Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Re:Our experiences from running the rc5-56 challen
W32.HLLW.BYMER
This virus installed the distributed.net client on networks using open NetBIOS shares. It even had the owner's e-mail address in it. -
At my workplace...
(Symantec), the clothes are not strict. In fact, it feels like a dotcom in a corporation. Management doesn't really care as long as employees and contractors work long hours.
:) -
Write up I sent to the office
I haven't found anything on Symantec's site on this, but I did find McAfee's page Here
And the removal instructions
Google has a newsgroup post on the sucker
And here are some sample infection URLS for those who wish to catch the sucker or download the files for analysis:
Infect Me 1
Infect Me 2
A similar worm is described by Symantec here
It works in IE, but not Phoenix (Mozilla based browser)
You have to download the installer and the MSI file, which takes a while.
I went so far as to download the files, but didn't go past the first EULA to see the really bad one that's supposed to come during the second install, so I didn't see the text in a live install myself, just in the McAfee writeup.
So I downloaded the Microsoft Installer SDK and decided to crack open the MSI install file. According to Servant Salamander, the word "Outlook" was in "Friend Greetings.msi."
Then I decided, "To hell with it, it's in there as clear text anyway" and opened the install file with VIM. Here is the offending text:
1. Consent to E-Mail Your Contacts. As part of the installation process,
Permissioned Media will access your MicroSoft Outlook(r) Contacts list and
send an e-mail to persons on your Contacts list inviting them to download
FriendGreetings or related products. By downloading, installing, accessing
or using the FriendGreetings, you authorize Permissioned Media to access
your MicroSoft(r) Outlook(r) Contacts list and to send a personalized e-mail
message to persons on your Contact list. IF YOU DO NOT WANT US TO ACCESS
YOUR CONTACT LIST AND SEND AN E-MAIL MESSAGE TO PERSONS ON THAT LIST, DO
NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS.
If anyone is interested, I'll e-mail out both EULAs. There's some rude stuff in there. (You agree to receive pop-up and pop-under ads and HTML e-mail for example)
Below is the original e-mail from Cheryl, for the sake of reference and forwarding:
--- Forwarded Message Follows-----
FYI...
It's not so much a virus as it is a potential worm. And it's an interesting one at that because it's a "permissive" worm. It banks on the fact that people install products without reading their EULAs. If you read the EULA they include, it specifically says that by accepting the EULA, you are giving them permission to send email to everyone in your MS Outlook Contact list!!!!! (I included the pics they sent us, but I'm not sure how many of you will actually see them).
Pretty fascinating, actually. And smart. Because people don't read EULAs! (Er, for Dad: EULA is "End User License Agreement" - and I'm guessing you and Steve read them because you are lawyers... ;) )
Ilene
-----Original Message-----
From: Kronos Norton AntiVirus
Sent: Friday, October 25, 2002 10:51 AM
To: All Kronos Employees
Subject: Please read about a potential virus....
Importance: High
Potential virus as a Greeting Card ~ Please be aware of this
potential threat via a web link.
Friendgreetings
Discovered on: October 24, 2002
Last Updated on: October 24, 2002 03:20:23 PM PDT
Symantec Security Response is aware of a widespread E-card which appears to have the characteristics of a worm. Security Response does not classify this as a malicious threat and as such will not detect any files associated with the E-card. The installation of software associated with the E-card requires the user's permission in order to perform its mass-mailing capabilities. By cancelling the installation of the software, no worm-like activities will be performed. The recipient would receive an email with the following characteristics:
Subject: %recipient% you have an E-Card from %sender%.
Message:
Greetings!
%sender% has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You
can pickup your E-Card at the FriendGreetings.com by clicking on the link below.
http://www.friendgreetings.com/pickup/pickup.aspx?<extra content removed>
Message:
%recipient%
I sent you a greeting card. Please pick it up.
%sender%
When the link is followed, the recipient is asked to download some software in order to view the E-card.
The installer package will require the user to accept 2 End User License Agreements in order to complete the installation. The second EULA (see below) explicitly states that by accepting the agreement the end user is authorizing the software to send an email to all contacts in the Microsoft Outlook Contacts List. The email is formatted as displayed above.
