PC Review



DCOM worm on the rampage

 
 
Gabriele Neukam
 
      11th Aug 2003

I just received a warning in a German security newsgroup that a new worm
makes use of the RPC DCOM vulnerability (whatever this is; my olde WinME
computer probably doesn't have this).

Link given is <http://isc.sans.org/diary.html?date=2003-08-11>

Keep your shares tight.


Gabriele Neukam

(E-Mail Removed)


--
Ah, Information. A good, too valuable these days, to give it away, just
so, at no cost.
 
 
 
 
 
totojepast
 
      12th Aug 2003
What about different propagation vectors? For instance, if somebody
would run MSBlast.exe delivered via e-mail, would MSBlast.exe work the
same way?

More info about the worm:
http://www.neowin.net/comments.php?id=13295

http://securityresponse.symantec.com...ster.worm.html

http://www.trendmicro.com/vinfo/viru...WORM_MSBLAST.A

http://www.microsoft.com/technet/sec...n/MS03-026.asp


> I just received warning in a German security newsgroup that a new worm
> makes use of the RPC DCOM vulnerability (whatever this is; my olde WinME
> computer probably doesn't have this.
>
> Link given is http://isc.sans.org/diary.html?date=2003-08-11

 
 
Duane Arnold
 
      12th Aug 2003
Gabriele Neukam <(E-Mail Removed)> wrote in news:bh8t7d$7nt$00
$(E-Mail Removed):

>
> I just received warning in a German security newsgroup that a new worm
> makes use of the RPC DCOM vulnerability (whatever this is; my olde WinME
> computer probably doesn't have this.
>
> Link given is <http://isc.sans.org/diary.html?date=2003-08-11>
>
> Keep your shares tight.
>
>
> Gabriele Neukam
>
> (E-Mail Removed)
>
>


http://www.usrbingeek.com/a/000482.php

You will notice the words in the link *All Windows O/S's*. Win ME is just
a bad version of Win 98. And ME has DCOM on it like the Sun comes up in
the morning.


Duane

--
The protection of the machine is a process and not a given!
 
 
FromTheRafters
 
      12th Aug 2003

"totojepast" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> What about different propagation vectors? For instance, if somebody
> would run MSBlast.exe delivered via e-mail, would MSBlast.exe work the
> same way?


I don't see why not, depending on the platform. If MSBlast
is executed, it is an instance of the worm. The exploit is for
an automated download and execution vector only. It doesn't
mention a "programmed in" e-mail vector, but that doesn't
mean it can't be e-mailed/spammed (SE, trojan.downloader,
other exploits) by direct human action or web based exploit.


 
 
FromTheRafters
 
      12th Aug 2003

"Duane Arnold" <(E-Mail Removed)> wrote in message news:Xns93D4D5473819Bnotmenotmecom@204.127.204.17...
> Gabriele Neukam <(E-Mail Removed)> wrote in news:bh8t7d$7nt$00
> $(E-Mail Removed):
>
> >
> > I just received warning in a German security newsgroup that a new worm
> > makes use of the RPC DCOM vulnerability (whatever this is; my olde WinME
> > computer probably doesn't have this.
> >
> > Link given is <http://isc.sans.org/diary.html?date=2003-08-11>
> >
> > Keep your shares tight.
> >
> >
> > Gabriele Neukam
> >
> > (E-Mail Removed)
> >
> >

>
> http://www.usrbingeek.com/a/000482.php
>
> You will notice the words in the link *All Windows O/S's* Win ME is just
> a bad version of Win 98. And ME has DCOM on it like the Sun comes up in
> the morning.


There are many places on the internet that disagree with that assessment.

http://resnet.albany.edu/news/RPCvuln.html
http://www.jmu.edu/computing/securit.../dcombug.shtml

Even the Microsoft knowledge base states that WinME is not
affected. I don't suppose that means that you can't install this
vulnerability on WinME if you desired (A link you posted in
a previous thread indicated how to do so on Win9x and ME).

Microsoft should know what (default) platforms are affected,
after all ~ they wrote the vulnerability in the first place. ;o)

....but what Microsoft *should* know and what they *do*
know are often very different things.


 
 
David H. Lipman
 
      12th Aug 2003
Wrong again !

WinME is the *best*, and the last, of the Win9x family and is NOT affected by the
vulnerability.

DCOM has been around since Win95. The vulnerability *only* affects NT based OS's
(WinNT4, Win2K, WinXP, WinXP/64, Win2003 and Win2003/64).

http://www.microsoft.com/technet/tre...n/MS03-026.asp

Dave


 
 
FromTheRafters
 
      12th Aug 2003

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message newsVYZa.1791$(E-Mail Removed)...
> Wrong again !
>
> WinME is the *best*, and the last, of the Win9x family and is NOT affected by the
> vulnerability.
>
> DCOM has been around since Win95. The vulnerability *only* affects NT based OS's
> (WinNT4, Win2K, WinXP, WinXP/64, Win2003 and Win2003/64).


