RE: MSBLASTER Infecting despite 03-026 patch?

From: James C. Slora, Jr. (Jim.Sloraat_private)
Date: Tue Aug 12 2003 - 16:56:32 PDT

    enigmatech wrote:
    > I can confirm this. I discovered the worm when it attempted (and failed)
    > to infect my machine (Win XP pro) this afternoon. Immediately after
    > securing the firewall setting that left me vulnerable to the port 135
    > attack I checked windowsupdate.microsoft.com and confirmed that I had in
    > fact installed the patch a few weeks earlier. While security software on
    > my system prevented the overflow payload from using tftp the payload
    > managed to terminate the RPC svchost process twice forcing a system
    > halt. This is similar to the effects of the WinNuke exploitation of a
    > similar overflow bug in RPC earlier in the year.
    
    It sounds like your system may be vulnerable to other RPC exploits
    besides Blaster, and like it might be worthwhile reapplying the patch.
    
    Windows Update definitely is not a good indicator of whether the patch
    is installed. Neither is add/remove programs. Windows Update and
    UpdateExpert don't verify the files that are on the system because they
    are optimized for speed rather than accuracy. They merely check a
    registry entry that gets added by the patch. So they can't tell you if
    your system is patched, but they can give an indication that the patch
    installation routine was run at some time or another. Add/remove
    programs tells you that the patch was installed but does not tell you if
    the patch's files were overwritten by some other installation or update.
    
    One specific case in Win2K that causes the machine to appear patched
    when it is not:
    Install Win2K SP4, don't reboot, then install the RPC patch and reboot.
    XP probably has some similar combinations that result in failure even
    though your system reports success.
    
    Microsoft's MBSA or Shavlik's HFNetChk should give a good answer about
    whether the correct files are installed, and eEye's free Retina RPC
    scanner can tell you from an external perspective whether or not your
    system is vulnerable.
    
    It is probably best to use multiple tools to verify the system's status.
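
    The distinction above (a registry marker written by the patch installer versus the files actually on disk, plus the not-yet-rebooted case) as an added PowerShell example, not code from the post or from any of the tools it names. The hotfix registry path, the file name and the expected version are assumptions to be replaced with values from the patch's own documentation.

```powershell
# Added example: compare the registry marker a patch installer writes with the
# version of a file the patch is supposed to replace, and flag a pending reboot.
# Placeholders (assumptions, not from the post): KB id, file name, minimum version.
param(
    [string]$HotfixId        = 'KBxxxxxx',                            # placeholder
    [string]$PatchedFile     = "$env:SystemRoot\System32\rpcss.dll",  # assumption
    [version]$MinimumVersion = '0.0.0.0'                              # placeholder
)

function Test-RegistryMarker {
    # This is all a registry-based checker looks at: the key exists or it does not.
    param([string]$Id)
    return (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\$Id")
}

function Get-PatchedFileVersion {
    # Read the binary's own version resource instead of trusting the marker.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $vi = (Get-Item $Path).VersionInfo
    return New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                     $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-PendingFileRename {
    # Files staged for replacement at next boot (the "installed, did not reboot" case).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $p = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    return ($null -ne $p -and @($p.PendingFileRenameOperations).Count -gt 0)
}

$marker  = Test-RegistryMarker -Id $HotfixId
$version = Get-PatchedFileVersion -Path $PatchedFile
$pending = Test-PendingFileRename

"Registry marker for $HotfixId present : $marker"
"On-disk version of $PatchedFile : $(if ($version) { $version } else { 'file missing' })"
"Pending file renames (reboot needed)   : $pending"

if ($pending) {
    'Verdict: a reboot is pending; neither marker nor file version is trustworthy yet.'
} elseif ($marker -and ($null -eq $version -or $version -lt $MinimumVersion)) {
    'Verdict: the installer ran, but the file on disk is older than the patch ships (overwritten or never applied).'
} elseif (-not $marker -and $version -ge $MinimumVersion) {
    'Verdict: file is current although no marker exists; registry-based tools will report it unpatched.'
} else {
    "Verdict: marker and file agree (patched: $($version -ge $MinimumVersion))."
}
```

    Run it elevated on the host being checked and treat its output as one more data point next to MBSA, HFNetChk or an external scan, as the post recommends.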
    
    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 22:52:55 PDT