RE: MSBLASTER Infecting despite 03-026 patch?

From: Larsen, Colin (colin.larsenat_private)
Date: Tue Aug 12 2003 - 13:50:44 PDT


    Our experience yesterday seemed to indicate that patched machines were
    suffering from the side effects of failed infection attempts. This
    caused a mini 'DOS' on the machine as the RPC/DCOM services appeared to
    be upset. Symptoms showed as search not available, no drag and drop,
    control panel full of garbage etc. Symptoms varied from machine to
    machine but a reboot always fixed it and no signs of infection were
    discovered - but we're still looking just in case.
    
    -----Original Message-----
    From: Dan Hanson [mailto:dhansonat_private] 
    Sent: Tuesday, 12 August 2003 5:39 p.m.
    To: Carter, Mike
    Cc: Charles Hamby; incidentsat_private
    Subject: RE: MSBLASTER Infecting despite 03-026 patch?
    
    
    Check the versions of the files replaced by the MS03-026 patch... there
    were some reports (on NTBugtraq I believe) where application of the
    MS03-026 patch simultaneous with other things overwrote the patched
    files...
    
    http://support.microsoft.com/?kbid=823980
    
    
    
    
    On Tue, 12 Aug 2003, Carter, Mike wrote:
    
    > This is something that really worries me, I've heard it too. Also I am 
    > getting conflicting results when scanning for the patch installation. 
    > I've been using MBSA, GFI LANguard and Retina which all tell me 
    > something different. Which one should I trust??
    > Or is there something else I should be using?
    
    -snip-
    - a different included message -
    >
    >
    > I have seen, and have heard other reports of, msblaster.exe worm 
    > infecting a Windows computer that had the proper KB patch specified by
    > the 03-026 advisory.  In the instance I personally saw it was a 
    > Windows XP Professional workstation that was completely patched.  The 
    > person who used the workstation was surprised that they were infected 
    > since they had applied the patch and I verified (via Add/Remove 
    > Programs) that they did, indeed, have the proper patch applied.  I 
    > checked with my parent organization and they had been receiving 
    > sporadic reports of patched machines being infected despite being 
    > patched.  Unfortunately I removed the worm from the computer without 
    > copying it so I don't have a backup of it for analysis.
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 16:58:45 PDT