Professional workstation that was completely patched. The
> person who used the workstation was surprised that they were infected
> since they had applied the patch and I verified (via Add/Remove
> Programs) that they did, indeed, have the proper patch applied. I
> checked with my parent organization and they had been receiving
> sporadic reports of patched machines being infected despite being
> patched. Unfortunately I removed the worm from the computer without
> copying it so I don't have a backup of it for analysis.
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 16:58:45 PDT