> -----Original Message-----
> From: Richard Johnson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2003 10:03 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Probable new MS DCOM RPC worm for Windows
>
> We finally had infections occur on Tuesday evening showing the same
> scan behavior. Sysadmins doing cleanup report Norton and McAfee IDed
> the bug as W32.Welchia.
>
> I don't know whether it was a variant using one of the two new RPC
> holes, or just month-old Welchia. That's because the hosts hit were
> traditional non-compliant lab machines and non-adminned remote office
> or home hosts. In other words, they were still vulnerable to the
> original blaster worm.
I'm thinking that there *has* to be a variant of Nachi/Welchia in the wild. We have machines that were patched for MS03-026 (verified by scanning with multiple scanners) but not patched for MS03-039 (ditto), and they have been infected by something that triggers my Nachi rule in snort. This should *not* be possible with the "original" Nachi/Welchia, so my assumption is that either something new has been released or the worm has mutated somehow.

Mind you, this is anecdotal and a very small incidence (only three machines so far), but it still bears watching IMHO. I've been surprised to not see any discussion on the lists about a new variant. Perhaps no one is looking?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html