[unisog] MSBlast and McAfee AV

Anderson Johnston andy at umbc.edu
Tue Aug 12 19:07:00 GMT 2003


We've been finding XPs with the msblast.exe executable installed, but
without the HKLM\...\CurrentVersion\Run registry entry that re-starts it
on re-boot.


An article in ZDNet:
	http://zdnet.com.com/2100-1105_2-5062524.html
suggests that the executable, msblast.exe, runs tftp on a compromised
system to download a copy of the worm (itself?). It then sets the registry
key.  We are now wondering if msblast.exe gets installed (copied) from the
attacking system and then tries to set the registry key.  If something
(McAfee?) interferes with the process, msblast.exe might get installed but
the registry never changed, giving us the symptoms we see now.

					- andy


On Tue, 12 Aug 2003, Anderson Johnston wrote:

>
> Anybody else using McAfee out there?  Update 4284 is supposed to detect
> MSBlast and we can't seem to get it to do so.
>
> 						- andy
>
> ------------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
> ** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
> ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
> ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
> ------------------------------------------------------------------------------
>