So, you can install RPC DCOM on the Win9x machines, but it is
a different animal than that used with the NT kernels?


 
 
Duane Arnold
 
      12th Aug 2003
"FromTheRafters" <!(E-Mail Removed)> wrote in
news:(E-Mail Removed):

>
> "Duane Arnold" <(E-Mail Removed)> wrote in message
> news:Xns93D4D5473819Bnotmenotmecom@204.127.204.17...
>> Gabriele Neukam <(E-Mail Removed)> wrote in
>> news:bh8t7d$7nt$00 $(E-Mail Removed):
>>
>> >
>> > I just received warning in a German security newsgroup that a new
>> > worm makes use of the RPC DCOM vulnerability (whatever this is; my
>> > olde WinME
>> > computer probably doesn't have this.
>> >
>> > Link given is <http://isc.sans.org/diary.html?date=2003-08-11>
>> >
>> > Keep your shares tight.
>> >
>> >
>> > Gabriele Neukam
>> >
>> > (E-Mail Removed)
>> >
>> >

>>
>> http://www.usrbingeek.com/a/000482.php
>>
>> You will notice the words in the link *All Windows O/S's* Win ME is
>> just a bad version of Win 98. And ME has DCOM on it like the Sun
>> comes up in the morning.

>
> There are many places on the internet that disagree with that
> assessment.
>
> http://resnet.albany.edu/news/RPCvuln.html
> http://www.jmu.edu/computing/securit.../dcombug.shtml
>
> Even the Microsoft knowledge base states that WinME is not
> affected. I don't suppose that means that you can't install this
> vulnerability on WinME if you desired (A link you posted in
> a previous thread indicated how to do so on Win9x and ME).
>
> Microsoft should know what (default) platforms are affected,
> after all ~ they wrote the vulnerability in the first place. ;o)
>
> ...but what Microsoft *should* know and what they *do*
> know are often very different things.
>
>
>


I have used DCOM on the Win 9'x, ME and NT O/S's. According to another
post, home users may have it installed, including ME. I don't know why
but I guess it is possible.

And like we talked once before on a Win 9'x and the ME root based O/S's,
if it can be executed on the machine -- like a worm via email it can be
hooked-up.


Later!

Duane

--

The protection of the machine is a process and not a given!
 
 
Duane Arnold
 
      12th Aug 2003
"FromTheRafters" <!(E-Mail Removed)> wrote in
news:(E-Mail Removed):

>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> newsVYZa.1791$(E-Mail Removed)...
>> Wrong again !
>>
>> WinME is the *best*, and the last, of the Win9x family and is NOT
>> affected by the vulnerability.
>>
>> DCOM has been around since Win95. The vulnerability *only* affects
>> NT based OS's (WinNT4, Win2K, WinXP, WinXP/64, Win2003 and
>> Win2003/64).

>
> So, you can install RPC DCOM on the Win9x machines, but it is
> a different animal than that used with the NT kernels?
>
>
>


http://www.microsoft.com/com/tech/dcom.asp

It allows a client machine to make calls to dll's setting on a
centralized server machine (it doesn't have to be an O/S server) -- a
workstation too. The dll's which are a library of program routines can be
business objects, database objects, etc. The client machines make calls
to the dll's through an exe that is on the client machine to do
processing. The point of failure is at one point instead of the dll's
being deployed to all machines (a fat client machine) as opposed to a
(thin client machine exe only). DCOM allows the client machines to
connect to the server machine via TCP/IP to the server machine and share
the dll's.

Win 95 to NT machines can be setup to do this. Win 2k workstation can be
set with DCOM to go find a NT machine that is the server of the dll(s)
too. M$'s move towards centralized processing.

Now the move is towards Win 2K or XP Pro workstations COM+ and a COM+ O/S
Win2k server, Win 2k ADV or 2K3 server. It's the same thing just a
different tune.

Duane

--
The protection of the machine is a process and not a given!
 
 
Bart Bailey
 
      12th Aug 2003
In Message-ID:<3f384dfe.2098917@wildfang> posted on , Damn Straight
wrote:

>In Message-ID:<Xns93D4D5473819Bnotmenotmecom@204.127.204.17> posted on
>Tue, 12 Aug 2003 01:57:56 GMT, Duane Arnold wrote:
>
>>You will notice the words in the link *All Windows O/S's* Win ME is just
>>a bad version of Win 98. And ME has DCOM on it like the Sun comes up in
>>the morning.

>
>Try this link:
>http://www.microsoft.com/technet/sec...n/MS03-026.asp
>
>You will notice the words in the link:
>---begin---
>Not Affected Software:
>Microsoft Windows Millennium Edition
>---end---
>But then I guess the white hating, racist, Colin Ferguson wannabe,
>knows more than those folks at Microsoft.


Is that what the guy that calls him chimpy is implying?
 