If this agreement is not accepted, the installation is not complete and the software will not send a link to the www.friendgreetings.com website via email. -
Slapper???
Anyone think that this may be related to the Linux.Slapper worm that was reported last month?
I suppose this could be a coincidence that slapper was so widely spread and had DDOS code in it, too.
-
Also Incorrect
Speaking of sloppy terminology...
They could quit referring to Outlook viruses like Klez and SirCam and ILOVEYOU...
Klez is not an "Outlook Virus"; it can be executed in any Windows-based e-mail program.
Sircam is not an "Outlook Virus"; it contains its own SMTP engine and harvests its addresses from various files (such as .HTM) on the victim's hard drive.
VBS.LoveLetter does spread using the Outlook address book, though it can also spread via mIRC (though curiously I never hear it referred to as a "mIRC Virus").
I absolutely agree that we should strive for accurate information.
-Coach-
-
Re:more Weird info
As you can see, many worms have "mm" in their name. I believe it stands for "mass mailing".
Most viruses are named for some identifying comment in their source code (Klez), or for one of their characteristics (Loveletter).
-
A couple corrections to the article...
Just a few quick things to throw in:
- Bugbear actually uses one of forty different subject lines. It also sometimes throws in some random data, just for fun.
- Bugbear is a descendant of Badtrans, a nasty but not particularly widespread virus from earlier this year. The keystroke logger seems to have been borrowed bit-for-bit (at least in the copy I isolated and analysed).
-
Bugbear virus
Speaking of security... The "Bugbear" virus has been making the rounds lately. If you're using Outlook and/or IE, you should get patches here. It's a particularly nasty virus which:
- uses the Iframe and MIME type vulnerabilities in IE.
- attempts to disable your anti-virus program, if you have one.
- starts a keylogger.
- steals your passwords, if you're running Windows 9x/ME.
- opens port 36794, allowing someone to mess with your system.
More information and a removal tool:
-
Re:Virus that disables anti-virus software?
-
Virus that disables anti-virus software?
It's pretty impressive that this virus disables anti-virus software, and covers quite a large list of AV/Firewall programs.
tech details
Have any other virii in the past done this, or is this a first?
-
Removal tool
Get it here
-
You're the problem.
This has to be the first case I've heard of where an employer has accused the employee of an already known virus. Hell, I was cleaning this crap out of users' computers for quite a while myself. While I could easily believe this guy is clueless, I can also make an educated guess that this guy is pissed off at you on a personal level. What'd you do? Shit in his Wheaties? All you have to do is hit the Norton Anti-Virus Homepage for Klez. Of course, this isn't going to stop him from persecuting you for the real and/or imagined wrong that led up to this (he'll find other shit to throw at you, in other words), but unless he can prove you're the origin of the epicenter of the world's entire Klez infection, he's another one of those Mofo's trying to skate uphill.
-
It's likely not his fault
"Because this worm does use a randomly chosen address that it finds on an infected computer as the "From:" address, numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else. For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.E@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected."
source -
Oh, I'm a Karma Whore and I'd Like to Say, ...
here ya go
... -
Please Explain.
Instead of having to load and configure software manually, they tell N1 to set up a computer system for them--which, assuming it actually works, takes hours rather than weeks.
Well, well where to begin?
Is this like ghosting an existing configuration? If so I have never seen a ghost image take weeks.
How do you tell it what you want on the system? Set up an initial system and then copy it?
Who makes the configuration decisions that are normally made during a manual install?
What software takes weeks to install?
Why did I let this stupid, impractical, fact-lean marketing ploy make me late for dinner?
-
Symantec
If you have a virus threat problem, I assume that you are connected to an external (out of your control) network. If this network happens to be the internet (most likely), just try Symantec's Security Check. It scans for viruses over the net (with a bit of ActiveX magic... It seems that M$ security misses can be useful sometimes
;-P) -
A bit of research first ...
