There may be more to it. We've had at least two incidents where the patch
manifest was confirmed but the boxes got infected. And, I don't think the
infection came through an email seed, as we block executables at the SMTP
gateway.

G

-----Original Message-----
From: Jordan Wiens [mailto:jwiensat_private]
Sent: Tuesday, August 12, 2003 10:36 AM
To: Carter, Mike
Cc: Charles Hamby; incidentsat_private
Subject: RE: MSBLASTER Infecting despite 03-026 patch?

There are some known issues when the checking mechanism relies on the
registry to verify the check. See Paul Schmehl's post on full-disclosure
for a bit more detail:

http://marc.theaimsgroup.com/?l=full-disclosure&m=105960468505722&w=2

--
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Tue, 12 Aug 2003, Carter, Mike wrote:

> This is something that really worries me, I've heard it too. Also I am
> getting conflicting results when scanning for the patch installation.
> I've been using MBSA, GFI LANguard and Retina which all tell me
> something different. Which one should I trust??
> Or is there something else I should be using?
>
> Thanks
> Mike
>
> -----Original Message-----
> From: Charles Hamby [mailto:fixerat_private]
> Sent: Tuesday, August 12, 2003 5:13 PM
> To: incidentsat_private
> Subject: MSBLASTER Infecting despite 03-026 patch?
>
> I have seen, and have heard other reports of, msblaster.exe worm
> infecting a Windows computer that had the proper KB patch specified by
> the 03-026 advisory. In the instance I personally saw it was a
> Windows XP Professional workstation that was completely patched. The
> person who used the workstation was surprised that they were infected
> since they had applied the patch and I verified (via Add/Remove
> Programs) that they did, indeed, have the proper patch applied. I
> checked with my parent organization and they had been receiving
> sporadic reports of patched machines being infected despite being
> patched. Unfortunately I removed the worm from the computer without
> copying it so I don't have a backup of it for analysis.
>
> Has anyone else been seeing this phenomenon or do they have any idea
> why this might have or might be happening? I know for a fact the patch
> that was used came straight from Microsoft so I don't suspect a faulty
> patch.
>
> Charles Hamby
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 23:05:51 PDT