[Dshield] msblast, local infection

Bruyere, Michel mbruyere at ezemcanada.com
Tue Aug 12 19:24:22 GMT 2003


Hi,
	Thanks for the information, I'll forward it to him. About the AV,
you raised a good point, I didn't ask him if he was AV protected and up to
date...

Thanks again! 

M.Bruyere



> -----Original Message-----
> From: Craig Shaw [mailto:CraigS at caamb.mb.ca]
> Sent: Tuesday, August 12, 2003 15:05
> To: 'General DShield Discussion List'
> Subject: RE: [Dshield] msblast, local infection
> 
> If you download the nasty bits, then it doesn't matter if you've patched
> or not, as the nasty bits only use DCom to get a foothold on the machine.
> If a user downloads the nasty bits directly, there is no need for the DCom
> exploit. DCom was only the door to the system.
> 
> Updated AV should have caught that though... maybe this is a new one /
> variant?
> 
> Craig Shaw
> Systems Administrator
> CAA Manitoba
> (204) 262-6035
> craigs at caamanitoba.com
> 
> 
> -----Original Message-----
> From: Bruyere, Michel [mailto:mbruyere at ezemcanada.com]
> Sent: 12-Aug-03 13:57
> To: 'General DShield Discussion List'
> Subject: [Dshield] msblast, local infection
> 
> Hi all,
> 		I've found someone who has been infected locally by the
> MSBLAST worm. By locally I mean he downloaded the msblast file from I don't
> know where, and when he tried to open it he made a mistake. Instead of
> right-clicking and choosing "Open with", he chose "Open", so he got
> infected. Right there he disconnected his network cable to avoid
> propagation of the worm in the LAN.
> When he told me this story I asked him if he was "full patch" and he told
> me yes. I asked him to double check to be sure he's really patched (just to
> be sure it's not Windows Update that detects non-installed patches as
> installed) for this bug, still waiting for his reply. So I would like to
> know if it's "normal" to be infected locally, even fully patched? Or did
> someone else get infected while fully patched?
> 
> 
> Thanks for your input
> 
> NB.: I'll keep you posted as soon as I get confirmation from my friend
> whether he's "really" fully patched or not.
> 
> 
> M.Bruyere
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list



