Full Disclosure mailing list archives

[Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1456 - 15 msgs


From: mike.keighley () adarelexicon com
Date: Tue, 17 Feb 2004 18:18:15 +0000

Robin,

The patch for MS03-039 should stop a worm (e.g. Blaster) from spreading to 
other hosts on your LAN via RPC/DCOM.
It does nothing to stop infection of the local machine via (say) an IE 
object vulnerability.
Given that the infected file is in the IE temp folder, this is highly 
likely.
A quick google on "IE object vulnerability" will yield more than you 
wanted to know, but the short version is that many such bugs have been 
fixed in IE patches over the last few years, and many still have not.

Yes we had one laptop infected like this, within about 5 mins of first 
connecting it to the net.
The admin who did this without checking the anti-virus status first has 
been flogged.
Some would say you need anti-virus, anti-spyware, personal-firewall, IE 
patches, and scripting turned off.
Others would say you need a different browser <g>

Mike.

-----Original Message-----
From: Ferris, Robin [mailto:R.Ferris () napier ac uk]
Sent: 17 February 2004 14:59
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] exploit-dcomrpc.gen

Hi folks

A couple of quick questions: has anyone else seen this infection recently, 
exploit-dcomrpc.gen? You would probably be using McAfee to see it detected 
as this.

What is odd is that these machines that are infected are patched with 
MS03-007/026/039. I was wondering if anyone had seen this at all.
The infection goes to c:\windows\system32\drivers\svchost.exe 
The infected file is in the IE temp folder, labelled WksPatch[1].exe 
Any info would be appreciated.

Thanks

Robin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
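As an added example, not code from either poster, here is a small triage check for the two indicators Robin reports (a svchost.exe under system32\drivers, and an executable sitting in the IE temp folder), which is the sort of local check Mike's point calls for: the RPC/DCOM patch only blocks network spread, so a host that is fully patched for MS03-039 can still carry a browser-delivered dropper. The file inventory in the block is constructed for the example; the EXPECTED_DIRS table is an assumption about the Windows 2000/XP layout, not an authoritative list, and nothing here identifies the actual malware, it only flags paths worth a closer look.

```python
"""
Added example, not code from the mailing-list thread: flag well-known
system binary names living outside their usual directory, and executables
cached by Internet Explorer. EXPECTED_DIRS is an assumption (2000/XP
layout); SAMPLE_INVENTORY is constructed data.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Assumption: where these system binaries legitimately live. Malware often
# reuses the names, so a copy anywhere else is worth a look.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\winnt\system32"},
    "lsass.exe":   {r"c:\windows\system32", r"c:\winnt\system32"},
    "csrss.exe":   {r"c:\windows\system32", r"c:\winnt\system32"},
}

# Directory fragment that identifies the IE cache on 2000/XP.
IE_CACHE_MARKER = "temporary internet files"


@dataclass
class Finding:
    path: str
    reason: str


def normalise(path: str) -> str:
    """Lower-case and collapse separators so comparisons are case-insensitive."""
    return ntpath.normpath(path).lower()


def check_path(path: str) -> Optional[Finding]:
    """Return a Finding if the path matches one of the indicators, else None."""
    p = normalise(path)
    directory, name = ntpath.split(p)
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        return Finding(path, f"{name} outside its expected directory: {directory}")
    # IE stores a download under its original name and appends [n] when that
    # name collides with a file already in the cache, so WksPatch[1].exe is
    # just a cached copy of something fetched as WksPatch.exe.
    if name.endswith(".exe") and IE_CACHE_MARKER in directory:
        return Finding(path, "executable in the IE cache")
    return None


def triage(paths: List[str]) -> List[Finding]:
    """Run check_path over a file inventory and keep only the hits."""
    findings = []
    for p in paths:
        f = check_path(p)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample inventory (not real data from the thread's hosts).
SAMPLE_INVENTORY = [
    r"C:\WINDOWS\system32\svchost.exe",              # legitimate
    r"C:\WINDOWS\system32\drivers\svchost.exe",      # drop location Robin reports
    r"C:\WINDOWS\system32\drivers\ntfs.sys",         # legitimate driver
    r"C:\Documents and Settings\robin\Local Settings"
    r"\Temporary Internet Files\Content.IE5\X1Y2Z3W4\WksPatch[1].exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.path}\n    {f.reason}")
```

On a real box you would feed triage() the output of a recursive directory listing rather than a hand-written list; the point of keeping the expected-location table explicit is that it is the part you have to maintain per Windows version, while the IE cache check is a plain substring test on the directory.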