RE: Probable new MS DCOM RPC worm for Windows

["Carey, Steve T GARRISON" <steven-carey () us army mil>]

 These were desktops, but suppose it could be possible on some of them.

-----Original Message-----
From: James C. Slora, Jr.
To: Carey, Steve T GARRISON
Cc: incidents () securityfocus com
Sent: 9/26/2003 4:57 PM
Subject: RE: Probable new MS DCOM RPC worm for Windows

Carey, Steve T GARRISON wrote Friday, September 26, 2003 8:05 AM

> We ran the Retina DCOM scanner and it showed they were patched.

Could any of the systems have been infected through Nachi/Welchia's
WebDAV vector instead of through RPC?
 
(Tina Bird wrote Thursday, September 25, 2003 8:51 PM)
> On Thu, 25 Sep 2003, Carey, Steve T GARRISON wrote:
>
> > We have seen a number of infections of Nachi/Welchia on patched
systems.  Was
> > told that the MS03-026 patch was only 60% effective, so you still
had a 1 in 3
> > chance of being infected.  Apparently the MS03-039 patch fixes the
entire
> > vulnerability and not just some of it.  We re-enforced the rule for
keeping
> > the anti-virus current, which stopped Nachi/Welchia worm (in 
> > most cases, not all).
>
> so, given that welchia installs the patch for 03-026, and given that
> windows will happily re-install 03-026 even if it's already there, how
did
> you figure out that some of those machines were infected >after< they
had
> 03-026 installed?

---------------------------------------------------------------------------
----------------------------------------------------------------------------