W32.Welchia is in the wild. I have a customer who found it on his home machine this morning. He is using Norton, which kindly informed him that it had no way to handle it...

G

On or about 2003.09.25 10:57:12 +0000, Cael Abal ([EMAIL PROTECTED]) said:

> >I'm thinking that there *has* to be a variant of Nachi/Welchia in the
> >wild. We have machines that were patched for MS03-026 (verified by
> >scanning with multiple scanners) but not patched for MS03-039 (ditto)
> >and they have been infected by something that triggers my Nachi rule in
> >snort. This should *not* be possible with the "original" Nachi/Welchia,
> >so my assumption is that either something new has been released or the
> >worm has mutated somehow.
> >
> >Mind you, this is anecdotal and a very small incidence (only three
> >machines so far), but it still bears watching IMHO. I've been surprised
> >to not see any discussion on the lists about a new variant. Perhaps no
> >one is looking?
>
> Hi Paul,
>
> Did you use a third-party tool to verify the patches were actually
> successfully installed on the infected machines, before detecting the
> infection?
>
> Cael
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Gregory A. Gilliss, CISSP        Telephone: 1 650 872 2420
Computer Engineering             E-mail: [EMAIL PROTECTED]
Computer Security                ICQ: 123710561
Software Development             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
