[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1456 - 15 msgs
Date: Tue Feb 17 2004 - 12:18:15 CST
The patch for MS03-039 should stop a worm (e.g. Blaster) from spreading to
other hosts on your LAN via RPC/DCOM.
It does nothing to stop infection of the local machine via (say) an IE
Given that the infected file is in the IE temp folder, this is highly
A quick google on "IE object vulnerability" will yield more than you
wanted to know, but the short version is that many such bugs have been
fixed in IE patches over the last few years, and many still have not.
Yes, we had one laptop infected like this, within about 5 mins of first
connecting it to the net.
The admin who did this without checking the anti-virus status first has
Some would say you need anti-virus, anti-spyware, personal-firewall, IE
patches, and scripting turned off.
Others would say you need a different browser <g>
From: Ferris, Robin [mailto:R.Ferrisnapier.ac.uk]
Sent: 17 February 2004 14:59
Subject: [Full-Disclosure] exploit-dcomrpc.gen
A couple of quick questions: has anyone else seen this infection recently,
exploit-dcomrpc.gen? You would probably be using McAfee to see it detected.
What is odd is that these machines that are infected are patched with
MS03-007/026/039. Was wondering if anyone had seen this at all.
Infection goes to c:\windows\system32\drivers\svchost.exe
Infected file is in IE temp folder labelled as WksPatch.exe
Any info would be appreciated.
Full-Disclosure - We believe in it.