Would have led to Symantec who ship their Norton Antivirus CDROMs as bootable CDs that can automatically check the filesystem(s) of the hard drive(s) with as little as one or two carriage returns.
Since the scanner can also be run manually, you could install updated definitions on a floppy disk with the tab set.
That's just off the top of my head; I'm sure The Best Friend Of The WWW could render gallons more assistance.
-
Rejected submission
The BBC and News.com reports. News.com in depth multi page thang.
This looks like it was compiled after extensive consultations with commercial inter^w^w leading experts. The recommendations appear to boil down to "1. Use Symantec[tm] and Network Associates[tm] Products; 2. Encourage commercial software more secure, then sell it to *everyone*; 3. Train more experts". Am I too cynical, or are they missing "4. Profit!" ? (Symantec and NAI are apparently doing product releases to cash in?!) Where does Free software figure in these expert recommendations? Oh, and privacy concerns have been quietly shelved. Although... perhaps the news that BGP (the Internet's backbone routing protocol) has vulnerabilities is news outside NANOG-l? -
Re:CD file sharing and piracy
Note the key difference: you were recording from ${publicly available source} for your own personal use - Legal; You distribute copies of the recording - Illegal.
This holds true for cassette tapes as much as for digital piracy (mp3s). In fact this battle was first had when Sony,etc, introduced the tapes: their function (and the reason they were not immediately withdrawn from public sale) was to allow you to record programmes for your own private usage, or to allow you to record yourself (your own intellectual property which you are free to distribute).
Software is just like Music: someone took the time to create it so you could be happy with it. Just because there are some bands who make music freely available, doesn't mean that you can expect all music to be free. Just because there are some developers who make software freely available, doesn't mean that you can expect all software to be free.
What about Symantec Ghost(TM) Corporate Edition 7.5
From the Symantec Ghost central management console, IT managers can remotely clone any Windows NT or Windows 2000 workstation. The console can also be used to quickly deploy whole application packages or specific PC changes such as registry changes or desktop settings as well as to migrate user "personalities" including PC settings and data.
A product designed and marketed as a software copying tool
Seems like they also sell software...
Many libraries loan software. Just like videos and audio, some libraries charge for the service, while others are government funded.
-
No New Lesson
There are no new lessons here. This is not the first worm for Linux. It is not the first DDoS architecture for Linux. Nor does CNET's estimation of 3,500 infected machines match its Code Red estimations that have floated from "...more than 15,000..." to "...more than 350,000...".
It would seem anybody who finds something insightful in this story is either a Linux or Windows zealot, brand new to the argument, or a very poor student of recent history. Granted - "recent" is somewhat subjective. So let's take a brief look at past DDoS applications and Linux worms.
Distributed Denial of Service (DDoS) architectures began hitting the Industry consciousness late 1999. At that time it was trin00 and TFN. Shortly afterward, new versions showed up in the wild including TFN2K and Stacheldraht. All can be run on Linux. Although they are not, themselves, worms.
Linux worms are not new... nor are they ancient history. There are some excellent examples from a little over a year ago. One of the first worms from 2001 was the Ramen Worm and was reported by CNET January 17, 2001. Of course, CNET's article didn't have impressive numbers to report but it did liken it to the infamous 1998 Morris Worm. The Ramen Worm was followed by a less-famous variation called Adore and it also garnered CNET coverage April 4, 2001. But it wasn't too interesting a worm. It had been overshadowed by a worm reported the previous month dubbed Lion. The Lion worm also got its own CNET coverage.
In each case, the worm in question used well-known security flaws with existing patches.
If one wants to point out that any OS is vulnerable if it is not properly maintained, then this latest worm is simply one of a series of worms that have proved this point. And worms have made object lessons of Linux, Windows, and other popular OS variants such as Solaris (sadmind/IIS being my favorite as it propagates on Solaris machines and then attacks and defaces IIS web sites). -
Re:is Apache without SSL vulnerable
Have a look at this page...
security/Content/2002.09.13.html
If you are running Apache, then the worm will identify you as a potential target. Because you are not running OpenSSL it cannot execute the vulnerability on your machine. So you are safe from the worm infecting your machine. Just be prepared for more scanning as a few infected machines identify you as a potential target.
