iis security : RPC/DCOM Worm Released



paul_lynch67 NO[at]SPAM hotmail.com
7/30/2003 2:09:24 AM
Hello,

This is a quick heads-up to let you know that there have been
'sightings' of a new worm which seeks to exploit the latest
vulnerability in all versions of Windows.

More details here :

http://grc.com/default.htm
http://vil.nai.com/vil/content/v_100516.htm

Patch available here :

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Regards,

Paul Lynch

Karl Levinson [x y] mvp
7/30/2003 11:16:08 AM
Um, I feel obligated to say that I still don't see evidence of a worm using
this RPC vulnerability just yet. Link #1 mentions increased scanning on
Netbios ports which could be caused by just about anything. Link #2 as far
as I can tell detects use of a scanning/exploit tool. Neither link shows
any infections or even compromises, which makes me think this is not a worm.
Maybe it's an RPC worm, maybe it's not. Maybe the difference is academic,
but at this point I feel it more likely that this activity is either use of
scanning tools and/or something unrelated to the RPC exploit. The scanning
tools are being downloaded at a tremendous rate and no doubt being used.


Alessandro Perilli
7/30/2003 3:36:55 PM
I expect a second, more aggressive worm after this one, since every day an
RPC exploit with more targets is released: the first one had 3 targets, the
second one 5, then an 18-target exploit appeared, and now I can see a
44-target exploit available around (Chinese, Japanese, Korean, English,
German and Mexican targets are vulnerable as of now).

Also, the security research group that unveiled this vulnerability reports
they found a universal address that works against win2k/XP machines,
without looking at SP level.

--

Alessandro Perilli
Security Consultant / Trainer

MCT - MCSE 2000 SECURITY - LINUX+
CCSI - CCSE 2000 - CCSE+ NG
CCNA - CIWP - CIWSA - CCA XP