[Dshield] msblast, local infection

Jonathan Rickman jonathan at xcorps.net
Tue Aug 12 19:13:31 GMT 2003


On Tuesday 12 August 2003 14:57, Bruyere, Michel wrote:
> Hi all,
> I've found someone who has been infected locally by the MSBLAST
> worm. By locally I mean he downloaded the msblast file from I don't
> know where, and when he tried to open it he made a mistake. Instead of
> right-clicking and choosing Open With, he chose Open, so he got
> infected. Right there he disconnected his network cable to avoid
> propagation of the worm in the LAN. When he told me this story I asked
> him if he was "full patch" and he told me yes. I asked him to double
> check to be sure he's really patched (just to be sure it's not Windows
> Update that detects non-installed patches as installed) for this bug;
> still waiting for his reply. So I would like to know if it's "normal"
> to be infected locally, even fully patched? Or did someone else get
> infected while fully patched?

The RPC DCOM vulnerability is merely a vector used to get the machine to do 
just what your friend did. The executable will run just the same as if it 
was propagated by the worm itself. If he is fully patched, removing the 
file should be all that is required.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net