-
Re:Umm...
-
Re:Nice boiler-plate advisory
Mod parent down. Just because Mr Baker is too lazy or ignorant to find this: http://enterprisesecurity.symantec.com/products/products.cfm?productID=65
hardly seems to mean his post is in the least insightful. -
Linux is No Match For Microsoft !
Finally
Linux can compete with Microsoft.
Sorry, but Linux is extremely poor competition in this area. If you read the Symantec alert you will notice that:
"At this time over 350 computers have been observed performing this activity." "350" computers? That's not a competition, that's a joke!
And note that Symantec has a history of being anti-Linux in their Advisories.
-
Re:Nice boiler-plate advisory
You mean you couldn't find this program:
Symantec AntiVirus Command Line Scanner 1.0? -
RedHat 7.3 fix already in openssl-0.9.6b-24?
According to the Symantec report cited in the story, the bug in openssl is this, which is reported as RHSA-2002-155, for which the fix is openssl-0.9.6b-24.i386.rpm for RedHat 7.3 i386 (plus some other RPMs for other versions, or other RPMS for other versions of RedHat). Maybe the 'g' build from openssh.org is necessary, but RedHat seems to think they've already fixed it in their "b-24" release.
-
WinFax Options
If you already own Microsoft's Outlook then you have a copy of WinFax Lite on your computer. You can receive faxes directly into Outlook using this product. If you don't already own that product, or you prefer something a little bit more robust then you can snag a copy of WinFax PRO 10.0 from Symantec for a MSRP of $99.95. Also, if you don't have a modem then a cheap Lucent-based controller-less "Winmodem" will set you back about $10 - $15. Drivers are available for Linux, too. I'm not sure what program you might use in Linux. I haven't really tried to mess with faxing in that operating system. All prices are in United States dollars.
-
Re:Computer viruses go airborne
There is a virus like the one you mention. I had an incident with the FunLove virus last year. Good fun.
-
This is more than you want to know.
It's been a while since I've touched an AS/400 (and my last gig involving them was 99% programming under its System/36 emulator with COBOL), so please take what I say with a grain of salt.
If you uploaded a file to the AS/400 via FTP, I believe that it creates a physical file (PF). A physical file contains records and fields, but I can't remember if the physical file it created had one gigantic record with all the data in it or if it came up with some size for each record like 65000 bytes (anybody know?). If I intended to upload something I was going to use as a database (which I always did, because the 400 made for an expensive fileserver) I'd make sure the data was in a fixed width format before uploading, create the physical file on the AS/400 first (record layout), then upload the file 'over' the physical file. Downloading a physical file gets you the database back in fixed-width format as well, IIRC.
Also interesting is the way the AS/400 (library) filesystem organizes things (disregarding the Integrated File System because I don't want to make this post longer). 'Libraries' function pretty much as directories, except that you can't nest them and there is no root 'library'. So if I was to refer to file 'FIL' I could call it 'FIL' (in which case it would be pulled from my current library) or 'BLASTER/FIL' (library 'BLASTER', file 'FIL').
Physical files on an AS/400 also have things called 'members'. These are somewhat analogous to streams under NTFS (which nobody uses). Any physical file with data in it has at least one member. Members are used to allow you to store multiple sets of records in the same file -- query the first member in the file and you're working with one set of data; query the second member and you're working with another set entirely. I confess that I am not elite enough to come up with an example where I actually defined a physical file with more than one member in it outside of experimentation.
However, I can come up with a real-world example of where they are in common use. Source code on an AS/400 is stored in a special physical file called a 'Source Physical File' (type SRCPF). Let's say that I just wrote a program (TESTPGM) in RPG/400. This program is stored in a source physical file in my library (BLASTER/BLASTER) as a member (TESTPGM). Each record in the member is a line of source code, date the line was created/changed, and a sequence number. Fortunately, if I want to grab a program from this mess using FTP I can do a 'get BLASTER/BLASTER.TESTPGM', and uploading worked similarly.
