Slashdot Mirror


Windows Virus Takes Out Gov't Agencies in MD, PA

Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.

183 of 984 comments

  1. Newsflash! by ackthpt · · Score: 5, Funny
    Government officials for the first time discover computers infected with Windows.

    C'mon, this is getting so old ... but I guess that's the real pity, isn't it? Gives cities like Munich the last laugh.

    --

    A feeling of having made the same mistake before: Deja Foobar
  2. People should start taking note by Anonymous Coward · · Score: 4, Insightful

    The person who created this worm did so to show that Microsoft's software was insecure. Their methods are bad, but they've shown that no matter how good WinXP sounds compared with Win9.x, it is still made by Microsoft. If you don't want this kind of rubbish, don't use Microsoft.

    1. Re:People should start taking note by Anonymous Coward · · Score: 3, Insightful

      blah blah, if anything they are showing how many people use MS products.

      There could be this kind of problem w/Linux but no one would ever know because a) Linux/Unix users are more clueful than Windows users and b) there are FAR fewer Linux/Unix machines out there.

      Blah blah, don't use MS, blah blah. That's just not an option for 90% of the world.

    2. Re:People should start taking note by wwest4 · · Score: 4, Insightful

      you're assuming too much about their intentions. based on the maturity level apparent in the strings in the executable, i'd say that anti-ms bashing and ostensibly noble intentions are just a convenient excuse for script-kiddie vandalism.

      if it weren't, they'd post an exploit in a public forum and/or notify ms, not write a worm and release it into the wild.

      i'm personally annoyed at all of the extra work this fscking thing cost me today - never mind that both my ISPs seem to be slower than shit and my iptables log grew 10 megs this week.

      to the author - grow up and put a grey or white hat on if you want to play with the rest of us.

    3. Re:People should start taking note by ahodgson · · Score: 4, Insightful

      Of course it's an option. Hell, it's free.

    4. Re:People should start taking note by bninja_penguin · · Score: 2, Funny

      > Blah blah, don't use MS, blah blah. That's just not an option for 90% of the world.

      WTF??? Is 90% of the world running Autocad? As far as I know, that's about the only thing that's really stuck to running on Windows (of software available to the general public.) Even MS Office can run fine on an alternative platform (Macintosh.)
      Also, 90% means nine out of ten. So, what you are saying, when you say "That's just not an option for 90% of the world", is that nine out of ten aboriginals or rain forest indians have no option but to use MS? Good God, man, I'm not even sure that nine out of ten people in the world have electricity or running water. So, before you start spouting off about "options for 90% of the world", how about you tone that down to what you really mean, and say,
      "Blah blah, don't use MS, blah blah. That's just not an option for 90% of the anonymous cowards who post to /."!!!

      --
      For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
    5. Re:People should start taking note by Kenja · · Score: 3, Insightful
      You have it wrong.

      Most people = Windows Users.
      Kenja = Geek with Windows, SGI, Solaris and Linux boxes.

      However, Kenja can see the limitations of Linux and not worry about them. Most /. users seem unable to come to terms with the fact that Linux is a poor choice for most people. Countless times I've been attacked for not using Linux for a task Linux cannot perform.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    6. Re:People should start taking note by IM6100 · · Score: 2, Insightful
      It was all listed up there earlier in the thread:


      I've yet to find a good Architectural and/or Land Development CADD program for Mac or Linux. Nor Noise simulation modules, Motorola propagation simulators, Hydrology simulations, or many more of the specialized software we use for building design, airport/runway design, emergency system management, wireless design, air quality analysis, or any of the other stuff we do at my company.


      There isn't a heck of a lot of good engineering design software for Linux. There never will be in the form of Open Source. It's software that costs $2-30,000 per seat. You know, software for grownups, not dilettantes who browse the web and 'admin' common commodity tasks like web servers. We can't all just sell stuff and/or present it for sale. Somebody has to design it.

      --
      A Good Intro to NetBS
    7. Re:People should start taking note by minus9 · · Score: 3, Funny

      Yes obviously Linux will be solely used by hobbyists until there are more Motorola propagation simulators, it makes much more sense now.

    8. Re:People should start taking note by dash2 · · Score: 4, Insightful

      90% of the world don't run autocad, but 90% of computer users probably do run at least one specialist program for which there is not an open source replacement with equivalent functionality. Open source has great programming languages, great databases, a great webserver; fine web browsers, email programs, text editors and other general purpose stuff; two excellent desktop environments; fine IDEs; but music programs, artistic applications and so forth are not yet at the level of their closed source replacements. Nor can you get a CD at the newsagent, plug it into Linux and be sure it will run.

      The solution? We should all donate to WINE. When Windows programs run without problems on Linux, we'll have full interoperability and be ready to take the world over.

    9. Re:People should start taking note by Stiletto · · Score: 3, Insightful


      Don't apologise for stupid users either.

      The current Windows virus problem boils down to three parties, equally at fault: The virus writer for writing the virus, the users for running the virus, and Microsoft for allowing viruses to be possible in the first place.

      Don't try to paint users as helpless victims, as many of them are complete idiots and doing their best to make the problem worse.

    10. Re:People should start taking note by Amorpheus_MMS · · Score: 2, Insightful

      If you don't want this kind of rubbish, keep the system updated. That goes for any operating system, and MS even makes it easy.

      This will be a lesson to quite a few people.

  3. Want to see the code? by westyvw · · Score: 5, Informative

    DSL reports has a security forum that has been taking this sucker apart and giving us the code:

    have a look:

    http://www.dslreports.com/forum/remark,7649146~root=security,1~mode=flat

    1. Re:Want to see the code? by westyvw · · Score: 2, Informative

      My bad :
      Here is the forum that matters:

      http://www.dslreports.com/forum/remark,7652257~root=security,1~m

    2. Re:Want to see the code? by nacturation · · Score: 4, Informative
      At least learn to use HTML for easy clickability. Create your link like this:
      <a href="http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat">link to the article</a>
      Which will come out like this:

      link to the article
      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  4. Best news all day by raider_red · · Score: 5, Funny

    Bringing down the DMV may be the best use anyone's ever found for a virus.

    --
    It's good to use your head, but not as a battering ram.
    1. Re: Best news all day by Black+Parrot · · Score: 5, Funny


      > Bringing down the DMV may be the best use anyone's ever found for a virus.

      Yeah, everyone's always complaining that the lines aren't slow enough already.

      --
      Sheesh, evil *and* a jerk. -- Jade
  5. We Got Hit by Snoopy77 · · Score: 5, Funny

    We discovered we got hit when our Sonicwall connections hit the limit every 10 minutes. It took us two tries to clean it all up.

    And who was it who brought it into the office? The CEO. He thought he had a virus but connected to the network anyway. Mod that funny if you will but try being part of our network support team.

    --
    "She's a West Texas girl, just like me" - G.W Bush Iraqis
    1. Re:We Got Hit by Kenja · · Score: 4, Funny

      I keep 13 inches of sharp folded steel in a glass case above my desk with a sign that reads "break in the event of user error". I never have those kind of problems.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:We Got Hit by PetoskeyGuy · · Score: 4, Interesting

      Preaching to the choir.

      I remember the Klez virus kept infecting our system. I put antivirus on all the machines and wiped and cleaned them several times. Still my boss had his computer go down several times and started to suggest I was incompetent.

      Turns out he got a fake email on his AOL account with the virus attached from a potential client who he has been trying to sell to for a long time. He loaded the virus from his laptop and ignored and disabled the antivirus warnings desperately trying to see what this guy was sending him. For those that don't know, Klez emails itself to any email addresses it can find.

      Problem finally solved. I was not to mention this matter to anyone else. Yeah Right. :)

    3. Re:We Got Hit by larien · · Score: 4, Insightful
      > ignored and disabled the antivirus warnings

      Ah, there's your problem; you let users disable AV software. AV software should be mandatory and it should immediately and automatically clean and/or quarantine all suspicious files without allowing anything less than an administrator to override it. Make it part of company IT policy and wave it in front of anyone who complains.

      Like it or not, Windows systems need a solid antivirus policy in place; even if you filter at the firewall/mail gateway/web proxy, viruses will still find a way into your network.

  6. Windows rules..... by scottp · · Score: 2, Funny

    Good ole, trustworthy, reliable, secure, best OS, Winblows.....how can it still remain on 90%+ of PC's? That should be on unsolved mysteries.....

  7. Thanks, Microsoft! by imag0 · · Score: 5, Insightful

    Looks like viruses like this may help speed adoption on alternate operating systems (like linux, OSX, et al.) on the desktop quicker than a dozen ESR's with geek infantry in tow.

    Spoke with both sides of the family this evening, going on about how messed up their computers were acting and all they had to go through to get it patched up. I listened and informed them how well my iBook and the relative merits of UN*X and they listened...

    Thanks again, Bill!

    1. Re:Thanks, Microsoft! by Juanvaldes · · Score: 4, Informative

      and how many switched after Code Red? ILoveYou? the countless others? Those who got infected either had someone take care of it or just reinstalled the system. This is what they are trained to do and expect it with computers.

    2. Re:Thanks, Microsoft! by bfree · · Score: 4, Insightful
      The point is not what OS would be the target if Linux held 90% of the desktops, it is what would be the target if the OS market looked like:
      1. Windows 9x: 10%
      2. Windows XP: 20%
      3. Mac OS 9: 5%
      4. Mac OS X: 10%
      5. Red Hat: 15%
      6. SuSE: 15%
      7. Debian: 5%
      8. Mandrake: 10%
      9. *BSD: 5%
      10. Others: 5%
      What would people target? Probably IOS until it suffered the same fate and saw its dominance split. Then anyone wanting to wreak havoc would have to accept the fact that they can't or do some amazing things to find cross platform targets (i.e. common flaws in java runtimes or multi-platform binaries). You wouldn't even really be able to target the Linux 45% I have above very well as each system would have its own software versions and policies which would make finding common exploits very difficult. Diversity is key here!
      --

      Never underestimate the dark side of the Source

    3. Re:Thanks, Microsoft! by peripatetic_bum · · Score: 2, Insightful

      Actually, For everyone who thinks this is good thing for linux, think again.

      What if Microsoft says "See what happens when we don't control everyone's access to computers. THIS IS WHY WE NEEDS TRUSTED COMPUTING!"

      And *poof* there goes Open Source.

      I would like to hear what you all think.
      Thanks for reading.

      --

      Sigs are dangerous coy things

    4. Re:Thanks, Microsoft! by ddavis539 · · Score: 2, Informative

      This is exactly what sparked my interest in linux 4 years ago. A nasty virus went through the company I worked for, corrupting all windows systems and making my java development environment unusable. Most of our development team had to spend a few days re-installing windows, the development programs, database, etc... There was one team member who used Linux and he was completely unaffected. Instead of re-installing windows 2000 on my laptop, I put Linux on it instead. I was pleasantly surprised at how easy it was to rebuild a Java development environment and Oracle test database within Linux. Over the past couple years, I've gradually phased in Linux at home as well. My kids prefer Linux to Windows now, using it exclusively except when they want to play a game that we can't get to work with Wine or Winex. (Zoo Tycoon or Age of Mythology, both MS games) I have no regrets at all about making this switch, which was basically prompted by a virus.

    5. Re:Thanks, Microsoft! by IM6100 · · Score: 2, Interesting

      That day will never come. Enough of us are of an age to remember the days when there were fifteen different PC platforms out there and the huge splintered market for commercial software that resulted.

      It's trouble enough for retailers to sell both Mac and PC games. Do you really think shrinkwrapped boxes are going to contain the seven CDs necessary to have the app run on 15 separate OSes?

      Yeah, everything will be distributed as source code. Uh-huh. People will like that.

      --
      A Good Intro to NetBS
    6. Re:Thanks, Microsoft! by impluvian · · Score: 2, Interesting

      It's a good point. There are sufficient users of Windows who don't seem to make the connection between Windows vulnerabilities and Microsoft: that is, they feel threatened/upset/whatever by the virus, but then the next computer they buy is still running Windows!
      This is why Microsoft's trusted computing has the potential to do exactly what you suggest. If a no-brainer user reads Microsoft PR nonsense about how safe their computer will be with Palladium, they'll buy it, without considering the fact that Microsoft are also the people who've been leaving holes in their systems for years.

  8. A good argument for... by green+pizza · · Score: 4, Insightful

    ... Windows Update once every couple weeks.

    I know there'll be dozens of "they shouldda been using un*x" posts, but in defense of Windows, there has been a patch for this on Windows Update since July 16. Even I had enough time to test the patch on a non-production system between then and now. Every platform gets its 'sploits throughout its lifetime, it's just a matter of learning about them and applying the proper patches in a reasonable amount of time... especially on mission-critical machines. (DMV computers, etc...)

    1. Re:A good argument for... by MeanMF · · Score: 4, Interesting

      > I know there'll be dozens of "they shouldda been using un*x" posts, but in defense of Windows, there has been a patch for this on Windows Update since July 16. Even I had enough time to test the patch on a non-production system between then and now. Every platform gets its 'sploits throughout its lifetime, it's just a matter of learning about them and applying the proper patches in a reasonable amount of time... especially on mission-critical machines. (DMV computers, etc...)

      Yeah, but it's not like the Department of Homeland Security put out a notice telling people they should install the patch. Oh wait, yes they did. Maybe that's why a group of us worked late on Friday 8/1 making sure the patch was installed on all of our servers and workstations.

    2. Re:A good argument for... by thomas.galvin · · Score: 4, Insightful

      Which has only been labeled 'critical' very recently, and, as far as I can tell, isn't on the suggested list of patches when Windows Update runs. I spent a good part of last night putting together a web page for my friends telling them what was wrong and how to fix it.

      The fact is, quite simply, that they should have been running a *nix. It amazes me how much MS can get away with; debit cards weren't working at the local Price Chopper today because of this, some guy posted that at least one ATM in the UK was down, which suggests that a lot more followed suit, the DMV, the IRS, etc, etc. Yes, the people responsible for this virus are to blame, and yes, the people that left their boxes exposed and flapping in the breeze are to blame, but the Windows culture also has a big part to play in it. Need a computer? Toss up a windows box, and you're all set.

      I think a big part of it is just that people expect Unix administration to be tough, and hire someone competent, whereas the Windows boxes get Joe MSCE.

    3. Re:A good argument for... by bricriu · · Score: 3, Informative

      According to the DSLReports thread posted/linked above, people who were up to date with their Windows Update or had Windows Auto-Update on still got hit. :-/

      --

      AHHHHHHH! I'm burning with goodness again!
      - Reakk, Sluggy Freelance

    4. Re:A good argument for... by teslatug · · Score: 2, Informative

      Funny you should mention that, I saw the story on /. and I figured this time it was worth the update (someone mentioned that something like winnuke would appear and that did it). I do a ghost of my partition and I install all the critical updates. Soon after my computer starts to lock up, so I restore the image and the computer is back to normal. After doing the same tango a couple of times, I decide that the RPC patch is most imp't so I only get that one. Lucky my computer didn't lock up or I would have reverted to the unpatched state. You can't really get all the patches MS dishes out.

    5. Re: A good argument for... by retto · · Score: 5, Funny

      I wonder if this will eventually become a regular segment, like the weather

      I can see it now... a fat bald guy standing in front a colorful map of the US pointing at little cardboard cut outs of 'hax0r' and '0wn3d' talking about an 'outbreak of DDOS across the midwest' and a 'hacker front coming up the eastern seaboard.'

      There could also be a five-day patch forecast, and to wrap it all up he could say happy birthday to really old sysadmins and shoutouts to servers with really long uptime.

    6. Re:A good argument for... by _randy_64 · · Score: 2, Interesting

      I did the Windows Update thing as soon as I installed XP Pro. Then the Windows File Search stopped working, Yahoo Messenger stopped working, and Windows Media Player wouldn't start at all. The fix was to re-install XP. Maybe that's why some people haven't/don't/won't use(d) Windows Update. The File Search issue is a known problem, according to Windows Annoyances, but I've never seen a mention of exactly which patch _breaks_ which other piece of the system!

      --
      I mod down all the "free iPod"-sig losers.
  9. Worm by aligma · · Score: 5, Insightful

    Are you, by any chance talking about MS Blaster Worm?
    It's good for us to keep using the correct terminology ... Maybe then the media will get the idea too!

    Ok, time to get modded down. :/

  10. Re:Yes by rmohr02 · · Score: 5, Insightful

    How do you know this person was trying to get people to switch to Linux (or anything non-MS)? S/he could just be an ordinary asshole, without a point to prove.

  11. Patch! by focitrixilous+P · · Score: 5, Insightful

    I can forgive stupid home users, but shouldn't mission critical things like these patch every now and then? The hype surrounding this has been huge, and if you run unpatched microsoft stuff, well, good luck fixing it now. It will take a long time, but at least this worm can be fixed with little damage. Maybe this worm will get people to pay attention to security, but then again people said that about the last dozen MS worms.

    STUPID!!

    --
    SAILING MISHAP
  12. Their fault. by man_ls · · Score: 2, Informative

    Their fault-the patch was released over a month ago, before there were any known exploits for it.

  13. It's always so much fuzz by The+Old+Burke · · Score: 2, Interesting

    when a new Microsoft worm or exploit is out. But after the initial update stuff it all settles. The latest RPC vulnerability the Blaster is already slowing down according to a Cnet.
    And I guess that everyone that have some firewalls and uses common sense always survive these attacks. At my company's network we use Win 98 instead, so we were able to escape this worm. Actually it looks like all the new exploits are on these new Win2000 and XP versions, so to me Win 98 or Win Me looks like a much better choice in the security area.

    --
    Proud patriot and republican voter.
  14. Re:I don't pity them by Psx29 · · Score: 2, Interesting
    The patches have been available for a LOOOOONG time now. They should have patched. They can't whine now. End of story.

    You know what really blows though? People who just bought a new computer and don't even have time to update the pc w/ the patch since it spreads so fast. Of course you could burn the patch on cd and update it manually but i doubt the average user would know how to download it like that anyway. (Most people are idiots though. My computers were all patched btw)

  15. Why do we put up with this? by wavecoder · · Score: 2, Insightful

    Why does the American public - much less the American government - let itself be duped into using insecure, closed-source, and only half-functional software? It's not the money - the government has to stinking pay Bill Gates and crew for the privilege of using his junk. It's not the jobs - there would be other jobs out there (with RedHat, or Apple, or any of a dozen other OS makers) without MS. In fact, there would probably be more IT jobs than there are...

    So why do we put up with it? Please, I'd love to hear ideas. I don't know of much of anything that the average bureaucrat, or military office, or CIA spook, or DOT drivers-license-tester can do on Windows/Office systems, that couldn't be done under Linux or FreeBSD. I really would love to know why, when Germany, India, and who knows how many other countries have ditched closed-source software for OSS, we can't do the same...

    Any thoughts?

  16. Philadelphia computer system. by apc · · Score: 2, Informative

    Interesting. I had noticed when I stopped by Municipal Court to schedule a trial date that the computers were down. I was told by an employee that it was due to the power outage, a comment that didn't make sense considering that I knew for a fact that the server farm was a floor above us...

    As pissed as I am at the asshole who wrote the worm (it took nearly half an hour to schedule something that normally takes 2 minutes-- thank "Bob" that I was in Municipal Court, which is only starting to modernize from an old IBM mainframe setup, rather than in Common Pleas or Federal District Court, which are totally computerized-- and in the case of Common Pleas at least, running on Windows), this is, of course, another example of why governments, in the name of security, should go to more open-source solutions.

    1. Re:Philadelphia computer system. by Windcatcher · · Score: 2, Informative

      There was also a power outage in Center City. I just saw the report on Channel 6. Apparently a water pipe blew in the PECO substation and much of the area was without power until sometime tonight.

  17. When are people going to wake up? by BWJones · · Score: 4, Informative

    My wife's entire 1500 plus employee company was instructed today to not turn on their computers until IT came around to look at them. I guess a few computers were infected with this worm and they wanted to ensure things were taken care of. So, here's the deal: I figure that today alone, due to lost productivity, salaries, benefits etc.... this company lost $250k from this worm. So, I ask: When are companies going to wake up and realize that the fundamental foundations that Windows are built on are flawed when it comes to security? There have got to be studies out there examining total cost of ownership of the various platforms. For instance, I spent a couple days of my time updating our remaining Wintel systems to guard against this virus and am soooo happy 95% of my work is done on OS X.

    --
    Visit Jonesblog and say hello.
    1. Re:When are people going to wake up? by Peyna · · Score: 3, Insightful

      Of course, if 95% of people used OS X instead of Windows, more virii and what not would be written for OS X and more vulnerabilities would be discovered, etc.

      If only 1 person drove a Pinto, we might have never found out the problems with it. Since so many people drove them, the serious problems quickly became evident. It's the same kinda thing with operating systems. The more they're used, the easier it is to find vulnerabilities.

      --
      What?
    2. Re: When are people going to wake up? by Black+Parrot · · Score: 4, Interesting


      > My wife's entire 1500 plus employee company was instructed today to not turn on their computers until IT came around to look at them.

      Where I work they just kicked everyone with an exposed system off the network as soon as the DoHS warning came out 2-3 weeks ago, and let them back on the network when they could demonstrate that their system was fixed.

      Call it "opt-in security", if you will.

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:When are people going to wake up? by b1t+r0t · · Score: 2, Informative
      Exploding Pintos don't suddenly cause other Pintos in the vicinity (or even halfway across the planet) to explode.

      The fact is that not only is OS X relatively insignificant on the market, but so is the CPU architecture that it runs on. AFAIK, there still hasn't been a virus or worm written for OS X.

      And Apple has been good about making security patches available through Software Update. Good patches, that don't happen to unpatch previous security patches, like Microsoft's non-Service Pack patches have a tendency to do. (Something which was a problem when the Slammer worm hit.)

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
  18. Re:I don't pity them by |<amikaze · · Score: 4, Insightful

    for a LOOOOONG time now

    Three weeks isn't that long for a patch to be out. Many organizations actually test patches out on non-production machines before randomly installing software that Microsoft says is OK.

  19. What makes Windows 2003 so secure? by Da+Penguin · · Score: 4, Interesting

    I keep hearing that windows 2k3 is the most secure windows, but (and I'm truly asking), what makes people say so? I'm using it at home. Evidence for: logs changes, logs every reboot and needs you to enter a reason, insists that every site (including google) has a security issue, comes with almost everything disabled, doesn't let users use shockwave et al without permission, probably some bug fixes. Evidence against: see the article above. At least it informed me afterwards that the computer unexpectedly rebooted . . .

    PS: Please don't mod me for flaming, I'm really wondering what inner changes there are, other than the ones above that give the impression of security.

    1. Re:What makes Windows 2003 so secure? by MeanMF · · Score: 2

      > I'm really wondering what inner changes there are, other than the ones above that give the impression of security

      Besides the default-lockdown mode, they supposedly did a review of the entire operating system looking for potential security holes like buffer overruns. There's an awful lot of code in Windows though, and it's hard to know exactly how thorough that review was - especially since they missed this one. Time will tell.

    2. Re:What makes Windows 2003 so secure? by westyvw · · Score: 4, Interesting

      Well everything off is a good idea for a server. YOU should make the choices to turn anything on, and YOU should know why you did. The port this worm attacked has no justification for the home user. This is the same port that annoys most users of Win XP, but they don't know it. The only reason MS should have allowed this to be turned on was for administration on a LOCAL network.

      By the way I can make win 2003 server crash in minutes if I am allowed to be a user on it. Shame, it's not that much better, but leaving ports closed is a good idea, and a long idea coming.

    3. Re:What makes Windows 2003 so secure? by Anonymous Coward · · Score: 3, Interesting

      It installs with just about everything turned off, instead of turned on.

      It is also the first version of Windows that had teams of programmers whose sole purpose is to audit code and check it for security problems. Sweeps for coding patterns that lend themselves to exploitable bugs were done. Utilities were written to help flag suspicious bits of code. And so on ... time will tell how effective the changes were.

    4. Re:What makes Windows 2003 so secure? by StormReaver · · Score: 2, Funny

      Let's not forget that Microsoft -always- claims that whatever it's currently selling is the best and most secure version that it's ever made.

      NT was the most secure Windows ever made.

      95 was the best Windows ever made.

      98 was the best Windows ever made.

      2000 was the best and most secure Windows ever made.

      XP was the best and most secure Windows ever made.

      2003 is the best and most secure Windows ever made.

      And all those claims could be defended, as each successive Windows fixed past vulnerabilities (with subsequent service packs sometimes reactivating the same vulnerabilities) and made some minor improvements.

      However, no version of Windows has come even remotely close to being secure, even if you disable all network services configurable by users.

      Having never used Win2003, I can confidently assume that it will be little, if at all, more secure and reliable than any past version of Windows. Keeping logs telling you that you've been screwed rather than taking steps to keep you from being screwed in the first place is not an improvement.

  20. EA Vancouver went down ... by doublesix · · Score: 2, Interesting

    A friend who works at blackbox told me "hundreds" of computers shut themselves down at EA Studios out in Burnaby this morning ... HA HA

  21. Monoculture by the+eric+conspiracy · · Score: 4, Insightful

    One of the downsides to having just one type of OS is that it makes you very vulnerable to this sort of thing.

    As far as blaming people who haven't patched their computer, I can't see it. This thing is hitting home dialup users fer crying out loud - my friend had to drive over to his dad's house to disinfect a machine. You can't expect everybody's grandmother to behave as a professional sysadmin.

    1. Re: Monoculture by Black+Parrot · · Score: 2, Interesting


      > I'm all for Microsoft making the DEFAULT behaviour to be to download and install the patches without updating.

      In principle, yes, but...

      a) Would Microsoft (or any other company) be willing to accept the legal liability?

      b) How long until someone hijacks that very mechanism as a way of spreading grief?

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re: Monoculture by Black+Parrot · · Score: 4, Insightful


      > One of the downsides to having just one type of OS is that it makes you very vulnerable to this sort of thing.

      Everyone says that, but does it really? If all OSes and their associated software had easy exploits, would it really be that hard to write a polymorphic worm?

      > As far as blaming people who haven't patched their computer, I can't see it. This thing is hitting home dialup users fer crying out loud - my friend had to drive over to his dad's house to disinfect a machine. You can't expect everybody's grandmother to behave as a professional sysadmin.

      So true. That's why it's important to design OSes and user software for safety rather than for a faux ease-of-use. I hope the GNOME and KDE hackers and other FOSS writers are seeing the right message in this.

      --
      Sheesh, evil *and* a jerk. -- Jade
  22. Re:Thanks for nothing. by Gherald · · Score: 5, Funny

    When they find the Linux users who did this I hope they lock them up and throw away the key.

    So all someone has to do is dislike Gates and Microsoft, write a Windows virus, and they are automatically considered a Linux user?

    Cool.

  23. Re:Yes by molarmass192 · · Score: 4, Insightful

    I would hope hospitals do not run critical systems a) on Microsoft software but especially b) on a LAN with any access to the internet. It's sheer lunacy if they do and could be used as grounds for a lawsuit. On the other hand, they can do whatever they want with their accounting, cafeteria, and parking meter systems since a lawyer wouldn't pounce on that kind of ... wait ... I'm probably underestimating now.

    --

    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
  24. Re:I don't pity them by BWJones · · Score: 5, Insightful

    The patches have been available for a LOOOOONG time now.

    What, three or four weeks? Here is the problem with Microsoft patches. Folks have been screwed more than once due to poor testing on Microsoft's part when the patches completely screw up your system forcing you to spend hours rolling things back to where they were or even completely reinstalling Windows. So, many IT folks are understandably reluctant to employ these "patches" before adequate testing on their own systems. This may take a number of weeks.

    --
    Visit Jonesblog and say hello.
  25. Re:This sucks... (Engagement ring) by wavecoder · · Score: 2, Insightful

    First off, congratulations! Secondly, though, that's just the point: it is a $100 rock. This is what happens when somebody gets a monopoly - De Beers undersold everyone, then jacked the prices to the moon, and nobody bothered to try to stop them until they owned the market. In fact, most of their major execs can't set foot in the U.S. without getting arrested for racketeering, anti-trust violations of all stripes, etc...

    Power corrupts; absolute power corrupts absolutely.

  26. When will they learn? by devphaeton · · Score: 2, Insightful

    Seriously. Governments and businesses. Every time a pimply faced half-hack writes a new $krYp+ to take down the stand-up comedy act that is Windows Security....

    "Blame the admins for not patching when patches were available"....

    This has some merit, yes. *BUT* has anyone ever adminned a server that must be up 24/7? If you've got a whole room full of them, you just don't have the time to go in and manually apply patches. Yet, automatic Updates pose another problem: You probably just can't have a MSSQL server doing unexpected reboots all the time. You can lose data, what if the patch breaks something? etc.

    And even after all the patches and fixes (we're sidestepping the Microsoft "patch one hole, open 3 others" issue for the moment), stuff still happens. Servers get knocked over. Look how many times it's happened in the last 12 months.

    For home users, a disabled computer is a bummer, sure. But for businesses and governments, when will they simply decide that "This Just Cannot Happen Anymore."? Seriously. We're talking lives, national security, and huge amounts of money at stake here.

    The alternatives are out there. I know, you know, and /. knows.

    We all know that Linux, Solaris, *BSD and the like are not 100% perfect /either/... We also know that *any* poorly adminned box is a deck of cards, but C'mon! look at the vast canyon of difference, just in how installations come out of the box!

    When will they learn? Seriously! I think it would make better business sense (read: make more money in the long run) to look away from Microsoft and look towards other Free(software) and Commercial products. /me gets off soapbox again.

    Fwiw, when i booted up my WintendoXP box to download the patch, i got nailed before i got to type a URL into the browser!!

    C'MON!! AT LEAST GIMME A CHANCE, DAMMIT!!

    --


    do() || do_not(); // try();
  27. So are you implying by Gherald · · Score: 5, Funny

    ..they are an "ordinary asshole," as opposed to an asshole "trying to get people to switch to Linux" ?

  28. Re:3M Plant Shut Down by green+pizza · · Score: 4, Informative

    Somebody's trying to run a plant dependent upon Microsoft...

    I suggest you take some factory tours, the majority of modern factories/plants use Windows for their control software. Unless the end product is something very critical or very expensive, plant designers and control software writers tend to stick with well documented commodity hardware (Win32).

  29. Re:Yes by Narcissus · · Score: 2, Interesting

    You say that like the worm was aimed at government agencies, which is absolutely not true. That would be almost like saying "let's prove how powerful we are by taking out the town hall" just before dropping the bomb on Hiroshima...

    OK, so maybe not, but I hope you get my point.

    What I found interesting in the article was that now, apparently, only Windows machines are connected to the internet: "Millions of unprotected personal computers remain vulnerable to the worm, which can infect any machine connected to the Internet, experts said Tuesday".

    Who are these experts saying this, or is it just another case of a reporter getting it wrong?

  30. Philadelphia by phillymjs · · Score: 3, Informative

    The 10pm news here in Philly interviewed one of the city's IT guys. He stuttered and stammered his way through the whole thing, and looked to me like a man afraid for his job as he claimed that there was "no warning and no way to be prepared for this"-- not a verbatim quote, but close enough.

    I think the guy is right to be afraid for his job-- he's pretty damned incompetent to have not heard about this. This vulnerability was quite publicly announced weeks ago, and Microsoft's page with the patch is dated July 16. Even Homeland Security released a bulletin, and I'd hope that if nothing else those would get around in a city government that is supposed to maintain a level of disaster-preparedness.

    Then again, this being Philadelphia, that guy likely got his job through patronage and wasn't qualified for it in the first place.

    ~Philly

  31. Re:Yes by SubjunctiveSam · · Score: 5, Insightful

    You bring up an interesting point. My father is a Windows 2000 administrator for a large multi-site hospital system (seven hospitals, 2 long-term care facilities and 35 clinics). Thankfully they stay up to date on the latest patches and have a good firewall so they were completely unaffected. They also recently went through an emergency preparedness drill making them take a look at what would happen on the computer side of things if say, a tornado wiped out such and such hospital. They look at things like, where do we keep the tape backups of patient records, what services are necessary for the billing department? For the most part, mission critical applications are mainframe issues, and patient records etc are isolated from silly internet-propagated worms.

    My point is that if a staff has competent employees with an eye for security, usually viruses and worms' impact can be reduced to at most, a nuisance.

    Still, I agree with you completely. Virus authors need to realize that it's not all just in fun. People don't "deserve it" just because they are vulnerable. And, you're not going to teach anyone a lesson. It's not l33t haxoring, it's childish and immature vandalism, plain and simple.

  32. Re:Yes by Anonymous Coward · · Score: 2, Insightful

    How does a post that demonstrates the author read neither the parent to which he is replying nor the article itself get moderated "insightful"?

    To wit:
    1) The parent says nothing about switching to Linux.
    2) The article mentions that the worm leaves a message poking fun at Windows' security history thus demonstrating the author =does= have a point to prove.

  33. The funniest part (IMHO) is... by BurKaZoiD · · Score: 2, Interesting

    ...that I'm a damn programmer, and my system was secured from this exploit (due in large part to my overly paranoid nature), but the workstations belonging to my dept's microcomputer support & network manager were all vulnerable and hit. Dumbasses. I spent my entire morning troubleshooting, patching, and fixing the workstations belonging to my office's higher-ups & executives (I was specifically requested by them, I might add), while the network & micro fucktards ran around fixing the computers of the no-counts. Needless to say, I pissed off a lot of people today, but thank God they aren't the ones who sign my check.

    I look at the never ending laziness of network support as continuing to supply me with the opportunities to secure my employment. Also, the thank you email from the prez really gave me a chubby.

  34. Re:I don't pity them by zulux · · Score: 3, Insightful

    The patches have been available for a LOOOOONG time now. They should have patched. They can't whine now. End of story.

    ---

    I've had to patch several Windows 2000 boxes for clueless friends and mothers of friends.

    The patch is only 1.3 Megs or so, but the problem is that you have to have SP3 or higher to apply the patch and going from no service pack to SP4 takes 11 hours over a 56K connection.

    Try explaining that over the phone.

    It wouldn't be so bad if Windows 2000 had a serviceable firewall - there's one hidden in the management console thingy.

    It's really pathetic that in the year 2000 - ALL of the free unixes had decent, available firewalls, and most of them fit under 60 Megs.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  35. Re:Yes by Anonymous Coward · · Score: 5, Informative

    Actually, many hospitals DO run critical systems on Microsoft software. Also, the LAN need not be on the internet to catch a virus. Hospitals (such as the one I work in) have connections to several large companies. When these companies get infected, so do we. Another thing is laptops. All it would take is an infected laptop to plug into the network for the virus to spread. There are plenty of opportunities for viruses to propagate into the network, not just having 'access to the internet'.

  36. Re:I don't pity them by Gherald · · Score: 2, Funny

    Three weeks isn't that long for a patch to be out. Many organizations actually test patches out on non-production machines before randomly installing software that Microsoft says is ok.

    But if you are going to trust a closed source operating system, you may as well trust all updates from the owners of the code. I mean, who else is qualified to release patches...?

    As they say: In for a penny, in for a pound.

    I run Windows update on all my employer's servers and workstations within 48 hours of a security patch being released. I figure that is enough for a billion dollar company to retract a patch that has gone bad.

  37. Patches were *not* available on the update page by Phoenix · · Score: 5, Insightful

    And I know this for a fact. I had a machine that I re-loaded XP on for a customer since he was upgrading his motherboard. Friday I finish the windows load and I install all the patches available on the update page. Ran it once to get the first 80Mb of patches, ran it to get Media Player 9, ran it again to get the security patch for Media Player 9.

    That's everything on the update page.

    Installed Norton AV 2003 and got all the updates available as of last Friday. After doing that one would have a reasonable expectation of being safe against a problem, especially since the problem was discovered a full month ago.

    Monday the customer called with the machine giving a 60 second countdown and rebooting.

    Now even if the people at the MVA and other places *did* the updates from the updates page, they'd still be screwed.

    All I want is these virus programmers, their fingers, a ball-peen hammer and 5 minutes...it's all the time I'd need

    --
    -- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
  38. MY BAD: THE CODE IS HERE: by westyvw · · Score: 3, Informative

    My bad. I made a bad link that wasn't what I wanted:
    If you wanna look at the code it's HERE:

    http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat

    The grain of salt is that they are reverse engineering. But it still is there and interesting.

    Again my apologies.

  39. Windows not ready for prime time by JimmytheGeek · · Score: 4, Insightful

    Comcast as a whole got blasted, not surprising.

    A win2k sp3 machine I patched has something like 16 critical updates needed. Several reboots.

    That's too much downtime. You can update just about everything but the kernel in linux/bsd without a reboot. Going through this every couple of days is a drag!

    The architecture is fundamentally broken: the enabling stuff by default; implementing dozens of new ways for strangers to do things to your computer without your knowledge (as features!) with each release; welding mere applications (web browser, email client) to the OS, having them run with system privileges, and making it impossible to remove...

    Finally - windows update is fundamentally broken. It will report success when the patching operation fails. This is one way:
    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=9340

    They need to start over. Maybe if they start clean they can come up with something that compares to Linux.

    1. Re:Windows not ready for prime time by seanadams.com · · Score: 3, Insightful

      They need to start over.

      It's hard to imagine how that statement could be true - throw out 15+ years of OS development to start anew?

      However, Apple managed to do it by standing on the shoulders of giants, and using the time-tested Unix architecture while finding clever ways to support existing apps. MSFT could do it too, but I'd much rather see them continue down this path until they're toast. Preemptive multitasking and multiple users (done right) is the only way to go.

      You know how you sort of laugh at the Linux n00b who always logs in as root so he doesn't get those pesky permission errors? Well guess what - that's what 99.99% of the Windows world is doing now. But it's not just the users - it's practically every damn thing running on their system.

      I say bring on the virii!

  40. Stop blaming people! by Da+Penguin · · Score: 2

    > And who was it who brought it into the office? The CEO

    Sure maybe they didn't patch, sure they connected their system to the local network.

    There are a few common sense notions that people rightfully have. Among these are that 1) you can be on the internet and 2) connecting your system to a network should not harm other computers. If theory and practice are incompatible, I think they should rethink the practice of computers rather than the above two notions.

    "In theory, practice and theory should be the same, but in practice they're not."

    1. Re:Stop blaming people! by Tokerat · · Score: 4, Insightful
      There are a few common sense notions that people rightfully have. Among these are that 1) you can be on the internet and 2) connecting your system to a network should not harm other computers. If theory and practice are incompatible, I think they should rethink the practice of computers rather than the above two notions.
      There are a few common sense notions that people rightfully have. Among these are that 1) you can sleep around and 2) fucking without a condom probably won't give you diseases unless it's a whore from behind the Shell station. If theory and practice are incompatible, I think they should rethink the practice of humping like rabbits rather than the above two notions.
      --
      CAn'T CompreHend SARcaSm?
  41. Re:Yes by soupart · · Score: 3, Insightful
    Very good point about hospitals.

    I have many systems in many hospitals and they are windows based.

    Am I scared of what could happen?

    You bet your life.

    One of the corporate hospitals (oh yeah, they can own those too) I support had, at last report, five servers in their local server room completely down. The traffic alone on the network hindered my system, but we are still up, and a patch time is set.

    "... is set?" you say?

    Downtime is a HUGE issue for my company. If our system isn't up, a major communication link that ALL hospitals rely on in one fashion or another is gone. The last thing I need is to get a call saying that a Radiologist's report on an ER patient didn't get seen or heard by the ER physician in time to save a life. You want to talk mission critical systems? 24/7 with human lives at stake. I don't think it can get more serious than that.

  42. The Truth? Fire the bastards. by LibertineR · · Score: 5, Insightful
    This virus is the result of companies putting idiots in charge of setting up and administering Windows-based networks. There are so many Windows-based organizations, that only a small percentage of idiot admins will create enough insecure systems for a virus to do damage large enough to get noticed.

    The fact is, there is no 'secure' operating system, but there are enough things that can be done to prevent virus infections that any large company stricken by this virus should fire their IT staff TODAY.

    What company does NOT demand auto updating anti-virus software on every system connecting to their corporate network? What company does not have a person in charge of installing MS patches within 24-48 hours of their availability? Don't give me that crap about being afraid of the patches, because if they damage your network, you can blame Microsoft and save your fucking job.

    Viruses are a reality for Windows networks, and companies without policies and recovery plans to deal with them should fire their staffs and get competent people in place. Businesses need to understand that competency costs MONEY, so if your IT people are paid dirt wages, your network is a sitting duck, trust me. Can your MCSE who can't tell you what circular logging does on an Exchange installation. Fire the fool who told you to build trusts between multiple AD forests, I don't care how reasonable his explanation was. I see this shit every day, because 80% of Windows admins suck monkey dick. Microsoft is on their 3rd round of creating a certification program. Maybe they should consider taking the aftermarket PROFIT out of it, and stop caring about pass/fail rates long enough to get a core group of people who know what the fuck they are doing?

    There is no excuse for this shit anymore. A virus attack on a company running Windows these days should mean an instant termination of the staff that let it happen.

    1. Re:The Truth? Fire the bastards. by Zarquil · · Score: 5, Insightful

      Don't give me that crap about being afraid of the patches, because if they damage your network, you can blame Microsoft and save your fucking job.


      No way!

      If one of my clients happened to have mission critical software that was taken down because I applied a patch, then I'd deserve to get turfed. I agree that patches breaking other software is used far too much as an excuse for laziness, but testing your patches before you go live is still critically important.

      If I ended up costing a company a $10,000 gig (say I couldn't recover a database - or maybe just had so much downtime the company missed a deadline) I'm not going to last long enough to point the finger and say, "It's Microsoft's fault!" I'd likely have my ass grinding over the welcome mat on my way out the door. And in the small businesses that I deal with, losing more than one or two shows will bring the company down anyways.

      Part of competency is understanding risk management. If I have the time to test patches before applying them, there is no excuse to patch blindly. If it's a nice standard shop that doesn't have anything exotic, then yeah I'll let auto-update take care of it. But you better understand the business and what kind of tolerance they have to down time or broken patches!

      For the record, all of the systems have been clean and, knock on wood, I'll drop by the last of my clients this weekend and check theirs in person (I haven't got a complaint call yet, so I'm hoping things are as I left them.)

      - Zarquil
  43. Re:Yes by websaber · · Score: 5, Informative
    It contains the message

    "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"

    Doesn't mean there is an agenda but there could be.

    --
    "A good friend will bail you out of jail. A true friend will be sitting next to you saying, 'damn....that was fun!'"
  44. I have better things to do than patch windows by JimmytheGeek · · Score: 2, Insightful

    Maintaining this crap is taking way too much fsking time. I have a lot of other projects that I could advance but instead I get to hit slashdot while watching patch progress bars randomly increment.

    This is not good, it's not acceptable, and I am moving toward not accepting it. Screw em. Lousy products, massively offensive licensing terms (both in dollar amount and provisions), and smarmy, arrogant execs. Piss on them.

  45. Re:Yes by nolife · · Score: 5, Insightful

    I believe this is a side effect of the Windows dominant world. Many people have no idea that there is an alternative. If you look back at the media coverage of any of the many Outlook/OE and IE related viruses and worms, like Melissa, and many others.. You will find people claiming that it is an "email" virus. It is not, it is an OE/Outlook virus and can ONLY spread if using those products. 99% of the time, if you are not using a MS provided mail client/web browser you would be completely safe even with no firewall and virus scanner from those "email" viruses, although not the case here with MS Blaster. I think if the media stated that fact every time this happened, it might sink into people's heads that it might be a good idea to look for something else. Funny that this virus name actually contains a reference to Microsoft being called MSBlaster. I wonder if they tried to get that changed, funny how they call it Blaster, not MSBlaster like everyone else.

    --
    Bad boys rape our young girls but Violet gives willingly.
  46. Re:Yes by droyad · · Score: 3, Insightful

    It's really their own fault. Any enterprise running mission critical systems should patch their systems. It doesn't matter Windows has more flaws than Linux. A solid security policy is a must regardless of OS.

  47. Re:I don't pity them by TheQuantumShift · · Score: 4, Interesting

    I remember when this vuln was announced, I hit windows update that day (7/16), and lo and behold, it was a critical update... Remember how this vuln was all over the news? Remember how "the authorities" were listening in on chatrooms and saying there was a lot of talk about an exploit? I certainly remember all of this, so I say screw those who didn't patch. What's better, installing a patch that screws your system when you can blame that on MS, or not installing the patch and having no one to blame but yourself?

    --

    Shift happens. Fire it up.
  48. Dear SAN, by Letter · · Score: 2, Funny
    Dear SAN,

    I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!

    Love,
    Letter

  49. Re:Thanks for nothing. by ratfynk · · Score: 2, Interesting

    The majority of MS worms are created by little nerds in basements using pirated copies of Visual Studio. Not Linux users. They are known as script kiddies and are all over Usenet sharing their windows expertise.
    So bullshit to your post.

    --
    OH THE SHAME I fell off the wagon and use sigs again!
  50. Our system by Jade+E.+2 · · Score: 5, Informative
    I'm an admin for a local County department. While our network was mostly unaffected (I'll get to that in a second), the county's Central IS department, that runs the county backbone from which we get our internet feed, had their exchange 5.5 box (on nt4 - not patchable) go down sometime really early this morning.

    My department's network consists almost entirely of win2k boxes with the odd 9x client at some of the less well funded sites. We've got a dozen 2k servers and roughly 300 workstations, the vast majority of which were patched, and a restrictive firewall. Today we got hit by a worm for the first time, from another county department (behind the firewall), and from a dial-in client at a charity who uses one of our databases. I blocked port 135 from the rest of the county and terminated that dialin client, and started checking out the few boxes we knew hadn't been patched yet. I want to stress that the worm that hit us was not the MSBlast thing everyone's talking about. It doesn't shut down the machine (although it seems to crash the RPC service ~50% of the time). It's not detected by Trend's newest definitions (that include msblast), or by Symantec's msblast remover tool. Whatever it was, it did a number on those workstations and we left them unplugged from the network pending figuring out what the hell is wrong with them.

    It seems to spread the same way, scanning network ranges (apparently at random - when the dialin client finished scanning our block it went on to start scanning 5.69.something) on port 135 and attempting to infect any it hit. One thing to note is that it crashed the RPC service on a couple of fully patched clients, but for most of them it had no effect. On the ones that it did infect (IE, the ones that weren't patched), it disabled file copying through the GUI (both drag&drop and copy&paste). It also disables a number of odd things, mostly dialogs, like IE's "Find (on this page)". Between those two I suspect it infected at least one system DLL. Something it did didn't agree with Word, which would pop up an error on creating a new document, saying that the document could not be registered, so other documents would not be able to link to this one. I didn't spend too much time on it (There were only a few unpatched boxes, we took them offline and went home), but I didn't find any reference anywhere to this. It wasn't scanning out from the infected machines, so it may have a time delay or something built in.

    So, first, the people in the story weren't the first government agency to be affected, by far (although none of our public services were affected AFAIK). And second, has anyone else seen a second RPC worm going around? Or is this some mutated version of msblast?

    1. Re:Our system by Tumbleweed · · Score: 2, Funny

      One thing to note is that it crashed the RPC service on a couple of fully patched clients, but for most of them it had no effect. On the ones that it did infect (IE, the ones that weren't patched), it disabled file copying through the GUI (both drag&drop and copy&paste). It also disables a number of odd things, mostly dialogs, like IE's "Find (on this page)". Between those two I suspect it infected at least one system DLL. Something it did didn't agree with Word, which would pop up an error on creating a new document, saying that the document could not be registered, so other documents would not be able to link to this one.

      Hmm, that sounds about right for normal operation - are you sure the systems are infected? ;)

    2. Re:Our system by Oscar_Wilde · · Score: 2, Funny

      More interesting, I thought, is that it stops IE from opening pages in new windows. So all those sites that popup ads and all the pages where the links open in new windows don't work (oh for Mozilla and middle clicking on all computers). Also, drop down combo box menus won't work (which I noticed while trying to use phpMyAdmin).

      If nothing else this worm will stop people from having to put up with pop-ups for a few days... Might almost be worth it.

    3. Re:Our system by Antitorgo · · Score: 4, Informative

      If the other worm you are talking about is hitting port 445 it is probably the Backdoor.irc.Cirebot trojan. It targets port 445 (vs 135), and opens up a backdoor. It's still an RPC attack though...

      Hopefully, the other worm you are seeing isn't a mutation.

    4. Re:Our system by c.r.o.c.o · · Score: 2, Interesting

      When I saw this happen in our lab, I was trying to fix someone's floppy (yes, yes, I'm a lowly lab monitor at my U). I thought it was a broken floppy, but the strange thing was that the computer could read the fine just fine, but Copy/Cut/Paste was disabled in Word and in Explorer.

      Our lab is XP-only, and it's very up to date on all security patches, with ONE exception, the machine I was using for the floppy recovery. That one is running Windows98, and I know for a fact it's not patched.

      I'll look into it tomorrow, to see what's going on.

    5. Re:Our system by pavera · · Score: 3, Interesting

      I saw this exact same problem today at one of my client's sites. I do work for a few small businesses, and one of them had this exact same problem, it wasn't msblast (that process wasn't running, and nothing was found by virus scan or the symantec remover) but we showed the exact same problems, the only fix we found (In nearly 8 hours of trying) was to complete reformat and reinstall...)

      Hopefully someone will find out what this new virus is and create a removal tool for it, however I think this one might be pretty nasty, it completely hosed word/outlook and norton av on one system and trashed the windows installer service on another causing office and norton av to think they weren't installed, and making it impossible to reinstall them.

      We also did not see it scanning, and it seemed to be infecting slowly (the client has 30+ machines all win2k, and after 8 hours only 3 had been infected, those 3 were pulled from the net then but they had many hours to infect the rest of the hosts on the network and didn't).

      Any info on this new strain would be greatly appreciated.
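The spread pattern described in the county admin's post above (one host scanning address ranges on port 135, with port 445 named in a reply) appears in firewall logs as a single source sending SYNs to many distinct addresses within a short time. The following is an added example, not code from any commenter: it flags such sources in iptables-style LOG lines. The log lines, addresses, year, window and threshold are all constructed assumptions.

```python
"""Flag hosts that sweep TCP/135 or TCP/445 across many addresses (firewall-log triage)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import IPv4Address, ip_network

WATCHED_PORTS = {135, 445}        # ports named in the thread
WINDOW = timedelta(seconds=60)    # assumption: tune to your traffic
MIN_DISTINCT_DSTS = 10            # assumption: distinct targets per window

# Fields of an iptables LOG line; syslog timestamps carry no year.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?"
    r"PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse_line(line, year=2003):
    """Return (timestamp, src, dst, dport) for an initial TCP SYN, else None."""
    m = LINE_RE.match(line)
    if not m or m["proto"] != "TCP":
        return None
    flags = m["rest"].split()
    if "SYN" not in flags or "ACK" in flags:
        return None  # only connection attempts count, not replies
    try:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src, dst = IPv4Address(m["src"]), IPv4Address(m["dst"])
    except ValueError:
        return None  # malformed timestamp or address
    return ts, src, dst, int(m["dpt"])


def find_sweeps(lines, window=WINDOW, min_dsts=MIN_DISTINCT_DSTS):
    """Report sources that reach min_dsts distinct targets on one port within window."""
    events = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] in WATCHED_PORTS:
            ts, src, dst, port = parsed
            events[(src, port)].append((ts, dst))

    findings = []
    for (src, port), hits in events.items():
        hits.sort(key=lambda h: h[0])
        in_window, best, start = Counter(), set(), 0
        for ts, dst in hits:
            in_window[dst] += 1
            # Slide the window start forward past events older than `window`.
            while ts - hits[start][0] > window:
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > len(best):
                best = set(in_window)
        if len(best) >= min_dsts:
            nets = sorted({ip_network(f"{d}/24", strict=False) for d in best})
            findings.append({
                "src": str(src),
                "port": port,
                "distinct_dsts": len(best),
                "nets": [str(n) for n in nets],  # /24 blocks the sweep touched
            })
    return sorted(findings, key=lambda f: (-f["distinct_dsts"], f["src"]))


def sample_log():
    """Constructed log lines (documentation address ranges), not real traffic."""
    fmt = ("Aug 12 09:{m:02d}:{s:02d} fw kernel: IN=eth1 OUT=eth0 SRC={src} DST={dst} "
           "LEN=48 TTL=127 PROTO=TCP SPT=3{n:03d} DPT={dpt} WINDOW=16384 SYN URGP=0")
    lines = []
    # Sweeper: finishes one block, then moves on to another, one SYN per second.
    targets = [f"192.0.2.{i}" for i in range(1, 13)]
    targets += [f"203.0.113.{i}" for i in range(1, 4)]
    for n, dst in enumerate(targets):
        lines.append(fmt.format(m=14, s=n, src="198.51.100.23", dst=dst, n=n, dpt=135))
    # Ordinary file-server client: many connections, one destination.
    for n in range(20):
        lines.append(fmt.format(m=15, s=n, src="192.0.2.50", dst="192.0.2.10", n=n, dpt=445))
    # Slow scanner: ten targets, five minutes apart (missed by a 60 s window).
    for n in range(10):
        lines.append(fmt.format(m=5 * n, s=0, src="198.51.100.77",
                                dst=f"192.0.2.{100 + n}", n=n, dpt=135))
    lines.append("Aug 12 09:20:00 fw kernel: IN=eth1 OUT=eth0 SRC=198.51.100.23 "
                 "DST=192.0.2.99 LEN=78 PROTO=UDP SPT=1027 DPT=135 LEN=58")
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    for finding in find_sweeps(sample_log()):
        print(finding)
```

With the default 60-second window the slow scanner in the sample is not reported; widening the window catches it at the cost of more noise from busy legitimate hosts.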

  51. Re:Yes by molarmass192 · · Score: 5, Interesting

    Let me get this straight, patient monitoring systems are plugged into the same LAN in which doctors, admins, and what-not are free to plug in their laptops? I don't work in a hospital but even we have DMZ subnets for more sensitive parts of our network. I can't (or rather don't want to) believe that hospitals don't segment their networks the same way.

    --

    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws - Plato
  52. It's too much to ask by JimmytheGeek · · Score: 5, Insightful

    It's like digging a hole in the water. (In this metaphor, the water is NOT frozen, 'kay?)

    We IT gnomes have other things to do than patch and patch and patch and patch. We can't trust Windows Update to even correctly report the status of the application of a patch. We have users screaming for new installations, new hardware, new software, new networks, wireless, email, etc. Staffing doesn't get determined by workload. Not in my world.

  53. Guess I'm lucky.... by Soko · · Score: 2, Informative

    I recently took a contract job to bring the IT operations of a local, growing business from a mom & pop deal to a more enterprise ready footing.

    I have about 25 XP/98 machines to look after, but only 2 of them laptops (3 if I count my own). First thing I did when I was hired was grab both of the laptops and patch the hell out of them. Next was the 2K server, and lastly today I spent the whole day running around updating everything I could on the rest of the desktops. No programs got hosed in the update process either, which was a relief. We're behind a small NAT engine too, so I feel rather confident that we'll weather the storm.

    My point is that businesses such as my current customer have no clue that an operating system (indeed, almost any program as well) needs to be taken care of. This is the issue that will keep biting Microsoft in the ass - until they make it plain as day that "You need to do regular maintenance to our products" people will run with security holes. If they can't see that it's broken, why would they fix it?

    Another point - I'm looking into SUS so I don't have to worry nearly as much (or spend so much time waiting for WindowsUpdate) but I'll need another server to use it. The lone server my customer has is almost overloaded at the moment, running SBS with 256M of RAM. SUS requires 2k Server or above to run - why, I don't know. Just like Microsoft to turn a problem they've created into a marketing opportunity. No wonder they're having trouble stemming the Linux tide.

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  54. I find the quality of this article lacking... by RALE007 · · Score: 3, Insightful
    "It's likely that people who have not turned on their computers yet will discover that they have already been infected if they do not have the Microsoft patch, a firewall of some sort or anti-virus program installed,"

    How could one already be infected if their computer hasn't been running? Maybe he's implying "as soon as you turn on your computer you'll be infected", I don't know.

    Millions of unprotected personal computers remain vulnerable to the worm, which can infect any machine connected to the Internet, experts said Tuesday.

    Really? I thought it was only Win2k, XP, and 03, not every computer on the planet. But experts said so, so I guess it must be true.

    The worm attacks computers through a flaw in the part of Windows that allows computers to share files and control Internet traffic. Four versions of Windows operating systems are targeted: Windows NT, Windows 2000, Windows XP and Windows Server 2003.

    Oh you are aware it doesn't affect every computer on the planet. That's good because five paragraphs before you said it did and now you're contradicting yourself. Wonderful

    "This is certainly a capable person who did this," Sundwall said. "In most cases, it takes about six to nine months for a worm to appear after a patch is released. This is certainly something that did occur quicker than we are accustomed to."

    Because it is just so hard to create a self replicating buffer overflow program. It's not like this is down to a science. The statement implies a team of developers would have to sit down for a year to create something this "sophisticated". It couldn't be that MS products are inherently insecure and easily exploitable. There are thousands if not millions of people "capable" of this, just not immature enough.

    You'll notice some of my excerpts are quotes from within the article, and not necessarily the words of the author. The author still chose to include this malformed crap.

    I would recommend seeing this older Slashdot article concerning the worm or going to google to find better written information on the matter. The facts within the new article are interesting, but so blatantly misrepresented it's annoying and I would view an alternative source.

    --
    Beware blue cats moving at .99c
  55. Re:Yes by soupart · · Score: 2, Insightful
    You can hope until the cows come home friend, cause I'm here to tell you that Windows is in every hospital, every clinic, and every doctors office you visit. Even the big fish: Mayo, Boston, etc. Sorry to rain on your parade.

    As far as being on a LAN with access to the Internet, that argument is pretty much useless. One infected machine on the inside and you are a potential target. Just the way it works.

  56. Re:I don't pity them by dillon_rinker · · Score: 5, Insightful

    Patches can introduce bugs. Microsoft does not test their patches against all software in the world; they certainly don't test it against all custom software.

    Suppose you've got a mission critical app. Suppose the folks that wrote this app went out of business in 2000. Suppose it incorporates a library that includes a control that uses a deprecated interface to call an obsolete method. Suppose this method returns a value of 127 for a particular failure. Suppose that this failure is one that should not be retried in this environment because it would initiate another query to the master database in Frankfurt. Suppose that a patch (incorrectly) causes this interface to begin returning 63 for that failure code. Suppose that what USED to be failure 63 should be retried 255 times. Suppose that one day this particular failure (was 127, now 63) occurs.

    Now suppose that you're the boss of that guy who convinced you last week "We don't need to test patches apps from Microsoft before deploying them enterprise-wide." and your boss wants to know why his boss in Frankfurt is on the line.

    Now you know why I'm unemployed.

  57. DO blame MS! by JimmytheGeek · · Score: 5, Insightful

    Until they can release an OS that goes a couple of weeks between major vulnerability discoveries, they're fucked! And so are you. Don't you think IT staffs have other responsibilities? Do you realize how many updates there have been this year? How many of them require a reboot?

    That's an easy question to answer.

    The more interesting question is how many of them would not be required if they had implemented a sensible architecture, if they hadn't bolted on a bunch of crap to advance the monopoly into the internet, etc. Then we could hope for a massive improvement in code quality. My impression is that a bunch of this was avoidable, but for lazy and incompetent product managers and programmers, and perverse design goals intended to hurt competitors no matter what collateral damage to consumers.

  58. What should I use? by roystgnr · · Score: 2, Insightful

    No, really. List your choice of replacement system and give a thorough list of past remote exploits for it before you bash Microsoft.

    Microsoft actually seems to be getting better about security. They still have holes that you have to patch, but so does everybody. Here's a list of the security updates for my OS distribution of choice, for instance:

    Red Hat Linux 9 Security Advisories

    Most of these aren't as bad as the recent Windows hole (and many aren't in software that even has an equivalent included with Windows), but there have been a lot of them recently, and they're not Red Hat specific problems either.

  59. Re:Yes by Pathwalker · · Score: 4, Interesting

    Formatting hard drives? Screwing up the BIOS? We'd still be lucky if that was all that happens.

    The idea that scares me is a slowly spreading virus - hiding as well as it can, and remaining on systems for months or years.

    I had a full description of a possible payload, and the effects it could have, but I thought better and deleted it.

    All I will say, is that a virus that targeted not the computers, but the business processes of the company that uses them could do some major damage.

  60. Virus taking out government computers? by EGSonikku · · Score: 2, Funny

    It's SkyNet! SkyNet is the virus!

    *makes some popcorn and waits for the nukes.

    --
    - "Scientia non habet inimicum nisi ignorantem"
  61. British Columbia banking is screwing up now! by ratfynk · · Score: 2, Funny

    The debit machines in British Columbia are screwing up big time right now August 12. A Safeway employee told me it is because of server outages. Boy this is starting to cost big dollars. At least ./ still runs. You guys cash my check? At least I can still rant on line.

    --
    OH THE SHAME I fell off the wagon and use sigs again!
  62. Re:Yes by Cat_Byte · · Score: 5, Interesting

    I've been knocking on doors for a job since I was laid off on December 24th. It seems most of the hospitals have contracted out their IT positions rather than have them in-house.

    Hey when I was a contractor I walked in, did what they asked me to do, then went on to the next job site. I didn't go around asking if they had separate LANs for sensitive equipment because...well...I was paid salary and wanted to go home after my 10 hr day. I'm sure the current contractors feel the same way.

    Being a local sysadmin/network admin is different. It's your baby, you get the call at 3am when things go bad, you make sure that doesn't happen. Too bad employers don't see that and I bet you this one still doesn't see it that way.

    --
    Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
  63. That's a scary thought ! by JimmytheGeek · · Score: 2, Insightful

    The Windows world isn't even close to handling a whole class of vulnerabilities - services running with inappropriate privilege. Ouch! No chrooting, privilege separation, etc.

    It's amazing how little they seem to learn from better OS's. That and your point reminds me of a sig I saw a little while ago: "If I am near-sighted, it's because I stand on the shoulders of midgets."

  64. Re:Windows insecure? by cranos · · Score: 4, Insightful

    Being User Secure and being Architecturely(sp?) secure are two very different things.

    The reason why it is so easy to attack MS machines is because they insist on running what really should be considered User space applications as part of the Kernel space, IE is a good example as is Office.

  65. Wrong on all counts by freeweed · · Score: 2, Insightful

    Windows *is* fundamentally insecure, and much more so than Linux. If you don't see this you know very little about computer security.

    It has nothing to do with 90%, it has nothing to do with people not patching because they are technically incompetent, IT IS BECAUSE WINDOWS BY DEFAULT RUNS A SHITLOAD OF NETWORK SERVICES AND DOESN'T FIREWALL ANYTHING.

    In case you didn't catch that, let me repeat:

    IT IS BECAUSE WINDOWS BY DEFAULT RUNS A SHITLOAD OF SERVICES AND DOESN'T FIREWALL ANYTHING.

    Run a netstat on a default XP install, and count the open ports. Now do the same on a default Linux (RedHat/Mandrake/Deb/you name it) install and count the open ports. You'll notice a 2:1, 3:1, as high as 10:1 ratio, Windows:Linux. Ok, so by default Windows has many more open doors. Huh, wonder why it gets exploited so often.

    Unfortunately, that's not the end of it. Most Linux distros I've seen (fellow slashdotters correct me on this stuff) are now using IPtables by default, with at least a level of security that blocks incoming connections to almost everything. All you have to do in some is select 'high' security, and bang, almost nothing gets through.

    Windows by default has no firewall enabled. In fact, you can't do *anything* with pre-XP Windows. Linux has had built-in firewalling for years and years and years...

    This is all bad, but it gets worse. The latest worm attacks the RPC service in Windows. Now, logically, you'd think you could shut off an RPC service, if you're never making/receiving REMOTE PROCEDURE CALLS. Nope, the OS breaks pretty nastily if you do that.

    I have yet to see a single example of a listening service on a Linux box that cannot be disabled without wrecking the OS itself.

    This has nothing to do with patches, volume, or the price of tea in China. Windows simply uses a poor security model, one based more around convenience than intelligence.

    I really don't get the massive amount of Windows apologists on Slashdot, either. I personally love Windows for what it's good for, but a simple 5 minutes research into TCP/IP will show anyone just how poor the security model is in Windows. Yet you're modded up with 100% complete nonsense.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
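The netstat comparison suggested in comment 65 above, as an added example that is not part of any poster's comment: a small Python parser that reads `netstat -an` output in either the Windows or the Linux column layout and separates TCP listeners reachable from the network from those bound to loopback only. Both netstat captures are constructed samples, not measurements of real default installs, and the function names are hypothetical.

```python
import ipaddress

LISTEN_STATES = {"LISTEN", "LISTENING"}  # Linux spelling / Windows spelling

# Constructed sample: Windows-style `netstat -an` output (not a real capture)
WINDOWS_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1048      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: Linux-style `netstat -an` output (not a real capture)
LINUX_SAMPLE = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.30:22         10.0.0.5:51000          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
"""


def _split_endpoint(endpoint):
    """Split netstat's 'host:port' into (host, port); copes with ':::22' and '[::]:135'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def tcp_listeners(netstat_text):
    """Return the set of (host, port) pairs for every listening TCP socket."""
    found = set()
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("tcp"):
            continue  # headers, blank lines, UDP rows
        # Find the state column; the local address is two columns before it
        # in both layouts (local, foreign, state), with or without a PID column.
        idx = next((i for i, t in enumerate(tokens) if t in LISTEN_STATES), None)
        if idx is None or idx < 3:
            continue  # not a listener (e.g. ESTABLISHED) or a malformed row
        try:
            found.add(_split_endpoint(tokens[idx - 2]))
        except ValueError:
            continue  # port column was not numeric
    return found


def is_network_reachable(host):
    """True unless the socket is bound to a loopback address."""
    if host in ("*", ""):
        return True  # wildcard bind
    try:
        addr = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
    except ValueError:
        return True  # unrecognised form: count it as exposed, the cautious default
    return not addr.is_loopback


def summarize(netstat_text):
    """Group listening TCP ports into network-reachable and loopback-only."""
    exposed, local_only = set(), set()
    for host, port in tcp_listeners(netstat_text):
        (exposed if is_network_reachable(host) else local_only).add(port)
    # A port with both a wildcard and a loopback binding counts as exposed
    return {"exposed": sorted(exposed), "loopback_only": sorted(local_only - exposed)}


if __name__ == "__main__":
    for name, sample in (("windows sample", WINDOWS_SAMPLE), ("linux sample", LINUX_SAMPLE)):
        result = summarize(sample)
        print(f"{name}: {len(result['exposed'])} exposed {result['exposed']}, "
              f"loopback only {result['loopback_only']}")
```

Feeding it the saved output of `netstat -an` from each machine in a fleet gives a per-host list of listeners to close or put behind a packet filter.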
  66. Actually, our hospital was hit pretty bad today by PIPBoy3000 · · Score: 5, Informative

    I work for a healthcare organization and it was indeed pretty bad. Our desktop folks had gotten behind on their testing of security patches, so many of our systems were unpatched. All it took was one connected clinic to start it off and pretty soon routers started shutting down due to the huge network traffic as the worm spread.

    It was pretty freaky. My coworker was patching systems in the Emergency Department as patients started getting some long wait times. Downtime measures tend to be slow in comparison to what people are used to.

  67. More info by Jade+E.+2 · · Score: 4, Interesting
    Yeah, yeah, it's bad form to reply to yourself. But I'm leaving for the night so I figured I'd post a few more details I remember in case it helps anybody else.

    If the worm we got autostarts anything, it uses one of the sneakier methods. I didn't check the ini files, but I did check out both run and both runonce keys and there was nothing unexpected in any of them. File sizes and dates on the files that were there matched a clean system (although that's not a guarantee, I didn't run checksums). The damage to explorer, IE, and Word did survive a reboot, however, so it modifies something on the system. We had the system up for the better part of an hour on the network, watching ethereal on the switch's mirror port, and didn't see any strange traffic, so I don't know what triggers its spread. The dial-in client that was one of the original vectors had been connected for something like 8 hours when it started scanning, and we are its internet access so it couldn't have been (easily) infected from outside today without us seeing it (we were monitoring after central's exchange server went boom), so I strongly suspect it's got a timer or trigger to start scanning. (Maybe idle time? It started roughly half an hour after they closed for the night, hence us kicking them off and revoking their dial-in privileges instead of just calling them.) I didn't catch any actual infections in the packet dumps, only scans after the vulnerable machines had already been hit, so I don't have a network dump, but I'll hook an infected machine to the test network in the morning and try to get one. If I can talk the manager into leaving me alone for long enough I'll try to get it to infect a dummy machine I've imaged and see exactly what changes it makes. Anyways, good luck to anyone still playing with these things.

  68. Virus? by Flakeloaf · · Score: 3, Funny

    No problem, Sir. We'll just switch our AI on and squash this thing. Skynet is ready to go live.

    --

    Am I the only one who heard Roxette to sing "I'm gonna get blitzed for some sex"?

  69. Provincial Government of Ontario hit hard too by The1Genius · · Score: 2, Interesting

    Extensive hits to e-mail, web and database systems throughout many ministries in Ontario.

    I thought it was interesting that a member of the Justice system in Ontario was complaining that 'Microsoft is not providing the proper tools to properly manage an enterprise with 1000 servers spread throughout the province and ensure that patches and service packs are kept up to date. The cost of maintaining these manually is too high'

    To which I asked 'How much is it costing you to scramble and fix this problem now?'

    Enterprises either need to bear the cost of a 3rd party tool to maintain patches through the enterprise or find the money and resources to keep things up to date properly on an ongoing basis. Otherwise, they will find it costs 2-3 times that amount of money to respond to patching and cleaning large pools of servers in this type of worm situation.

    --
    The1Genius - Littera Scripta Manet
  70. The patch isn't that great to begin with by broken.data · · Score: 2, Informative

    One of the reasons that this patch may not be installed everywhere, besides the obviously long QA side of testing patches before deployment (I was burned by SP3 and a Promise IDE controller) is that it is pretty far reaching. Any game house or animation company for games like Quake or UnrealTournament2003 will probably not have applied this patch. Reason: It made it so they could not open any of the files made in gmax

    1. Re:The patch isn't that great to begin with by broken.data · · Score: 2, Interesting

      The problem though.. why the f**k should an RPC patch affect whether or not I can open a .gmax file?

      And this does not only affect this patch, but if you had installed SP4 the same thing happens. It's like my PDF files getting flucked because I got the new DirectX 9.0b.

      Hmm.. patch and can't work. Don't patch and can't work. Crap.

      And yeah, I just made a midnite run to a client site because mail/website/firewall were not responding. My OpenBSD firewall was tighter than a dolphins' ass. It was the whole damn Internet rebooting. ISP went up in flames.

  71. Re:I don't pity them by Gherald · · Score: 5, Insightful

    A security patch should not break code. Were I "the boss of that guy," I would consider Microsoft to be at fault.

    Sounds like a time for damage control and updating that app or library (even if it means using a disassembler).

    As for deploying at a large enterprise, it would be wise to test mission critical apps before doing so. But such testing should be routine and be completed ASAP.

  72. Re:Yes by IM6100 · · Score: 2, Insightful

    Many people have no idea that there is an alternative.

    And then the issue is compounded to be even worse. People like the parent phrase it like there's an alternative, and not numerous alternatives. Some of the alternatives are significantly more usable than Linux on the desktop. Yet we find people here posing it like it's an either/or choice.

    --
    A Good Intro to NetBS
  73. Re:Yes by TedCheshireAcad · · Score: 3, Funny

    This is unfortunate, as the most entertaining worms/virii are those that contain broken English. Example:

    VERY JOKE! See US President and FBI Secrets!

    However, to the dismay of many a sys-admin, this worm is not VERY JOKE. Sigh.

  74. new comp infected within 3 minutes of first boot by Anonymous Coward · · Score: 2, Interesting

    I was setting up a new computer today running Windows XP and within 3 minutes of the first boot, the computer was infected. I wasn't even able to download the updates before the worm found this machine. So my question is, why are machines still being shipped with vulnerable versions of Windows XP? If it is too expensive to redo the drive, at least include a cd-rom (that costs $0.00001) that has the updates on it.

  75. Re:Yeah, since Linux is 100% bug free right? by unclethursday · · Score: 4, Insightful
    It's true Linux isn't 100% bug free (nothing is), but Linux and all the other Unix-alikes are more secure, by default, than Windows is by default.

    Microsoft often releases patches for these types of worms and viruses, but the problem becomes that sometimes their patches end up breaking a hell of a lot more than they fix.

    Companies, and government institutions cannot just patch and go. They have to test the patches on an isolated computer to ensure that EVERY SINGLE program they need to use is not affected adversely by the patches. Any idea how many MS patches for Windows alone are out there? It's a wonder IT people at companies/government are even half as caught up as they are.

    Just imagine if your health insurance provider's IT supervisor just went and patched every time without testing; and one day the program they use to keep things up to date won't work because of a MS patch that broke it. Suddenly you're without health insurance. God help you if you get hurt in the time it takes for them to figure out what broke the program and try and fix it.

    That's why it doesn't matter that MS releases these patches. Sometimes they fuck up a lot more than they fix, and companies and government institutions simply cannot take the risk of installing every single security patch from MS (often released weekly) because of this.

    Thursdae

  76. From my hotel to work by mhoover · · Score: 2, Funny

    Here is a little something that you may or may not find slightly hilarious:

    Word of forewarning - I am typing on a ONCOMMAND keyboard (hotel web TV) that is probably covered in beer and man glaze.

    I had a mysterious reboot one night when trying to access the "High Speed Suck-O-Net" that they try to charge $10/night for. After 13 hours of updating MS systems at work I wrote it off as "one of those things". Now I am starting to have second thoughts.

    I can't use the internet in the hotel on my computer because every time I do I get the "NT Authority/System RPC service terminated unexpectedly" then my Windows XP laptop (wasn't it supposed to be more secure?!?) shuts itself off. Not only that, the phone stopped working next to the bed, the receptionist downstairs thinks I am crazy for bitching about worms (how can worms get on the tenth floor?), this keyboard sucks and my computer is infected with a DAMNED VIRUS that has already cost me $10 for the initial infection! I would like to find the ASSHOLE that wrote this POS and give his ass an unexpected termination!

    Seriously though,
    Why can't someone write a virus that gets into these ONCOMMAND systems (run on MS (P)OS) and tell it to give everyone free porn? I would pay for it but I am afraid my TV will shut off half way through due to some bug and I would have to make the rest up!

    I probably would have been able to respond to the 15 minutes of warning had I not been patching other vulnerabilities these bastards keep finding.

    BTW - I proudly run OSS for several of my (stable) servers but I am not in MY office, I am in a pure MS network. I will now be infesting it with a new "virus" according to the all knowing MS. It's a little thing called Linux, anyone heard of it?

    Well I suppose I should get some sleep as I will have a couple hundred machines to clean at 6 AM and it's now 12:30. Off to bed where I shall dream of worms crawling through my head!

    --
    The dingo ate my sig.
  77. Re:Windows insecure? by pi_rules · · Score: 2, Insightful
    If Linux had 90% marketshare and was used mostly by people who don't patch, like Windows is, I fail to see how architecturally Linux would be more immune to this type of attack than Windows is.


    Yeah, that's probably why IIS has such a poor track record when compared to Apache. Who would try and 'sploit Apache on Linux? Nobody runs that crap.
  78. Re:Yes by Pathwalker · · Score: 5, Insightful

    There are worse things than just wiping a hard drive. Wiping all data is obvious, and you know it happened.

    What if a virus was capable of recognizing some common file types, and making a few changes?

    Every so often adding or subtracting from a cell in a spreadsheet? Finding a CAD file and changing the thickness of some metal?

    How about an easy one? Social Security Numbers are easy to identify - what if a virus looked for them in files, and changed a digit in a few of them at random?

    What's worse than no data?

    Data that you have no idea if it is correct or incorrect, and have no idea if any of your backups are correct or incorrect.

  79. You just described my vision of hell by Sevn · · Score: 5, Insightful

    I can imagine the day when the unknown security hole of the future comes careening through that expansive Windows network and Microsoft hasn't made a patch yet. I wonder how long before someone dies. Nothing personal, but I'd never consider Windows 2000 secure enough to bet my life, or anyone else's life on it. No FUD intended here. I'm being as serious as a heart attack. I'd go so far as to say that putting mission critical hospital systems on the Windows 2000 platform is criminal. I'd never trust my life, or a loved one's life considering their track record. And yes it IS that big of a deal. And it IS that serious. What you are describing is a serious tragedy waiting to happen. It's only a matter of time.

    --
    For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
    1. Re:You just described my vision of hell by Dunkalis · · Score: 4, Insightful

      I really wouldn't bet my life on any OS. I would be happier if they ran on at the very least Trusted Debian. OpenBSD would be better, but I'd only trust my life to a machine that runs a completely custom OS built for one purpose that does one thing, and does it well. That's why I'd trust the computers in a car before I trust any other sort of OS.

      I really don't have a choice, though, so here's to hoping that people have enough sense to at least stop using Windows on mission critical systems.

      --
      Slashdot is a waste of time. I enjoy wasting time.
    2. Re:You just described my vision of hell by Hektor_Troy · · Score: 2, Funny
      Nothing personal, but I'd never consider Windows 2000 secure enough to bet my life, or anyone else's life on it.
      Well, I wouldn't mind it if Bill Gates, Steve Ballmer et al were dependent on the stability and security of Microsoft's products.
      --
      We do not live in the 21st century. We live in the 20 second century.
    3. Re:You just described my vision of hell by NanoGator · · Score: 2, Insightful

      "I'd go so far as to say that putting mission critical hospital systems on the Windows 2000 platform is criminal."

      And the alternatives are better? Doesn't matter which system you're on, you have to stay up to date with this stuff.

      --
      "Derp de derp."
    4. Re:You just described my vision of hell by Alioth · · Score: 2, Insightful

      My question is why hospitals are using CONSUMER grade equipment (hardware and operating systems) at all. A surgeon would probably try and choke you to death if you suggested he used consumer grade sterilizing equipment that people use to clean out their home brew beer kits to sterilize his tools: why is it then acceptable to use consumer grade computers and operating systems?

  80. Public perception and customer feedback by rediguana · · Score: 3, Interesting

    I was at the gym for the 3pm NZST news today, and Microsoft took a hammering. Only Microsoft Systems are affected... MSFT this, MSFT that - I'd like to see what Microsoft New Bliss-Land do to spin this.

    I've just checked their NZ home page and they are soliciting for feedback on customer feelings towards MSFT today, and have some obvious customer advice in big, bright colours. Microsoft US doesn't seem to care in comparison.

    The feedback form has three cute faces with various different states from happy to angry on them. Perhaps you may want to give them some feedback too ;)

  81. Re:I don't pity them by unclethursday · · Score: 4, Insightful
    A security patch should not break code. Were I "the boss of that guy," I would consider Microsoft to be at fault.

    Unfortunately, under current laws and regulations, Microsoft is not held liable if their security patches break your system. They're also not held liable if a virus/worm hits you before they can patch it. In fact, no matter what Microsoft's software ends up doing to your business, they aren't liable for anything.

    So consider it Microsoft's fault all you want, but they won't be forced to do anything about it.

    In the end, the company is going to want to blame someone they can do something to, which means their employees.

    Thursdae

  82. Re:new comp infected within 3 minutes of first boo by Meorah · · Score: 2, Interesting

    So my question is, why are machines still being shipped with vulnerable versions of Windows XP?

    because it would cost them (PC manufacturers) lots of money to stop shipment on all those systems and reimage them all over again. they would be glad to toss a CD in the box if they kept track of which hard drives were in which systems, but they don't. honestly, just make your own damn cd. it will work until the next service pack is released, and then you'll have a brand new office frisbee to play with. you can't lose!

    --
    Protector of Capitalist views,
    Meorah
  83. That and a simple firewall by KalvinB · · Score: 4, Insightful

    Getting hit by this worm demands complete apathy towards patching your system. One faculty member at the University I do tech for was complaining about doing patches. It's so hard to open IE go to tools and then Windows Update and click a couple buttons. If that. We tend to set Windows to automatically download and install critical patches and then cross our fingers and hope the users are too lazy to disable it.

    In my case I just run a $50 router with NAT that blocks everything I don't need which makes the entire house network of around 10 computers immune from this worm regardless if they're patched or not.

    This worm doesn't prove anything. Linux users need to be patching their systems as well and when it becomes mainstream it'll be the target of script kiddies as well. It's just pointing out what techs all know: people are lazy and don't care until it's a problem.

    Ben

  84. Speaking of Money by MacFury · · Score: 5, Interesting
    Every once in awhile I hear about companies forecasting how much money will be lost due to lost productivity and downtime of infected computers.

    Has anyone compiled a list to see something like how much M$ has cost the world due to insecure software?

    I would guess it's a couple billion dollars by now. Why does no one care?

    1. Re:Speaking of Money by Robmonster · · Score: 3, Interesting

      And how much have they made in Gained Productivity by providing tools for people to generate complicated spreadsheets / print their own stationery / produce business winning presentations?

      Not that MS are the only providers of this software, but you have to balance what inconveniences they cause against the benefits they have given.

      --
      I have no sig yet I must scream.
    2. Re:Speaking of Money by Klast · · Score: 2, Insightful

      In theory monetary compensation was paid in return for the Gained Productivity, ie. buying the software. Which means you could argue that monies should go the other direction when some of that productivity is lost. Yes, yes I can see this turning into an empirical argument over the total value of loss + gain.
      But thanks to blind acceptance of all-encompassing EULAs, this argument is a lost cause anyway.

      --
      -You can lead a fool to wisdom, but you can't make them think
    3. Re:Speaking of Money by FatherOfONe · · Score: 4, Insightful

      Good point, but NOBODY seems to fault Microsoft in this issue. They hold some of the blame for this, and I hope that people start to wake up and realize that this IS the additional cost of working with a Microsoft system. This has to be factored in with the total cost of ownership. But yet you NEVER see this in a Gartner report. Why? I spend around 1-2 hours a week on average working with virus issues on our Microsoft software and almost ZERO on all our other systems.

      Gates and company made Windows programs easy to integrate (DDE, OLE etc) but they NEVER took security seriously, then when they started to make a NOS those same BAD habits followed. Remember that Windows 95 used to send your password in CLEAR TEXT over the network!!! What serious company in their right mind (in the 90's) would have designed anything that way? They ignored security to give people like you "features". Well now one of those "features" is an un-secure operating system.

      I could just imagine people that own a GM car had some hacker who could use the onstar stuff to shut down their car while they were in it. Granted, I think they would be initially mad at the person who caused this, but if it happened again and again and again and again, they would probably not buy a GM car again, and their anger would turn to GM. I wonder when this type of thinking will turn to Microsoft. How many systems will have to be down for days?

      Yes I realize that this can't happen with a GM car, I am just using it as an example.

      By the way, did you try and get a patch from their site yesterday? That sure was fun!!! I actually managed to get one 98 system updated at around 8:00pm est.

      --
      The more I learn about science, the more my faith in God increases.
    4. Re:Speaking of Money by tsa · · Score: 2, Insightful

      Interesting point. Recently I heard that M$ has bought a company that makes anti-virus software. So now they can earn more money by selling their crap. Now they can even hire people to write new virii (viruses? we had this discussion long ago...) for them!

      --

      -- Cheers!

    5. Re:Speaking of Money by jedidiah · · Score: 2, Informative

      Microsoft has a duty to prevent foreseeable harm to others. There's simply NO wiggling out of this. If you make a crap product and someone else acts as the fuse, you're still on the hook for making a crap product.

      Windows: Unsafe at any speed.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    6. Re:Speaking of Money by SillySlashdotName · · Score: 3, Informative

      "ILOVEYOU" virus 2.6 - 15.0 Billion

      BBC California-based IT consultancy Computer Economics estimated worldwide damage to be $2.6bn by the end of Thursday. It said that figure could soar to $10bn by next week.

      USAToday

      Lloyds of London put the estimate for Love Bug at $15 billion.

      Melissa 1 Billion

      USAToday

      the economic damage from the Melissa virus in 1999 to be about $1 billion.

      CodeRed 2.6 Billion

      BizJournals.com

      "Code Red, which started in mid-July, so far has cost the U.S. economy $2.6 billion."

      Klez 9 Billion

      The Register

      "The Klez virus last year cost businesses $9 billion worldwide in lost productivity,"

      SirCAM 1 Billion

      BSTPierre.org

      "SirCam", which also propagates through email, cost $1 billion.

      TOTAL for these alone: at least 16.2 - 28.6 billion

      --
      Acts of massive stupidity are almost never covered by warranty. --me.
    7. Re:Speaking of Money by King_TJ · · Score: 2, Interesting

      Yes, and no. For one thing, Microsoft OS based systems have the lion's share of the market, so people wanting to inflict damage/do harm by coding a virus are going to do the logical thing and target a Microsoft OS.

      If 95% of the desktops and servers were Linux-based, I really do believe you'd see more Linux security flaws exposed and taken advantage of. (No, I don't think Linux is nearly as "slapped together" as most MS code. No, I don't think it's going to be as "insecure". But yes, I do think it currently benefits from far fewer hackers having an interest in discovering and exploiting flaws in it.)

      Also, I'm not really certain how many of Microsoft's security issues are due to recently-created portions of their code, as opposed to flaws in older code that finally got fixed? Quite a few of the security patches deal with code that's at least 3+ years old. (Anything for Windows '98, for example.) Once the bad code was developed and put out there, the only options are to ignore it, or release update patches. To Microsoft's credit, they are actively patching things.

      If this rate of security flaw finding continues with the current code they're releasing, then folks *do* have a right to complain, long and loud, that MS has *NOT* made good on their promises to take security more seriously. Right now, I think maybe it's still too early to tell if that's the case or not? All I can say is "Here's hoping they keep up those patches, to iron out the old/buggy stuff."

    8. Re:Speaking of Money by pmz · · Score: 2, Interesting

      And how much have they made in Gained Productivity by providing tools for people to generate complicated spreadsheets / print their own stationery / produce business winning presentations?

      Citing Microsoft for gained productivity is fallacious. CPU/RAM/Disk speed and capacity increases should be given more credit, as word processing and spreadsheets have not improved dramatically in well over a decade.

      Even in the late 1980's my Commodore 64 with GEOS and an Okidata printer did very good word processing. Microsoft has done nothing other than genius marketing and spinning information until most people can't think of anything but their products.

      When will people realize that Microsoft's main business is not even technology?

  85. Re:WMW: Whatever McDonald's Worker! by Sevn · · Score: 4, Insightful

    What was it that really made the worm possible?

    Leaving RPC open by default. As much as I like where you are trying to come from, this is indeed a Microsoft problem that they created themselves. When you have 50 FUCKING BILLION dollars in the bank, a major majority of the market, and this type of crap keeps happening, you should probably think about spending a few billion on making products that don't cost your customers insane amounts of money and lost productivity due to down time because of pathetic security and coding practices. It's just a thought.

    --
    For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
  86. Re:Yes by hobbesmaster · · Score: 2, Funny

    Nobody will die if your hospital loses all billing records. Well, the accountants might have heart attacks, but I digress...

  87. Re:The writer has an obvious agenda. by Rob+Simpson · · Score: 2, Funny

    This San? Clearly, the feds just have to look for a guy riding a red elk...

  88. Re:Yes by SubjunctiveSam · · Score: 2, Insightful

    No, they're not. From what he tells me, most of the employees have locked down systems that run all their needed apps from the network over citrix metaframe etc. Nothing is supposed to be installed or stored locally on any of the client systems. Yes, viruses could probably still be introduced via the method you described, but they would probably only infect client machines, not the systems where the databases are stored. Another related and interesting issue, is doctors there whining that, for example, aol instant messenger can't get through the firewall. Of course you can't tell doctors they shouldn't run that, so there's no choice but to open it up. Demands from doctors are one of the bigger headaches for the IT support staff there.

    Another good one is when doctors go to some convention and a software vendor convinces them they need some piece of software. One that doesn't work with the databases already set up, etc.

  89. Re:Yes by darkov · · Score: 4, Insightful

    Virus authors need to realize that it's not all just in fun.

    I don't think virus authors are the point. It's easy to make obvious statements about how childish and irresponsible this guy is, but it's not like he invented worms. They were possible and probable before he sat down to code this one. So if people die in the hospital the blame rests with the people who administer the networks, the machines and the hospital. And Microsoft. It's their responsibility.

    I think the people who write these things serve a useful purpose in strengthening security - like eating dirt when you're young helps you build your immune system.

  90. Windows Update and regular users by TechStuff.ca · · Score: 2, Interesting

    How many Windows users actually use Windows Update?

    I'm convinced that most regular users do not "get" what Windows Update is for, and see no tangible benefit to using it until/unless their system crashes. It's a bit like backing up the hard drive -- most people won't do it until a bad experience convinces them it's worthwhile. (This goes double for dial-up Internet users, who have to babysit giant downloads, and may have to start from scratch if they get disconnected.)

    I think Microsoft needs to add some kind of positive reinforcement and explanation of the value of the Windows Update service. Even a big splash screen at the end of each update that says "Your computer is more secure!" would be an improvement.

    In my experience, Windows Update works pretty well in Windows XP. Updates can be set to download and install automatically, or download then notify, or simply notify when updates are available. The system works.

    By my very unscientific reckoning, however -- based on the visitor logs on my Web site -- the latest Windows (XP) accounts for just 50% - 60% of current Windows users. 20% are still running Windows 98 (and 20% are running Windows 2000).

    Why does that matter? Remember that Windows Update in Win98 was not automatic. In fact, it often completely failed to work!

    Many of today's users had at least one bad experience with Windows Update before Microsoft got the bugs out. (You might recall that the Win98 version had several "known issues" including the infamous "freezes at 0%" problem that completely prevented users from accessing the update system.)

    Microsoft also alienated some users in the early days of Windows Update by marking unnecessary (even unwanted) system software as "Critical Updates." If I remember correctly, version 1.0 of buggy and bloated Internet Explorer 6 was installed as a "Critical Update" to IE5.

    In short, Windows 98 users who tried Windows Update learned these lessons:
    - Windows Update doesn't work very well (or at all)
    - the updates do not appear to make any difference
    - Microsoft uses this system to force unwanted software on me

    It's no wonder many Windows users don't bother to fire up Windows Update. And as long as some Windows users are apathetic (or actually hostile) towards the update system, EVERY Windows user is vulnerable.

    (A brief digression: users who have dial-up Internet accounts are less likely to use Windows Update than broadband users. They would need to see some major tangible benefit to keeping their systems up-to-date. Big downloads are relatively painless with broadband, but they're a major hassle for dial-up users -- especially to anyone who pays by the minute to be connected.)

    Anyway.

    It's clear that automatic updates are the way to go. Microsoft could easily fix the whole problem by issuing free software to make "Critical Update" downloads automatic in older versions of Windows. That would eliminate a major reason for upgrading to XP (i.e. because Win98 is insecure by default), but it would benefit ALL Windows users.

    But there's the rub: this would eliminate a major reason (perhaps THE major reason) to move from Win98 to WinXP.

    I spent more than an hour on the phone today with a friend whose Windows XP system was infected by the Blaster worm. She thought she was safe -- she has anti-virus software, she updates her virus definitions daily, and she thought she was using Windows Update regularly. (She was wrong, as it turns out -- Windows wasn't up-to-date, although she swears she said yes to automatic updates sometime last week.)

    If a bright, conscientious, well-meaning user can get burned by this system, there's something wrong.

    Solutions? I think "Critical Updates" should be mandatory for all Windows users. If people refuse to update the updated system software, Windows would shut down after a reasonable period of time -- say 30 days -- until the user agrees to get the Critical Update.

    Another idea: write and distribute th

    1. Re:Windows Update and regular users by slide-rule · · Score: 4, Informative
      I'm convinced that most regular users do not "get" what Windows Update is for

      I just got back from visiting "the relatives" all of last week. Heartland area of the US. Farm-type folks that grow food many of you eat. Anyway, the parent poster's statement is correct. These people have a few PC's as a matter of modern necessity. One of these (win98) runs a payroll app, is connected via dialup to the internet, is connected via ethernet to two other "critical" systems running WFW3.11, and was running a *completely* unpatched version of IE4.0 / Outlook Express. Oddly, they didn't have near the problems one might expect for all this (impressively, ad-aware came up clean aside from cookies) but when I mentioned "Windows Update", which sits right there on the Start Menu plain as day, to my relative who runs the '98 box, all I got was "what's that?".

      My early-teen cousin was running his family's 98 box similarly. Unpatched. Ad-aware found all manner of crap that might just have, with luck, woken him up. Still, I had to explain all this nonsense, including *what* windows update was, *how* to run it (click here, click here, look the list over, click this, wait. reboot. repeat until the list is empty), how spy-ware/ad-ware differs from virii/worms, etc.

      These aren't stupid people. Ignorant of the complexity of things that we all here take for granted. (In fact, I'd wager we give "joe sixpack" too much credit, not that I'm calling dumb on the world or anything.) It is just that their priorities are differently aligned than the hobbyist/admin types here (or that of people who try to design software with these people in mind, even). It was an eye-opening experience.

      Now, to the credit of my linux geek membership, I might be able to upgrade the WFW systems to hardware made inside this decade and run the critical software in dosemu or the like, put the dialup on a firewall, and other things before they get convinced to shell out $20,000 on software and hardware upgrades this time next year.
  91. Re:Yes by Anonymous Coward · · Score: 5, Interesting

    Hahaha... you have faith.

    Back in the day, I was called to a hospital in the middle of nowhere that stored everything (patient records, accounting, etc) on a single IBM AIX box.

    Someone who was supposed to be an admin blasted the /etc filesystem and thought unplugging the machine would fix it. (So all the databases were f-ed up too)

    The last backup had been made approximately 3 years before and the system had been upgraded several times. Nobody knew what version the system was actually on, and the one contractor who did was climbing a mountain somewhere. (This is happening at 2AM Saturday) It was also in "Trusted" mode.

    To make a long story short, we eventually got in and got everything up on Sunday night.

    Lesson #5675: Never underestimate the incompetence of hospital IT staff. (Particularly small hospitals).

  92. Yay, Employment! by Splat · · Score: 4, Funny

    So, as a Philadelphia area resident can anyone get me a list of infected business/departments so I can fill the positions of the soon-to-be-fired IT Staff?

    Yes - I am partly serious.

    1. Re:Yay, Employment! by Zarf · · Score: 2, Funny

      So, as a Philadelphia area resident can anyone get me a list of infected business/departments so I can fill the positions of the soon-to-be-fired IT Staff?

      The note I just got said those jobs are being outsourced to India. Sorry you're still out of luck. :(

  93. Re:Yes by wo1verin3 · · Score: 2, Informative

    Actually the medical clinic near my house has a complete mac network including servers.

  94. Am I the only one concerned... by wo1verin3 · · Score: 3, Insightful

    That we may never get rid of this worm completely, at least not for a long time...

    Patches for the hole, except for Windows NT 4.0, which the company no longer supports, were put online by Microsoft.

    Source: Channel NewsAsia

    There are A LOT of companies still running NT on both servers and workstations, last time I was in a major server room at Big Blue, well I won't name clients, but several large name clients have NT based server solutions. Yes I know blocking certain ports will stop it from getting in, but there is still potential for many NT systems not to have those ports blocked now, or in the future.

  95. You are an ignorant idiot. by jotaeleemeese · · Score: 2, Informative

    The fucking patch did not work. I have been awake all night trying a new version of the patch and applying workarounds...

    --
    IANAL but write like a drunk one.
  96. Re:Are systems behind a NAT modem/router safe? by Anonymous Coward · · Score: 3, Insightful

    Depends on what the NAT is doing for you. If (for instance) you have a LAN behind the router but at the same time have an internal mailserver, you'll almost have to have at least the mail ports locked to a live interface inside (unless you're doing something unusual with your mailserver, and your ISP is providing store and forward with you only connecting on demand.) Is your router only passing traffic over the mail ports to that box, and is that box not running any Windows server OS?

    And this is all assuming that no one in your org has a laptop - our machines are all patched. 'Ceptin' for a person whose personal laptop appears on the network, and who went on vacation three weeks ago.

    Fortunately, all of our machines are long patched, so even if this person had decided to plug in after seeing the 'funny behavior' on the laptop, it wouldn't have been able to get far on our LAN.

    Most home machines which are behind NAT "routers" don't do port filtering outbound. So if a kid gets something bad when she's at school and comes home to the DSL feed a) your XP box is infected and b) you've got two machines searching the net for further targets over your DSL feed.

  97. Let me count the ways.... by gad_zuki! · · Score: 4, Insightful

    > I say screw those who didn't patch

    1. Companies may still be evaluating it before putting it on their production servers. So if their e-commerce site went down because of this patch would you also say "screw them for not testing properly?"

    2. "Road Warrior" laptop users who tech support hasn't had a chance to update yet.

    3. Home users who dutifully update their virus scanners, pay Norton, and are careful not to open wacky attachments but have no idea about how remote exploits worked.

    4. Failed patches and false positives.

    5. New computers straight from Dell or whomever that bundle and auto-setup everything except autoupdate. Hmmm, that sounds like a big problem to me.

    6. "Early victims" who were infected well before the patch was available or before their computers could download it automatically.

    7. The technical clueless that have no idea what a virus is, let alone what a worm is. Whose job is it to teach them the ins and outs of security? Maybe MS could make a more secure product or at least put as much effort into alerting the user about security as it does trying to break competitors. Crazy, I know. /insert obrant about how Windows is a poor system in regards to security and how patches and virus scanners are post-attack fixes. Someone has to get infected first you know. //or insert obrant how Bush's DOJ let MS off and now we are sowing the seeds of cronyism.

  98. Yeah, we know. by jotaeleemeese · · Score: 2, Informative

    Apache is the most popular web server. It gets hammered harder by the script kiddies than IIS.

    Who installed the logic module in your brain?

    --
    IANAL but write like a drunk one.
  99. Re:WMW: Whatever McDonald's Worker! by Stevyn · · Score: 2, Funny

    The ability of ms programmers should be commended. Like clockwork they ensure people must update their software every week and upgrade it every couple of years.

    This business strategy of having your customers depend on you to prevent these pathetic hacks works well for them. What other company in these times has $50 billion in cash?

    The only thing that can help or even fix this is competition. We all know that's not going to be from apple anymore, so maybe linux.

  100. Re:Yes by Keeper · · Score: 3, Informative

    Life support systems, heart monitors, and other devices of that sort are not plugged into a LAN. The requirements for those kind of devices is unbelievable -- I actually feel sorry for anyone who has to work on such systems, after having seen what kind of hoops those devices have to go through.

  101. Text in the Virus by ChopsMIDI · · Score: 3, Informative
    According to the Symantec page regarding the worm:

    The worm contains the following text, which is never displayed:

    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    So it seems the creator did have a point to prove.
    --

    How could I say to men: "Speak louder, shout! For I am deaf!"? -Ludwig van Beethoven
  102. Apache is a brick by KalvinB · · Score: 2, Insightful

    IIS is a Swiss Army knife.

    I run Apache precisely because it doesn't do anything extra. Lack of functionality doesn't make it more secure than something of greater functionality. It's apples and oranges. As someone else mentioned, Apache has modules that open up the same/similar vulnerabilities as IIS.

    IIS gets hacked from remote administration exploits and the fact it's tied in to the OS. Which is precisely why I dumped Linux which stupidly ties in FTP to the OS.

    App accounts should NOT be system accounts. If I want to have the same user and pass for HTACCESS, FTP, SMTP, POP3, and VNC, I'll set up the separate programs handling them to have the same user and pass in their respective account files. I don't want the OS to handle all the passwords. When you do that, then getting a password means you have access at some level to the OS which leads to escalation hacks. The intelligent way where say an FTP account has nothing to do with a system account, getting a username/pass only gets you into the FTP account.

    If you get a password for my mail server, worst case you can read my e-mail. If you get a password for FTP, worst case you can change some files.

    Ben

    1. Re:Apache is a brick by larien · · Score: 2, Informative
      OK, first off, it's easy to set up a system account to only allow certain access. If you don't want them to log in, set the shell to /bin/false (or whatever). Similarly for POP3 etc.

      Secondly, most of those systems have versions which can use LDAP and/or a database as authentication sources, freeing it from the OS.

      Thirdly, you've just annoyed people who have access to these different systems as they now have to change their password in 3 (or more?) different places.
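
The first point in larien's reply above (a service-only account gets a shell such as /bin/false) can be checked mechanically. This is an added example, not part of the original thread: it audits passwd-format input for named service accounts that still have an interactive shell. The account names, the sample data and the list of no-login shells are constructed assumptions to adjust per system.

```shell
#!/bin/sh
# Added example: find service accounts that can still log in interactively.

# Constructed sample data in /etc/passwd format (not from a real system).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/false
popuser:x:110:110:POP3 mailbox owner:/var/mail/popuser:/bin/sh
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
webedit:x:111:111:FTP-only web upload:/srv/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# list_interactive "name1,name2,..."
# Reads passwd lines on stdin and prints "name:shell" for every listed
# service account whose login shell is not one of the no-login shells.
list_interactive() {
    awk -F: -v names="$1" '
        BEGIN {
            # Accounts that exist only for FTP, POP3 and similar services.
            n = split(names, a, ",")
            for (i = 1; i <= n; i++) svc[a[i]] = 1
            # Shells treated as "cannot log in" (assumption; extend as needed).
            nologin["/bin/false"] = 1
            nologin["/sbin/nologin"] = 1
            nologin["/usr/sbin/nologin"] = 1
        }
        # Skip comments and malformed lines (a passwd entry has 7 fields).
        /^#/ || NF < 7 { next }
        # An empty shell field means the system default shell, so it is
        # reported as interactive as well.
        ($1 in svc) && !($7 in nologin) {
            print $1 ":" ($7 == "" ? "(default shell)" : $7)
        }
    '
}

# Stand-alone run against the constructed sample.
sample_passwd | list_interactive "ftp,popuser,mail,webedit"
```

To audit a live system, feed it `/etc/passwd` on stdin with the site's own list of service accounts.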

  103. Ermm.. no by poptones · · Score: 2, Interesting
    I believe this is a side effect of the Windows dominant world. Many people have no idea that there is an alternative.

    Uhhh.. no. This is a side effect of a homogenized world. It's no different than growing a forest of cloned trees, or a race of cloned people. Because they are all identical, they all suffer the same weaknesses. As a result an infestation that would ordinarily kill hundreds instead ends up killing off the whole forest - or an entire race.

    If everyone had macs (or linux) virus writers would be targeting macs or linux. The problem isn't just windows: it's that a single OS - a single "species" - is far too pervasive.

  104. Re:I don't pity them by RoLi · · Score: 2, Interesting
    I certainly remember all of this, so I say screw those who didn't patch. What's better, installing a patch that screws your system when you can blame that on MS, or not installing the patch and having no one to blame but yourself?

    As soon as you play the "blame game" you have already lost, and you know it.

    The virus writers win because they get the attention they wanted, Microsoft wins because they saved billions by releasing quick-n-dirty designed software early.

  105. Admins without a clue... by 26199 · · Score: 5, Insightful

    "I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."

    How about downloading security patches, too?

  106. Not all of us by denjin · · Score: 2, Informative

    Not all hospitals do.

    I work for one of the largest health care systems in the US, and we didn't even hardly get touched by this new virus. We did have I think one office (NOT in a hospital, one of the 'corporate' ones) get hit by this, but it only affected a handful of users.

    Then again, we are tortured by VMS and some Sun Mail programs... ;)

  107. This much damage from half a worm by SgtChaireBourne · · Score: 4, Interesting
    The sad part is the MSBlast worm is terribly inefficient and poorly designed, yet still has caused this much disruption. Even Slammer, which reached saturation in 8.5 minutes, infected very few machines, caused trouble by eating bandwidth. Think what would have happened if it did something more malevolent.

    It's not a new problem. Nor is any amount of wishful thinking going to fix the problem, Microsoft's products just aren't engineered for security. It's a problem that would take years to fix. Bill Gates himself made allusions to the U.S. Apollo space program of the 1960's which was $25 billion over 10 years. However, for the time being, the security issue is treated like a PR problem and the customers are taking the lumps.

    At this point the problem is sociological or psychological. Like any other cult, Microsoft provides a sense of purpose and belonging to its supporters. Note that neither a technical background nor even an analytical way of thinking is a prerequisite, thus fulfilling even the unconditional acceptance aspect of a cult.

    As much as IT staff and, especially IT managers, admire the personal wealth of Bill Gates, they just need to be able to let go of Windows and move on.

    Move on, either to Macintosh or Linux or QNX or BSD or Novell there are many choices. There will be some up front costs, but even without the viruses and worms these upfront costs will be offset by the number of maintenance hours saved.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  108. This guy ruined it for the rest of them by hondo_san · · Score: 5, Insightful
    I can imagine the ire that l33t haXors/crackers are voicing about this. The worm infects. The worm is easily removed. The patch is applied. For most systems, if not all, this fixes it. (Disclaimer: I have not yet removed this from a system. I have only talked to colleagues that have, and customers who have been affected.)

    Let's try to imagine if it carried a Chernobyl-like payload, or the feared root name server DDoS. Man, that's scary. So, the first one with an exploit ruins it for the rest, as at least some of the world finally realizes that it needs to patch, rendering the real killer-virus less effective, should it ever see the light of day.

    I guess in that context, we should be grateful. It's kinda like if you're walking down the street in a bad neighborhood. Wouldn't you rather have some a**hole just slap you in the face, rather than said person walking up and shooting you?

  109. Re:Yes by RMH101 · · Score: 2

    and never underestimate how easy it is to poke fun at people on slashdot without having to back it up with evidence. i'm sure a lot of healthcare IT professionals would love to have a quiet word with you about your glib comments.

  110. Re:Yes by RMH101 · · Score: 3, Interesting
    Right on. Let me emphasise:

    MEDICAL DATA CAPTURE STUFF NEEDS TO BE VALIDATED AGAINST FDA REQUIREMENTS. THIS IS *HARD* AND YOU DON'T GET IT BY ACCIDENT.

    Ask anyone who's worked on a validated or 21CFR11-compliant system.

    I can't breathe on our systems without exhaustive revalidation procedures and that's the way it should be.

    It's very easy to poke fun at sectors you have no experience of, but rest assured all the checks and balances you think should be there, ARE. And then some.

  111. Re:Yes by RMH101 · · Score: 2, Funny
    perfect! perhaps we could run it on a commodore amiga, and make sure that only one person knows how it works. then we could staple their lips together and cut off their hands.

    you stop software installs and removable media through good security policy, not by running your mission critical stuff on an obscure OS that you can't support and your vendor won't support either.

  112. These were not the only gov't offices by Rodaddy · · Score: 2, Interesting

    I have a friend at the GSA, and I told him this was going to be coming last thurs. He told his bosses, they told him, "We could get most of them upgraded, but it would be a lot of work. F*ck it" Needless to say most of their office went down, as did many of the gov't key GSA databases. It's not really funny, but....Ha Ha.

  113. Pshaw! by eap · · Score: 2, Funny

    This virus talk is rubbish. I'm typing this on a Windows computer right now and everything is working fi

  114. The problem: Lazy Sysops - and *nix is worse! by digrieze · · Score: 4, Interesting

    I know /. is the place to bash the microsofties, but don't let it get to your head. Remember, anything with the name Microsoft gets instant press, outside the techies the public thinks "apache" is the old movie name for a First Nations tribe.

    I regularly do security audits of all kinds of systems. When I walk in to a microsoft shop I can immediately tell how it goes. If the sysop says "I don't trust the patches, I test them, but they're not deployed unless there's a REAL problem" It won't go well, those guys usually don't update virus files either. On the other hand if the sysop is using patch management practices he can often go out in real time and check the current status of a server, workstation, and active version of the virus definition file in realtime (they usually have good WRITTEN policies on unauthorized (untested) soft/hardware with sanctioned backup). I haven't found malware in any of the latter cases.

    I've yet to find a good *.nix shop. They often have good processes and procedures that SHOULD avoid problems, but the truth is it's easier to sign a piece of paper that says sourcecode was patched and applied than to actually do it. Things look great on paper. Check the source or decompile sendmail (one of my favorite targets) and it's another story. I'm still finding the same hole T.Morris used years ago on active servers. The excuse is always the same, "that was the way it came, shouldn't that have been fixed in the distro by now?" (i.e. too lazy to look, just signed the paper). Many don't even check SANS or CERT regularly. At least windows will notify you when critical updates are available, and all you have to do to apply it is run the .exe. Even then you get guys like this story highlights:

    "I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."

    (How did this guy get his position or experience? Even "end-users" successfully use critical update with relatively NO technical experience or fiscal responsibility.)

    Any sysadmin that can't keep a system patched, or falsifies patch records should be punished up to and including dismissal as far as I'm concerned.

    Incidentally, just so you know, my audit document is the CERT advisories on securing systems. If you want a great basic book, try O'Reilly's "Practical Unix and Internet Security".

    Has anyone figured out yet that as far as I'm concerned the problem is NOT theoretical design differences in OSs as much as the incompetence of the people running them?

    --
    It doesn't matter what you wrap your emotions around, Reality is a brick wall specifically designed to scramble eggs
  115. Why? by Overly+Critical+Guy · · Score: 4, Insightful

    Why is it Microsoft's fault when THE PATCH WAS RELEASED A MONTH AGO? A simple ~800kb patch. The exploit even made a Slashdot headline, so it was well-reported.

    The fault lies in those people who don't patch the operating system with the critical updates put out by its maker.

    --
    "Sufferin' succotash."
    1. Re:Why? by pmz · · Score: 2, Insightful

      The fault lies in those people who don't patch the operating system with the critical updates put out by its maker.

      No, the fault still lies greatly in the hands of Microsoft. They build a system, market it as drool-proof, drooling idiots all over the world buy it, and those drooling idiots get burned and are still so stupid that they don't realize they were LIED TO IN THE FIRST PLACE!

      So the blame is two-fold. 1) Microsoft is an unscrupulous LIAR, and 2) Microsoft's customers are stupid IDIOTS.

      Thankfully, the markets are very slowly but steadily learning, and I am optimistic that Microsoft will be much, much smaller in five years.

    2. Re:Why? by kikta · · Score: 2, Insightful

      Why is Microsoft leaving ports open by default that have no business being open in the vast majority of cases?

      They've spent years breeding increasingly clueless users. Think about what kind of knowledge was required to run DOS/Win3.1 versus WinXP. It's a good thing that operating systems have gotten easier to use. However, that means that the users will be less and less clueful as time goes by.

      Saying the users are at fault for not applying a critical patch when there was ample warning from multiple sources is all well and good. They do deserve part of the blame. But expecting users to understand patches when they can't even understand/care about many other simple administration tasks is foolishness. This isn't even taking into account people on dialup who have lots of patches from MS marked critical and don't want to blow hours at a time downloading them. Also, this patch isn't perfect - I know of several people running Win2000 that are now having issues.

      Yes, users should learn to update their damn systems. No one is disputing that fact. However, MS deserves a large part of the blame for consistently releasing outrageously buggy code (including their patches), setting so many things to an insecure state by default, and breeding ignorant users but not taking care of them.

  116. Re:Why are all these end users .... by BobBoring · · Score: 2, Insightful

    Why are all these end users turning off the auto update features.

    Because they got burned once when Windows Update started sucking a several-gigabyte service pack over their modem connection?

    Or maybe they got tired of having to wait through the several "download a patch that has to be applied separately and reboot" cycles when all they wanted to do was check the movie schedule for the local theater?

    Or maybe a social engineered malware webpage changed the settings by telling them to click the link and it will double their internet connection speed?

    Or maybe they are so burned out with having to patch their system three times a week they just don't want the bother since after all it is someone else that is going to get the virus not them?

    ad infinitum, ad nauseam

  117. MSBlaster Worm Symptoms and Remediation by virtcert · · Score: 3, Informative

    Here's a rundown of what I've found out dealing with the MSBlast worm, some of which wasn't posted to the list yet (or I just missed it). Luckily my systems here were patched before this came out, but a few people brought in laptops that weren't patched, so here's what to expect.

    MSBlast Symptoms:

    Windows XP: Computer displays a message that the computer will shut down in 60 seconds.
    (Go to a command prompt and type "shutdown /a" to abort the shutdown.)
    This indicates that your computer is infected with the MSBlast worm.

    Windows 2000: Computer displays an error message about "svchost.exe" fatal errors. Odd behavior follows, such as not being able to drag-and-drop certain items, Internet Explorer context menus (right click menus) don't work properly, and other bizarre behavior.
    This _does_not_ necessarily mean that a computer has the worm, but the svchost.exe could be crashing as a result of the worm trying to get in. However, you should still run the removal tool to make sure.
    Some people have associated this with the install of Service Pack 4, but it appears to be coincidental and not related to the SP4 install. However, SP4 does seem to have its own user-reported set of issues unrelated to this worm, as discussed here:
    http://www.w2knews.com/anecdotes.htm

    Windows ME/98/95: Unaffected by this worm.

    Windows Update: Windows Update is running incredibly slowly.
    You may or may not be able to get in to update your system. This is due to the fact that millions of people are all hitting the service at once trying to get the patch to stop this worm. If you keep trying, you will eventually get in, but it may take a number of tries and 5 minutes or so per try. Additionally, you may get an HTTP 1.1 Server Too Busy error message even after you are in. Just keep clicking on the "Review and Install Updates" link on the left side pane and it will eventually let you in. When it does make a connection, the window or system may appear to hang for up to a minute or two. Just wait it out and it will eventually wake back up with the Blindly-Accept-Our-New-License-Terms window. Read the license terms thoroughly and print out a copy for your files (sorry, couldn't resist) and then click "OK" and the updates will then download (slowly) the needed files and install them.
    To make matters worse, the worm will start a Denial of Service attack against the Windows Update site on Saturday Aug 16, so if you think it's bad now, you ain't seen nothing yet.

    Worm Trivia: The worm contains the following text, which is not displayed on the screen:
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!

    If you experience either of the above symptoms on your PCs, you need to apply the appropriate patch from here immediately:

    Windows XP Security Patch:
    http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
    Windows 2000 Security Patch:
    http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
    Windows NT 4.0 Security Patch:
    http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
    Windows NT 4.0 Terminal Server Edition Security Patch:
    http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-53722188d489/Q823980i.EXE
    Windows Server 2003 Security Patch:
    http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629390b9/WindowsServer2003-KB823980-x86-ENU.exe

    Then, run this program to scan your system for any remaining parts of the worm.

    Removal Tool:
    http://securityresponse.symantec.com/avcenter/Fix

  118. Fix Info by Jade+E.+2 · · Score: 2, Informative

    Once again, replying to myself. Oh, well.

    I got to spend most of the day playing with this. Turns out this is msblast. The '60 seconds to reboot' thing only affects XP, not 2k. The reason we were getting these strange symptoms and nothing for the virus scanners to catch is that this is a failed msblast. The buffer overflow hit, but failed to download the payload through tftp. (Yes! Finally, an advantage to having your WAN links running at 750% of capacity - virus-induced TFTP transfers fail!) We found that installing MS03-026 on the system and rebooting cleared the weird behavior, and for one or two that did actually manage to download the actual virus file, Trend's newer virus defs find it and kill it mercilessly (even removing the registry entry). (Trend pattern file v606, released yesterday, supposedly found msblast, but we didn't see any actual detections until v608 came out today. Could have just been that none of the machines had downloaded it yet yesterday...)

    Hope this helps the people who had similar symptoms.
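
Added example (not part of any comment in this thread): a patch-status sweep of the kind comment 114 describes, using the patch ID, affected-OS list and Trend pattern version given in comments 117 and 118. The inventory layout, the hostnames, the KB000000 placeholder and the choice of 608 as the definitions floor are assumptions made for the example.

```python
import csv
import io

# Values taken from comments 117 and 118 on this page.
PATCH_ID = "KB823980"                    # the MS03-026 fix
PATCH_ALIASES = {"KB823980", "Q823980"}  # the NT 4.0 packages are named Q823980
AFFECTED = ("windows xp", "windows 2000", "windows nt 4.0", "windows server 2003")
UNAFFECTED = ("windows 95", "windows 98", "windows me")
MIN_TREND_PATTERN = 608  # assumption: first version with detections seen in comment 118

# Constructed inventory export; hosts, layout and KB000000 are invented placeholders.
INVENTORY = """host,os,hotfixes,trend_pattern,symptom
host-a,Windows XP,KB823980;KB000000,608,
host-b,Windows XP,KB000000,606,shutdown-60s
host-c,Windows 2000,,608,svchost-crash
host-d,Windows 98,,604,
host-e,Windows NT 4.0 Terminal Server Edition,Q823980,605,
host-f,BeOS 5,,0,
"""

def triage(row):
    """Return the actions for one inventory row, in the order comment 117 gives them."""
    os_name = row["os"].strip().lower()
    if os_name.startswith(UNAFFECTED):
        return ["none: OS not affected by this worm"]
    if not os_name.startswith(AFFECTED):
        return ["review: OS not covered by the thread"]
    actions = []
    installed = {h.strip().upper() for h in row["hotfixes"].split(";") if h.strip()}
    if not installed & PATCH_ALIASES:
        actions.append("install " + PATCH_ID)
    # A symptom does not prove infection (comment 117), but the removal tool is run anyway.
    if row["symptom"].strip():
        actions.append("run removal tool")
    if int(row["trend_pattern"] or 0) < MIN_TREND_PATTERN:
        actions.append("update virus definitions")
    return actions or ["compliant"]

def audit(text):
    """Map host -> list of actions for every row of the CSV export."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, actions in audit(INVENTORY).items():
        print(f"{host:8} {', '.join(actions)}")
```
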

  119. I live in MD by Ogre332 · · Score: 2, Funny

    The MVA doesn't need a virus to slow it down. It crawls just fine on its own.

    --
    Shut up brain or I'll stab you with a Q-Tip. - Homer Simpson