We have seen a number of infections of Nachi/Welchia on patched systems. Was told that the MS03-026 patch was only 60% effective, so you still had a 1 in 3 chance of being infected. Apparently the MS03-039 patch fixes the entire vulnerability and not just some of it. We re-enforced the rule for keeping the anti-virus current, which stopped Nachi/Welchia worm (in most cases, not all).
Steve Carey -----Original Message----- From: Derek Vadala [mailto:[EMAIL PROTECTED] Sent: Thursday, September 25, 2003 2:44 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Probable new MS DCOM RPC worm for Windows > I'm thinking that there *has* to be a variant of Nachi/Welchia in the > wild. We have machines that were patched for MS03-026 (verified by > scanning with multiple scanners) but not patched for MS03-039 (ditto) > and they have been infected by something that triggers my Nachi rule in > snort. This should *not* be possible with the "original" Nachi/Welchia, > so my assumption is that either something new has been released or the > worm has mutated somehow. > > Mind you, this is anecdotal and a very small incidence (only three > machines so far), but it still bears watching IMHO. I've been surprised > to not see any discussion on the lists about a new variant. Perhaps no > one is looking? > > Paul Schmehl ([EMAIL PROTECTED]) We've seen the same thing over here. I've had a handful of machines (perhaps 15-20 out of 2500) here that were reported to be patched against MS03-026 yet became infected with Welchia. These machines were not patched against MS03-039. One possibility is that the systems were already infected with Welchia at the time they were patched against MS03-026. I know of at least one or two cases here where the technical support person assigned to fix a particular system didn't appropriately follow the removal procedures and left a patched, but infected, system. I have to assume this is happening without notice in other cases, since there haven't been reports of a variant, and the number of systems in this situation is rather low. So I'm betting user error, though I find it hard to believe there isn't another variant making the rounds. --------------------------------------------------------------------------- ---------------------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