My guess is that Microsoft would implement this with a little less rigidity. IBM's interpretation probably allows them to optimize things quite well, but does make some standard file operations tricky.
-
Caution IE Virus on Celebphoto
According to Norton 2002
The celebphoto site actually has a javascript virus called
the "JS. Exception" which tries to exploit an unpatched Internet Explorer vulnerability, before clicking, if you are using an old IE (or you are using an unpatched IE) things will get messy for you, and if you have permission get updated NOW -
Other acquisitions
They also acquired Recourse Technologies and Riptech. Symantec corporate
-
Symantec Firewall/VPN Appliance
-
Re:Impact is probably relatively minimal
Actually, it also tries to copy itself to any active network shares and opens your "Guest" account on Windows (should it have one) to administration level access, with no password, as well as random emails to people you know (or may not even know)
For more information
-
They copied Microsoft
I can't believe GameSpy is doing this. It's sooo passé. Microsoft already did this. Next time GameSpy wants to get infected, it should be original and choose a different virus, maybe W32.Klez.E or even a McAfee homebrew bug, instead of just copying MS because it's an industry leader. Me, I prefer my KaZaA virus, because it has its own EULA.
-
Re:GHOST?
Ghost 6+ have utilities to create ghost disks for you. Really easy to use, and you can use it to create Network Share Access, Multicast, CD-ROM, CD-RW (Write, and Read)... "Ghost Boot Wizard" Check it out.
:) -
Re:Is AV software really necessary?
Common sense is invaluable for many things, but protecting from virii isn't one of them.
Only downloading from trustworthy sites is a sensible idea, however I discovered the Tristate office virus in an excel-based price list from a little-known untrustworthy company by the name of Dell.
I do try and use my common sense in my browsing and email activities, and I do back up my data (perhaps not quite as often as I should) but I do still rest easy thanks to my AV software, which stops around a dozen virii a week right now. -
Re:with Outlook you don't have to open it
Do you really think that the moms and pops out there update their software??? The only time their software gets updates is when I do it. I'd bet there are millions of people out there with 2 year old Outlooks.
Regarding W32.Klez.E@mm. You don't have to open the attachment, you just have to open the message. So it says here (third paragraph). -
Re:with Outlook you don't have to open it
If "Show Preview Pane" is checked (don't know if it's the default), an Outlook virus can run.
Yes it is the default. And there has been a patch for this available FOR TWO YEARS!!!
I'm hardly a M$ apologist but it just drives me up the friggin' wall every time someone brings this up. TWO YEARS here people. In fact, when installing MS Office, VB Scripting support is an optional component, though it is selected on by default.
With W32.Klez.E@mm, the message itself, and not the attachment, causes the infection
Sorry, but that's just as silly as claiming that JPEGs are able to execute code. And just as incorrect. From SARC
Distribution:
* Subject of email: Random subject
* Name of attachment: Randomly named file with .bat, .exe, .pif or .scr extension
No, it would appear that the klez variants are simply exploiting the same unplugged holes that all the others do. Nothing remarkable to see here, folks.
The truth of the matter, is that while Microsoft has (admittedly) made some shockingly unsecure products, the greatest danger to security on their systems is just this: The lack of common sense and technical savvy of their userbase. You can plug all the holes you want, but if no one even knows that they're even supposed to patch their systems from time to time, then all that work is done for nothing.
Case in point, I was visiting my mother the other day who was having some problem with her Win98 machine (I forget what). Anyway, while I was there, I ran Windows Update and a few other things. There were a total of 18MB of patches she had not applied. Some of these dated back more than a year! She obviously had no clue that it was even necessary to patch it from time to time.
This is their biggest hurdle, and isn't one easily overcome as frankly, M$ rather relies on non-technically savvy people buying their software. I know I have a choice, but most folks just buy from OEMs and take what it comes with. They're tossed into the fold with a brand new (unsecure) Windows machine and it's never updated once after purchase ... -
Symantec is no better, of course
I remember a couple of years ago, there was a guy named Aaron Ardiri who created a Game Boy emulator called Liberty for the Palm OS. Since the program was shareware, some unscrupulous people were looking for the crack. Ardiri released a program called "LibertyCrack" into the wild. This program caused all the data on one's device to be erased, and caused Ardiri to get into a lot of hot water.
