I can confirm this. I discovered the worm when it attempted (and failed)
to infect my machine (Win XP pro) this afternoon. Immediately after
securing the firewall setting that left me vulnerable to the port 135
attack I checked windowsupdate.microsoft.com and confirmed that I had in
fact installed the patch a few weeks earlier. While security software on
my system prevented the overflow payload from using tftp, the payload
managed to terminate the RPC svchost process twice, forcing a system
halt. This is similar to the effects of the WinNuke exploitation of a
similar overflow bug in RPC earlier in the year.
-R Rahmani
-----Original Message-----
From: Charles Hamby [mailto:fixer (at) gci (dot) net [email concealed]]
Sent: Tuesday, August 12, 2003 12:13 AM
To: incidents (at) securityfocus (dot) com [email concealed]
Subject: MSBLASTER Infecting despite 03-026 patch?
I have seen, and have heard other reports of, msblaster.exe worm
infecting a Windows computer that had the proper KB patch specified by
the 03-026 advisory. In the instance I personally saw it was a Windows
XP Professional workstation that was completely patched. The person who
used the workstation was surprised that they were infected since they
had applied the patch and I verified (via Add/Remove Programs) that they
did, indeed, have the proper patch applied. I checked with my parent
organization and they had been receiving sporadic reports of patched
machines being infected despite being patched. Unfortunately I removed
the worm from the computer without copying it so I don't have a backup
of it for analysis.
Has anyone else been seeing this phenomenon or do they have any idea why
this might have or might be happening? I know for a fact the patch that
was used came straight from Microsoft so I don't suspect a faulty patch.
Charles Hamby
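As an added illustration (not part of either message above, and not code from the list posters): the sequence Rahmani describes, an inbound connection to tcp/135 followed by the attacked host fetching the payload over tftp, is something a firewall log can be checked for after the fact. The script below parses constructed sample log lines in an assumed "date time ACTION PROTO src:port -> dst:port" format (the format, the addresses and the 60-second window are all assumptions made for this example), counts tcp/135 probes per source, and flags any host that opened a udp/69 session back to a peer that had just connected to its port 135.

```python
"""
Correlate tcp/135 connections with a tftp (udp/69) session back to the
same peer, the pattern described in the list thread above.

Example code written for this page; the log format and all addresses
below are constructed assumptions, not real data.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines. Assumed format:
# "<date> <time> <ACTION> <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-08-12 14:01:05 ALLOW TCP 10.0.0.7:1032 -> 192.168.1.20:135
2003-08-12 14:01:06 ALLOW UDP 192.168.1.20:1045 -> 10.0.0.7:69
2003-08-12 14:01:09 DENY TCP 10.0.0.9:2231 -> 192.168.1.20:135
2003-08-12 14:02:40 ALLOW TCP 10.0.0.7:1038 -> 192.168.1.21:135
2003-08-12 14:03:11 ALLOW TCP 192.168.1.30:3000 -> 192.168.1.40:135
2003-08-12 14:30:00 ALLOW UDP 192.168.1.21:1050 -> 10.0.0.7:69
"""

RPC_PORT = 135   # DCOM RPC endpoint mapper, the port the mail refers to
TFTP_PORT = 69   # tftp, used by the payload to pull the worm binary


def parse_line(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7 or parts[5] != "->":
        return None
    date, time, action, proto, src, _, dst = parts
    try:
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
    except ValueError:
        return None
    return {"ts": ts, "action": action.upper(), "proto": proto.upper(),
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port)}


def parse_log(text):
    """Parse a whole log; malformed lines are dropped rather than raising."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_rpc_probes(events):
    """Per-source count of connections to tcp/135, allowed or denied."""
    return Counter(e["src"] for e in events
                   if e["proto"] == "TCP" and e["dport"] == RPC_PORT)


def correlate_rpc_then_tftp(events, window_seconds=60):
    """
    Flag hosts that accepted a tcp/135 connection and, within the window,
    opened a udp/69 session back to the same peer. Only ALLOWed 135
    connections are considered: a denied one cannot have delivered a payload.
    """
    window = timedelta(seconds=window_seconds)
    rpc = [e for e in events
           if e["proto"] == "TCP" and e["dport"] == RPC_PORT and e["action"] == "ALLOW"]
    tftp = [e for e in events if e["proto"] == "UDP" and e["dport"] == TFTP_PORT]
    hits = []
    for r in rpc:
        for t in tftp:
            if (t["src"] == r["dst"] and t["dst"] == r["src"]
                    and timedelta(0) <= t["ts"] - r["ts"] <= window):
                hits.append({"victim": r["dst"], "attacker": r["src"],
                             "rpc_at": r["ts"].isoformat(sep=" "),
                             "tftp_at": t["ts"].isoformat(sep=" ")})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, n in count_rpc_probes(evs).most_common():
        print(f"{src}: {n} connection(s) to tcp/{RPC_PORT}")
    for h in correlate_rpc_then_tftp(evs):
        print("likely compromise:", h)
```

A denied tcp/135 entry with no tftp follow-up is what a correctly configured firewall, or a patched host, should leave behind; the flagged pair (192.168.1.20 in the sample) is the machine worth pulling for a look. The window is a tuning choice for noisy logs, not a property of the worm, and the correlation only works if the firewall logs outbound UDP as well as inbound TCP.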