Pantek Library

RE: MSBlast and other known exploits..

From: Alon Tirosh <atirosh(at)interactiveedge.com>
Date: Wed Aug 13 2003 - 11:07:18 EDT


Sounds like the infection went off and damaged COM+ on the affected machines. This was a reported side effect when the vulnerability was first analyzed and tested. I can confirm this happening on a number of infected systems that I've worked with, and it appears that the TMSC patterns do wonders to restore the system to operation.

I'd give a shot at simply cleaning the affected systems and seeing whether the problem clears up before pulling out the hose.

-----Original Message-----

From: Micheal Patterson [mailto:micheal@cancercare.net]
Sent: Wednesday, August 13, 2003 8:45 AM
To: incidents@securityfocus.com
Subject: MSBlast and other known exploits..

I've got reports of msblast infection that I've checked and they indeed do have msblast. Also, these systems all have what appears to be a corrupted control panel applet. The normal control panel shows up in a left hand frame and the contents of add/remove programs is missing. Also, various popup windows simply will not open. I've read that there was a known root kit that utilized the same dcom exploit called khat2 (spelling) but I'm not having much luck in locating the symptoms of systems that have been rooted in this manner. Any information would be appreciated. I will be recommending that these systems be blown away and reinstalled from clean media, I'm just looking for some info to verify what's eaten away at these things.

Thank you.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-733-2230

Received on Wed Aug 13 20:06:02 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:16 EDT