This program, despite the fact that it did not replicate itself, was quickly branded a "virus." Symantec even released Symantec Anti-Virus for Palm 2001. Essentially, unsuspecting IT managers were duped into buying a program that would... check if LibertyCrack is installed and delete it if so.
Anti-Virus marketers will never stop at a chance to make big bucks. Remember the Michelangelo virus scare? People who didn't even have modems were paranoid that they could be infected. -
Smile.D?
-
Don't ignore the great marketing potential here!
Keep in mind that companies like Symantec would LOVE to exploit this and include the following bullet-point on their next Win32 utility: "STOPS GOPHER PROTOCOL HACKERS!"
Their solution: Turn off browsers gopher protocol. .10 solution, $100 SOUNDBYTE! -
Re:Real brilliant.
>If his thin client catches on fire, it takes like 5 minutes to restore it.
If a workstation sets on fire, you replace it with a backup workstation, pop in a ghost boot disk, and wait for the image to download (could be anything from 5 minutes to 10 hours depending on how crappy your network is :).
>If you need help on an application, just take your smartcard to your co-workers desk and ask him to look at it
In a company with standard software in the ghost images (which is how any company with more than a handful of computers should be managing the software on their workstations) all the computers have the same basic software. No need for smartcards.
>And from an admin point, I just finished patching 20 boxes for known security holes. Wouldn't it be great to just patch one server?
Seriously, take a look into Symantec Ghost and Zenworks. They'll save you so much time you'll hardly believe it!
One image can serve for hundreds of computers. When you patch a computer all you'll need to do is update the image once (so that new ghost installs already have the fix) and push the upgrade onto clients with Zenworks.
That's going to take you about the same amount of time as patching the server and testing it with a few clients.
If you're worried about people saving their work onto their hard drives, tell them the hard drives are cleaned automatically every login (a little popup box that says it's doing this will work wonders for reinforcement) and that anything you want to keep for more than that session must be saved to the network drive.
Software like DeepFreeze can not only stop 90% of workers screwing up their systems by installing crappy software, but it will also enforce your "don't save to the hard drive" policy. The other 10% who are smart enough to work around DeepFreeze are smart enough to listen to your "don't save to the hard drive" policy because they've seen you ghost machines, and they've seen hard drives crash.
BTW: Bob takes more care of his computer when he knows that if it breaks he doesn't have a computer until it's repaired!
If your company requires Unix, a little work with NIS and NFS could do wonders (and ghost will still work, although there's always dd if you're desperate)... -
Re:why i love my mac
No crossingover to this platform
Hmmm... you must have some sort of "Super Mac" or something because most other Macintoshes seem to be vulnerable. Hmmm... I guess you won't be needing this.
-
Digispid/SQLsnake
Symantec has produced a more informative bulletin; however, they have entitled the worm "Digispid" as opposed to SQLsnake.
-
Re:Did someone think of it, or did it just happen.
Klez can also drop a nice little bugger known as W32.ElKern.3326. This one took down the machine running our security system last weekend. 20 months gaol is too good for those bastards! Any period of prison is too good
... I say death by being repeatedly poked with retractable pencils! -
Re:Yes CmdrTaco
okay, according to Symantec, this is the vulnerability that the worm exploits. It's dated March 2001.
Furthermore, the other technote/patch you reference is dated May 2001. Either way, the patch has been out for a while. I agree with you, I think they've done about everything they can to get people to patch. Hell, they have enough trouble to get supposed system administrators to patch their damn web servers (Code Red, Nimda anyone? Both exploited holes that already had patches available).
In XP, they have a setting you can turn on to basically download the patches automatically (I'm speaking second-hand here because I haven't used XP, so I may have this wrong), but my father-in-law said he turned it off because it "screwed up his computer"! Oh well.