Hosting Provided By

RE: MSBLASTER Infecting despite 03-026 patch?

From: Jonathan Bloomquist <bocasolutions(at)yahoo.com>
Date: Wed Aug 13 2003 - 13:12:58 EDT

I have been using the Retina DCOM scanner and it is working very well. After patching some systems, they still scanned as vulnerable. On NT, we were using the presence of the registry key
HKLM\Software\Microsoft\Windows NT\Current Version\Hotfix\Q823980 to verify that the workstations were patched, but I found a workstation that had the registry key, but still scanned as vulnerable.

Apparently something interfered with the installation before the .dlls or .exe could be loaded but after the registry key was created. Repatching the affected systems fixed them.

This seemed to happen on workstations that were not up to service pack 6a. The hotfix would terminate and the user would reboot without noticing the error.

Marc Maiffret <marc@eeye.com> wrote:
> I cant speak for the other tools but Retina's latest

> | ---
> |
>

> | ----
> |
> |
> |
>

> | ---------
> |
>

> | ----------
> |
> |
>
>
>

>

>
>
>

Jonathan Bloomquist, CISSP

Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com

Received on Wed Aug 13 20:59:37 2003

This message: [ Message body ]
Next message: David Vincent: "new msblaster on the loose?"
Previous message: steve(at)uk.intasys.com: "Tools for monitoring port scans / connection attmempts?"
In reply to Marc Maiffret: "RE: MSBLASTER Infecting despite 03-026 patch?"
Next in thread: Joe Blatz: "RE: MSBLASTER Infecting despite 03-026 patch?"
Reply: Joe Blatz: "RE: MSBLASTER Infecting despite 03-026 patch?"
Reply: Marc Maiffret: "RE: MSBLASTER Infecting despite 03-026 patch?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:16 EDT