[Dshield] msblast, local infection

Craig Shaw CraigS at caamb.mb.ca
Tue Aug 12 19:05:05 GMT 2003


If you download the nasty bits, then it doesn't matter if you've patched or
not, as the nasty bits only use DCom to get a foothold on the machine. If a
user downloads the nasty bits directly, there is no need for the DCom
exploit. DCom was only the door to the system.

Update AV should have caught that though... maybe this is a new one /
variant?

Craig Shaw
Systems Administrator
CAA Manitoba
(204) 262-6035
craigs at caamanitoba.com


-----Original Message-----
From: Bruyere, Michel [mailto:mbruyere at ezemcanada.com] 
Sent: 12-Aug-03 13:57
To: 'General DShield Discussion List'
Subject: [Dshield] msblast, local infection

Hi all, 
		I've found someone who has been infected locally by the
MSBLAST worm. By locally i mean he downloaded the msblast file from don't
know where and when he tried to open it he did a mistake. Instead of right
click the open with he choose open, so he got infected. Right there he
disconnected his network cable to avoid propagation of the worm in the lan.
When he told me this story i asked him if he was "full patch" and he told me
yes. I asked him to double check to be sure hes really patched (just to be
sure it's not windows update that detect non-installed patches as installed)
for this bug, still waiting his reply. So I would like to know if it's
"normal" to be infected locally, even full patched? Or did someone else got
infected while full patched?


Thanks for your input

NB.: i'll keep you posted as soon as i get confirmation of my friend if he's
"really" full patched or if it wasn't.


M.Bruyere 

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list