RE: MSBLASTER Infecting despite 03-026 patch?

From: Charles Hamby (fixerat_private)
Date: Tue Aug 12 2003 - 19:32:13 PDT


    The machine I saw was a classic blaster infection:  it had the registry
    entry and fport showed it listening on multiple TCP and UDP ports.  What I
    suspect happened was that the user applied the patch and then applied other
    patches later that overwrote the critical files that made the system
    vulnerable, since he said that he used Retina to check his system and that it
    showed up as patched.
    
    Charles Hamby
    
    -----Original Message-----
    From: Larsen, Colin [mailto:colin.larsenat_private] 
    Sent: Tuesday, August 12, 2003 12:51 PM
    To: incidentsat_private
    Subject: RE: MSBLASTER Infecting despite 03-026 patch?
    
    Our experience yesterday seemed to indicate that patched machines were
    suffering from the side effects of failed infection attempts. This
    caused a mini 'DOS' on the machine as the RPC/DCOM services appeared to
    be upset. Symptoms showed as search not available, no drag and drop,
    control panel full of garbage etc. Symptoms varied from machine to
    machine but a reboot always fixed it and no signs of infection were
    discovered - but we're still looking just in case.
    
    -----Original Message-----
    From: Dan Hanson [mailto:dhansonat_private] 
    Sent: Tuesday, 12 August 2003 5:39 p.m.
    To: Carter, Mike
    Cc: Charles Hamby; incidentsat_private
    Subject: RE: MSBLASTER Infecting despite 03-026 patch?
    
    
    Check the versions of the files replaced by the MS03-026 patch... there
    were some reports (on NTBugtraq I believe) where application of the
    MS03-026 patch simultaneous with other things overwrote the patched
    files...
    
    http://support.microsoft.com/?kbid=823980
    
    
    
    
    On Tue, 12 Aug 2003, Carter, Mike wrote:
    
    > This is something that really worries me, I've heard it too. Also I am 
    > getting conflicting results when scanning for the patch installation. 
    > I've been using MBSA, GFI LANguard and Retina which all tell me 
    > something different. Which one should I trust??
    > Or is there something else I should be using?
    
    -snip-
    - a different included message -
    >
    >
    > I have seen, and have heard other reports of, msblaster.exe worm 
    > infecting a Windows computer that had the proper KB patch specified by
    > the 03-026 advisory.  In the instance I personally saw it was a 
    > Windows XP Professional workstation that was completely patched.  The 
    > person who used the workstation was surprised that they were infected 
    > since they had applied the patch and I verified (via Add/Remove 
    > Programs) that they did, indeed, have the proper patch applied.  I 
    > checked with my parent organization and they had been receiving 
    > sporadic reports of patched machines being infected despite being 
    > patched.  Unfortunately I removed the worm from the computer without 
    > copying it so I don't have a backup of it for analysis.
    
    
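One way to do the file-version check Dan suggests (compare the binaries the patch replaced against the versions listed in the KB article, rather than trusting Add/Remove Programs or a scanner), as an added example that is not part of this thread. The file names and minimum versions in the baseline are placeholders to be filled in from KB 823980; they are assumptions, not values quoted by anyone above.

```powershell
# Added example, not from the thread. Baseline of files the patch replaced and
# the minimum FileVersion each should carry. Names and versions are
# PLACEHOLDERS (assumption): take the real list from the patch's KB article.
$baseline = @{
    'rpcrt4.dll' = '0.0.0.0'   # PLACEHOLDER: fill in from KB 823980
    'rpcss.dll'  = '0.0.0.0'   # PLACEHOLDER
    'ole32.dll'  = '0.0.0.0'   # PLACEHOLDER
}
$sysdir = Join-Path $env:SystemRoot 'system32'

function Test-PatchedFileVersions {
    param([hashtable]$Baseline, [string]$Dir)
    foreach ($name in $Baseline.Keys) {
        $path     = Join-Path $Dir $name
        $required = [version]$Baseline[$name]
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $name; Installed = 'missing'; Required = $required; Status = 'MISSING' }
            continue
        }
        # FileVersion can carry a build tag after a space ("5.1.2600.1243 (xpsp2...)"),
        # so keep only the dotted numeric part before converting.
        $raw       = (Get-Item $path).VersionInfo.FileVersion
        $installed = [version]($raw -split ' ')[0]
        # A file older than the baseline means something overwrote the patched copy.
        $status = if ($installed -ge $required) { 'OK' } else { 'DOWNGRADED' }
        [pscustomobject]@{ File = $name; Installed = $installed; Required = $required; Status = $status }
    }
}

Test-PatchedFileVersions -Baseline $baseline -Dir $sysdir | Format-Table -AutoSize
```

Any row marked DOWNGRADED or MISSING is a host that reports as patched in Add/Remove Programs but no longer carries the patched binary, which is the case the thread describes.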



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 22:55:19 PDT