Title: Message
We got smoked yesterday around 1:00. It was difficult to troubleshoot what was going on because I couldn't figure out how it was replicating through the network. Some machines had symptoms and others didn't (some machines had patches applied). Our symptoms included problems with Office, problems with Exchange and problems with printing. It was pretty obvious around 4:00 that it was replicating all over the place. Once you've installed the patch I think you still have to delete something from the registry to keep the computer from infecting other computers.
-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS

Yusuf,
 
Check out some of the security vulnerability lists like full-disclosure, vulnwatch, vulndiscuss, etc. People are saying that since yesterday sometime, possibly the night before, they have been seeing infections and have noticed a considerable increase in hits on their firewalls for RPC ports and other ports used by MSBLASTER. Also, some of the other Microsoft MVPs have indicated that they have seen it in their sites as well. Check out http://isc.sans.org/images/port135percent.png at sans.org and note the huge spike in the number of sources and records. If you have a high number of records/targets but a relatively low number of sources, that is usually normal people or black hats scanning. If you have a high number of sources and records, then that is usually a worm or virus.
 
Additionally, in the public newsgroups there have been several posts of people complaining of the symptoms of the worm, such as why is my machine scanning NetBIOS ports or why is my machine getting an RPC error and rebooting, etc.
 
I haven't gotten to the office yet, but I am expecting that I will be hearing about infections today inside our intranet.
 
   joe
 
--
Joe Richards Microsoft MVP Windows Server / Active Directory
www.joeware.net
 
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Tuesday, August 12, 2003 8:02 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS

Hi everyone

Curiosity has gotten the better of me and I wanted to know if anyone out there has been affected by the virus that does the RPC call to the operating system?

Your comments,

Yusuf
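
The sources-versus-records rule of thumb from Joe's reply, applied to firewall deny records, as an added example that is not part of the original thread. The log format, the function names and both thresholds are assumptions made for this illustration, and the sample records are constructed from documentation address ranges.

```python
from collections import defaultdict

# Assumed thresholds for this illustration only; tune them to your own baseline.
MIN_RECORDS = 100   # below this, too little traffic on a port to judge
MANY_SOURCES = 50   # what counts as a "high number of sources"

def parse(line):
    """Parse one constructed deny record: 'src_ip dst_ip dst_port'."""
    src, dst, port = line.split()
    return src, dst, int(port)

def summarize(lines):
    """Per destination port: (records, distinct sources, distinct targets)."""
    stats = defaultdict(lambda: {"records": 0, "sources": set(), "targets": set()})
    for line in lines:
        if not line.strip():
            continue
        src, dst, port = parse(line)
        entry = stats[port]
        entry["records"] += 1
        entry["sources"].add(src)
        entry["targets"].add(dst)
    return {p: (e["records"], len(e["sources"]), len(e["targets"]))
            for p, e in stats.items()}

def classify(records, sources):
    """High records + few sources = scanning; high records + many sources = worm-like."""
    if records < MIN_RECORDS:
        return "background"
    return "worm-like" if sources >= MANY_SOURCES else "scanning"

def report(lines):
    return {port: classify(rec, src) for port, (rec, src, _) in summarize(lines).items()}

def scan_day():
    # Constructed sample: 2 sources sweeping 100 targets each on port 135.
    return [f"198.51.100.{s} 192.0.2.{t} 135" for s in (1, 2) for t in range(1, 101)]

def worm_day():
    # Constructed sample: 120 sources, each probing 2 targets on port 135.
    return [f"203.0.113.{s} 192.0.2.{t} 135" for s in range(1, 121) for t in (10, 11)]

if __name__ == "__main__":
    for name, day in (("scan", scan_day()), ("worm", worm_day())):
        print(name, summarize(day), report(day))
```

Both sample days have a similar record count on port 135; only the number of distinct sources separates them, which is the distinction the reply draws from the SANS graph.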



