Slashdot Mirror


Sasser Worm Disruption Growing

thebra writes "Yet another virus is causing problems with Internet Explorer. "Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet." A removal tool can be found here."

59 of 999 comments

  1. Late... by tirenours · · Score: 2, Informative

    Even the news on the tv talked about it before /.

    1. re: Late... by c0defiant · · Score: 3, Informative

      Nope, this one was on /. first

  2. Internet Explorer? by Anonymous Coward · · Score: 5, Informative

    Sasser doesn't affect IE.

  3. Re:Another removal tool by BlackHawk-666 · · Score: 3, Informative

    Oh stupid me for typing the wrong slashes...try here instead. Oh well, a dose of humiliation before your peers is good for the humility gland.

    --
    All those moments will be lost in time, like tears in rain.
  4. Removal tool by Mindtoy · · Score: 5, Informative

    Another removal tool made by Network ASSociates can be found at: http://vil.nai.com/vil/stinger/ I've used it on a number of machines with no problem. It only scans files (no registry). It fits on a floppy and it's free. It'll even run on machines that already have virus protection, good if someone hasn't updated their definitions and can't get on the internet. It's updated anytime a new baddy comes out, but you have to redownload the EXE file since it doesn't check for updates.

  5. Decent firewall, regular updates & common sens by Dark+Lord+Seth · · Score: 3, Informative

    These are the three secret ingredients to a relatively secure system. Read them. Learn them. Understand them.

  6. Don't blame Internet Explorer this time by joeykiller · · Score: 5, Informative

    The original poster is not correct when claiming Internet Explorer has a problem. This time it's a hole in the so called "Local Security Authority Subsystem Service" that's causing problems.

    See this and this for more details.

    1. Re:Don't blame Internet Explorer this time by jjares · · Score: 3, Informative

      Actually, LSASS is the security validation service that SMB uses to validate a user when he is trying to request a resource, and that validates your user in a network that doesn't use Kerberos... I think login on most Unixes runs as root too, so I don't see where Microsoft went wrong here.

  7. Not exactly a 0-day exploit by Zog+The+Undeniable · · Score: 4, Informative
    If you applied last month's critical patches OR you have a working firewall - even the basic XP one - you won't get it.

    Everyone with a Windows machine should sign up for MS's monthly security e-mail or religiously check Windows Update on the second Tuesday of each month. I won't go as far as recommending automatic updates, though.

    --
    When I am king, you will be first against the wall.
    1. Re:Not exactly a 0-day exploit by Proaxiom · · Score: 4, Informative
      An unfortunate factor of this worm is that the patch that fixes the exploited vulnerability, MS04-011, has been found to have stability problems and other issues in the field.

      This has caused many administrators to be hesitant to install it. Bugtraq had a discussion of the problems in April.

  8. Re:Windows only by Paulrothrock · · Score: 2, Informative

    Wrong again. Apache has the largest market share in HTTP servers, and it's not the most hacked.

    --
    I'm in the hole of the broadband donut.
  9. Re:I have a question by manavendra · · Score: 5, Informative

    You mean other than scanning random IP addresses on successive TCP ports starting at 1068 and making copies of itself?

    Well, it also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

    It further makes copies of itself in the %Windows% directory.

    Oh and finally, it causes LSASS.EXE to crash, and by default this causes your system to reboot. Repeatedly.

    --
    http://efil.blogspot.com/
  10. Re:Direct? by orbit0r · · Score: 5, Informative

    What could be more "directly from the Internet" than email?

    An exploit connecting directly to port 445 of a host and not requiring any user-intervention to become infected.

  11. Re:Could Sasser possibly affect Linux? by Aliencow · · Score: 5, Informative

    You would have to run the LSASS Service under Wine...and I don't know why you would want to do that !

  12. Re:Please wake up... by Compholio · · Score: 2, Informative

    Because when the Linux Rah-Rah Club provides a patch for a security vulnerability it usually doesn't provide a new three vulnerabilities for the one it fixed. Even if the LRRC did provide such a patch someone would see the problems immediately and provide another one to fix them.

  13. firewall to the rescue by steve.m · · Score: 4, Informative

    It looks like it exploits LSASS.EXE by scanning for a listening port 445. Good job I've got all incoming blocked by default.

    Roll on XP SP2 with the firewall on by default for everyone, then hopefully things like this will go away....

  14. Re:Direct? by gunnk · · Score: 5, Informative

    Email gets picked up by your email client. An email virus must then be run from the message either by opening the attachment or (for some Outlook versions) by having Outlook open it for you. Even just receiving a copy of an email virus requires that you run your email client.

    In the case of the Sasser worm, it is using an open port to crawl directly into your computer when you connect to the internet. There is no action required on the part of the user and no infected file to load. Windows simply accepts the connection and installs the worm.

    That's why worms are "more directly from the internet" than email-based viruses.

    --
    Life is short: void the warranty.
  15. Correct attribution by Anonymous Coward · · Score: 1, Informative

    I think it's important that we all recognize Microsoft's role in this and always refer to these worms as "Microsoft(R) Windows(TM) $(wormname)", in this case the worm is called the Microsoft(R) Windows(TM) Sasser Worm.

    This way people won't get confused as for which platforms are compatible. Thank you.

  16. Re:I have a question by nordicfrost · · Score: 4, Informative

    Well, for one, it bogs down your network to a mush of syrup. All that looking for other hosts to infect really takes up a lot of capacity on the network. And the Sasser.D version is up to 1024 threads per CPU, up from 128 in the Sasser.B version...
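    The behaviour described in comments 9 and 16 (one host opening connections to 445/TCP on many targets in a short time, with many scanning threads) is what a perimeter or host firewall log shows first. The following is an added example, not code from this thread or from any vendor tool: it reads firewall log lines in a constructed format (epoch time, source IP, source port, destination IP, destination port, action) and reports any source that reached at least `min_targets` distinct hosts on port 445 inside a sliding `window` of seconds. The log format, the thresholds and the sample log itself are assumptions made for the example.

```python
from collections import Counter, defaultdict, deque


def build_sample_log():
    """Constructed firewall log for the example (not real traffic).

    Fields: epoch_time src_ip src_port dst_ip dst_port action
    10.1.2.7 sweeps 30 random-looking hosts on 445/TCP within 30 seconds,
    using successive source ports from 1068 as the thread describes;
    10.1.2.20 is a normal client talking to one file server.
    """
    lines = []
    base = 1083650000
    for i in range(30):
        lines.append(f"{base + i} 10.1.2.7 {1068 + i} 10.9.{i // 256}.{i % 256 + 1} 445 DROP")
    for i in range(5):
        lines.append(f"{base + 10 * i} 10.1.2.20 {3000 + i} 10.1.2.5 445 ACCEPT")
    lines.append(f"{base} 10.1.2.20 3010 10.1.2.5 80 ACCEPT")  # not SMB, ignored
    return lines


def parse_line(line):
    """Split one log line into typed fields; returns None for blank/odd lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    t, src, sport, dst, dport, action = parts
    return int(t), src, int(sport), dst, int(dport), action


def find_scanners(lines, port=445, window=60, min_targets=20):
    """Return {src_ip: peak_distinct_targets} for sources that contacted at
    least `min_targets` distinct hosts on `port` within any `window`-second span.

    ACCEPTed and DROPped attempts both count: the worm does not care whether
    the SYN is answered, and the sweep itself is the indicator.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, _sport, dst, dport, _action = rec
        if dport == port:
            events[src].append((t, dst))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()      # events inside the current time window
        per_dst = Counter()   # how many of them hit each destination
        peak = 0
        for t, dst in evs:
            recent.append((t, dst))
            per_dst[dst] += 1
            while t - recent[0][0] > window:   # expire events older than the window
                _old_t, old_dst = recent.popleft()
                per_dst[old_dst] -= 1
                if per_dst[old_dst] == 0:
                    del per_dst[old_dst]
            peak = max(peak, len(per_dst))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


if __name__ == "__main__":
    for src, n in find_scanners(build_sample_log()).items():
        print(f"{src}: {n} distinct hosts on 445/TCP inside the window; isolate it")
```

    The distinct-target count is what separates a worm from a legitimate client: a file-server user hits one or two hosts on 445 all day, while an infected laptop hits dozens per minute. Tune `min_targets` and `window` to the size of the subnet and feed the function the real log's fields in the same order.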

  17. "sasser" in northern Europe by akaiONE · · Score: 2, Informative
    The Sasser-worm had its fair amount of success yesterday as it crashed the networks of insurance-giant 'If' and their competitor in Norway, 'Vesta'. Both companies blame corporate users with laptops for the glitches in the security system and media all over Norway reported the whole thing as "unavoidable".

    I have been giving this some thought, and quite frankly, even laptops can be locked down so that users are patched against this kind of attack. The IT departments of the companies mentioned above must surely have been giving it some thought yesterday: why did we not apply that patch from MS?

    The answer for many sysadmins is to apply patches in batches on a regular basis, unless there is something *mission critical* on the radar. Of course such things as the patch available to stop the "sasser" worm may have slipped by the eyes of even experienced sysadmins, especially when it's not flagged with whistles and trumpets by Microsoft.

    Other sysadmins have chosen not to patch the vuln. due to its effect on VPN connectivity as mentioned in other posts. The big question here is why Microsoft released a patch that disabled VPN in such a way. I realise it may have been the lesser of two evils, but hey, at least they could have released the VPN-aware patch a little earlier than yesterday morning..

    Just my 0.02 Norwegian Kroner

    --

    "-Who said sit down?!"
    -- S. Ballmer @ MSDC 2003.

  18. Re:Windows only by Hrothgar+The+Great · · Score: 5, Informative

    People have short memories. There was an Apache worm about two years ago (in mod_ssl).

    Here is a link

    Of course, worms like that are few and far between, especially when compared to the number of Windows worms going about lately, but to claim a system is "worm free by nature"? I think that's more than a little premature.

  19. Our server's protected by AC-x · · Score: 3, Informative

    A few days ago I saw a message from our firewall asking if I wanted to allow Security Authority Subsystem to be contacted by a remote host.

    A simple click on the "No" button stopped this worm in its tracks.

    If more admins just installed firewalls and made sure all unnecessary services were blocked there'd be a lot less worm infections. (sure it won't protect people who need to use the Security Authority Subsystem, but I'm willing to bet a lot of the infected machines don't use it at all)

  20. Kill the AVSERVT.EXE process! by denis-The-menace · · Score: 2, Informative

    AVSERVT.EXE is the FTP server that Sasser uses.
    It will show up as a very hungry process (77%+ CPU)

    Kill it and then you'll be able to patch the box.

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    1. Re:Kill the AVSERVT.EXE process! by CPlusPlusOwnsYou · · Score: 2, Informative

      Of course it's located in the registry in the startup location and will be restarted every time you reboot.

      Check the startup registry path for "Avservt.exe":
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      --
      "Software is like sex: it's better when it's free."
  21. Problems are with windows, not IE by T.Hobbes · · Score: 5, Informative
    A few things:
    • It's a worm, not a virus
    • It attacks Windows, not IE (despite Microsoft's efforts, there is still a distinction)
    • For the user, the main damage is that the infected computer will shut down; I have no reference, but shutdown loops have been reported
    • For the admin, the main damage is the flood of traffic sent out by the worm in search of new hosts
    • The worm can use Win98/WinME boxes to propagate but cannot infect those same computers

    Google cache of McAfee's page on the worm
    One of symantec's pages

  22. BEWARE NT4 TS + Citrix admins!! by SlashDread · · Score: 4, Informative

    The patch from MS : http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    just BSOD'ed my Citrix server.

    YMMV

    "/Dread"

    1. Re:BEWARE NT4 TS + Citrix admins!! by Rick.C · · Score: 4, Informative
      There's a Terminal-Server-specific security rollup patch (SRP) that must be applied first. Check the MS MS04-011 page.

      I would hope that MS04-011 would check for the presence of the SRP, but who knows?

      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
  23. Correction by CPlusPlusOwnsYou · · Score: 2, Informative

    The problem isn't with internet explorer. It's with a program called lsass.exe or the "Local Security Authority System Service".

    It takes advantage of the open ports in Windows (as if Microsoft didn't learn from NetBIOS).

    In Windows 2000/XP/2003, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

    Check if port 445 is open on your system (you have to do a regedit hack to close it)

    http://www.petri.co.il/what_is_port_445_in_w2kxp.htm

    The above site has detailed information on how to use regedit.exe to disable port 445 in Win2k/XP.

    --
    "Software is like sex: it's better when it's free."
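    Comment 23 says to check whether 445 is open, and comments 13 and 19 make the same point from the firewall side. This is an added example, not code from this thread or from Microsoft's tooling, that does the check from another machine: it attempts a TCP connect() to the ports the worm reaches in over (135, 139, 445) and to the ports it opens once running (5554 and 9996, from comment 9). The port meanings are from the thread; the function names, the timeout and the injectable `probe` hook are assumptions made for the example. Only point it at hosts you are responsible for.

```python
import socket

# Ports the worm reaches *in* over. If any of these answer from the
# Internet side, the host is exposed even if it happens to be patched.
EXPOSED_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB over TCP"}
# Ports the worm opens *out* once it is running: an answer here is an
# indicator of infection, not merely of exposure.
INFECTION_PORTS = {5554: "Sasser FTP server", 9996: "Sasser remote shell"}


def tcp_open(host, port, timeout=1.0):
    """True if a full TCP handshake to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # refused, unreachable, or filtered (timeout)
        return False


def assess_host(host, timeout=1.0, probe=tcp_open):
    """Probe both port groups and return a small report dict.

    `probe` is injectable so the classification logic can be exercised
    offline with a fake probe (assumption made for the example).
    """
    exposed = {p: n for p, n in EXPOSED_PORTS.items() if probe(host, p, timeout)}
    indicators = {p: n for p, n in INFECTION_PORTS.items() if probe(host, p, timeout)}
    return {"host": host, "exposed": exposed, "infection_indicators": indicators}


def verdict(report):
    """One-line summary a helpdesk can act on."""
    if report["infection_indicators"]:
        return "likely infected: isolate, clean, then apply MS04-011"
    if 445 in report["exposed"] or 139 in report["exposed"]:
        return "exposed: block 135-139/445 at the firewall or patch now"
    return "not reachable on the relevant ports"


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        rep = assess_host(target)
        print(target, rep["exposed"], rep["infection_indicators"], "->", verdict(rep))
```

    A connect() that times out rather than being refused usually means a firewall is dropping the SYN, which is the state comments 13 and 19 are describing; the function reports that as closed, which is the answer you want from outside. Run it against the public address of the machine, not from the LAN, to learn what the worm can reach.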
  24. Re:Yeah..you're telling me... by Anonymous Coward · · Score: 1, Informative

    Maybe capital punishment for the IT support team that doesn't keep the PCs that they are responsible for patched would be more appropriate???

    The patch came out weeks ago... if you had applied it, you wouldn't be having problems.

    SUS server is free and actually works quite well.

  25. Had to share this... by Anonymous Coward · · Score: 1, Informative

    This image compares Microsoft and Apple's home pages recently. Note how Microsoft's webpage is dominated by security warnings, while Apple's is dominated by news about new features and products.

  26. Re:Microsoft's "fixes" by getling · · Score: 5, Informative

    Umm...why did you install MS04-014 instead of MS04-011? Maybe you got confused, like /. about what in the world this "poorly written" worm is attacking....

    --
    "Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
  27. Re:I have a question by interiot · · Score: 4, Informative

    Just a note regarding 0-day exploits: SysInternals (the people who brought you filemon, regmon, etc) write BGInfo, a low-CPU no-memory way of displaying important system properties. If you do have it installed, you can tell it to display the timestamp of the file C:\Program Files\WindowsUpdate\V4\iuhist.xml, which should be the last time WindowsUpdate was run, helping remind you to run it frequently.

  28. Actually related to Internet Explorer? by Junks+Jerzey · · Score: 2, Informative

    Yet another virus is causing problems with Internet Explorer

    Does it have anything to do with Internet Explorer? Neither of the links provided mentioned anything at all about IE.

  29. Backdoor Dangers by gregarican · · Score: 2, Informative

    To me the more dubious part of the Sasser worm is that it can lead to other backdoor processes being planted on a host PC. That's why some sources are stating that just running a removal tool and then patching is enough. The backdoor processes would still be present on the host PC. That means the best removal tool would be the old format command. Ouch.

    Starting with Code Red and Slammer I would just bash Microsoft without regard to any other factors. But now I am seeing things a bit more objectively. After all, these recent exploits weren't created until after the security bulletins and patches were released to the public. And there was about a full two weeks for the public to patch their systems.

    If Linux had as broad of a home user base I'm sure some published vulnerabilities and patches would result in much the same. Joe Six Pack, whether using Windows or Linux, would be slow to patch their systems. And that would lead to some rather uninventive script kiddies writing easy exploits working off of published POC examples.

  30. Re:I have a question by Ashtead · · Score: 2, Informative

    No joke, this company is for real. And yes, I do not think they chose that good of a name either. But this is the result of the fusion of several insurance companies, including some with names like "Storebrand" and "Norges Brannkasse", names which reveal the focus on fire insurance (Brann == fire) in a country where most houses are made of wood.

    --
    SIGBUS @ NO-07.308
  31. Re:What ARE Win98SE users supposed to do? by gregarican · · Score: 4, Informative

    Just like the ASN.1 vulnerability that is patched through one of the recent Microsoft patches. Supposedly Win98/ME PC's aren't affected by the issue. But looking at my company's Win98 PC's I saw the msasn1.dll file present. And researching things a little bit I saw that the standard implementation of the ASN.1 command parser is affected on any and all platforms. From a Nortel H.323 gateway to a Cisco router to a Windows 2003 Server to a Windows 98 PC.

    This was months ago that I read this. I called into the Microsoft PCSAFETY toll free number and a tech indeed acknowledged that Windows 98 and ME PC's were vulnerable. And they e-mailed me a link to download the patch (not one of the hoax e-mails either, so no jokes!!). Since then I deployed it to all of my Windows 98 PC's and know that they are at the same standard as the Windows 2000 and XP machines.

    What kind of company releases patches and leaves out some client versions that are still safe from the EOL cycle? That's what Microsoft did with the ASN.1 patch.

    And what kind of company releases patches that obviously weren't tested on clients that were running USB storage, DLT storage, and IPSec agents? Look at the KB835732 patch. It broke all of these driver loads, leaving patched PC's running at 99% CPU utilization after rebooting.

    Nice, really nice. Risk stability and compatibility issues versus being exposed to an Internet-borne worm. I'm not blaming Microsoft for having vulnerabilities. All OS'es do to one degree or another. But I am blaming them for leaving our client versions and not thoroughly testing code they should've been working on for 5 months.

  32. Old MainFrame Days.. by nurb432 · · Score: 2, Informative

    I used to work at a remote IBM shop years ago, you could tell the mainframe was down when you walked in the office and saw the people roaming the halls..

    It was 4 states away, nothing we could do about it, but have chair races and hit the vending machines...

    --
    ---- Booth was a patriot ----
  33. The patch kb835732 breaks oracle by Maliq · · Score: 3, Informative
    Here is the kicker, if you're running Oracle 8i to 9 when you run the patch it stops Oracle from starting. And the worm that is running around automatically fixing the problem, it doesn't check if you're running Oracle, could someone update that good bug to check??

    this is going to be a long day.

    1. Re:The patch kb835732 breaks oracle by djmurdoch · · Score: 2, Informative

      That patch also broke R (the open source stats package). We tracked it down to the fact that after installing the patch, the HOMEPATH environment variable is no longer set properly.

      Details here.

      By the way, we had a patch out to work around this bug within a couple of days. Open source is good.

  34. Re:Sassier *is* a virus by American+AC+in+Paris · · Score: 5, Informative
    It seems that we've been living in the land of email worms for so long that most people don't know how to deal with a real virus. Yeah, that's what they do... they spread without your help. Geez!

    No, that's inaccurate.

    Worms can spread to other machines on their own. Viruses require some external intervention (such as file sharing or e-mail) to spread to other machines. See this entry in the Jargon File for a more verbose answer.

    Now, many of the latest e-mail "worms" would be better classified as viruses or trojan horses, as they are incapable of infecting other hosts without direct user intervention (i.e., opening an attachment.) They've been (IMHO) mis-labeled as worms because they display worm-like behavior once they've infected a machine--that is, they mail copies of themselves as trojan-style attachments to other users.

    So yes, the Sasser worm is a bona-fide worm. It transmits itself to other systems without any external help.

    --

    Obliteracy: Words with explosions

  35. Auto updates and quick patches by truthsearch · · Score: 5, Informative

    Autoupdates and immediate patching aren't options for large corporate networks. Patches often break existing applications. Even after extensive testing some patches have caused more problems than they fixed. Windows Update sends enough information back to Microsoft for them to determine what's installed on our private network, so we block it from running.

    It takes weeks to test a patch and push it out. Servers often can't be rebooted until weekends. Then there are users with special situations that require manual installs. It takes time to do hundreds of installs manually. It also takes time to get the patch onto the standard corporate "build" of Windows, so for a while new computers need the patch pushed out after logging into the network the first time, leaving a gaping hole for this virus to spread.

    1. Re:Auto updates and quick patches by crotherm · · Score: 2, Informative

      Is The Boeing Company large enough for you? The admins have been running around patching like fools the past few days either by hand, or an SMS push.

      Ever since the company got owned by the Slammer virus, they have been very proactive in mandating patches.

      Of course as soon a patch breaks something..... :)

      --
      "Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
    2. Re:Auto updates and quick patches by mpe · · Score: 2, Informative


      Bah...like Linux or OS X or BSD or Solaris are any better. Nobody really has desktop patches down all that well, the users make the machines too personalized.

      What you are missing is that with unix type systems there are clear distinctions between what is "Operating System" and what is "Application" (as well as "user" and "sys-admin"). Whereas with Windows things are quite deliberatly intertwined.

      Plus, any OS that has 95% of the desktop market is going to attract worm/virus writers, and I don't care how open or closed source the code is. If things were reversed and Linux had hundreds of millions of installs it'd be hacked to pieces.

      This explains why IIS is more commonly attacked than Apache, even though IIS is a minority webserver. Possibly even more important than numbers is how "attackable" a platform is and how "malware friendly" it is.

      Even now I get all kinds of patches on my RedHat and SuSE boxes, it's no different than Windows.

      It's a lot different from Windows. The typical Linux distribution contains a huge amount of software, which in many cases includes several alternatives for the same function. As well as many pieces of software which will only be installed on a few machines. Designing a worm which will "work" is several orders of magnitude easier with the homogeneous Windows population than the heterogeneous Linux population. Even the "Redhat", "SuSE", "Debian", "Gentoo", etc populations are likely to be far more diverse than the Windows population.

      It's easy to maintain and patch 10K servers of any kind because you have control over everything. But any kind of desktop support is going to suck major a$$, regardless of the OS.

      It matters a lot if you are dealing with a "workstation" class of operating system or a "personal computer" class of operating system. Just because Microsoft have tacked "workstation" onto the name of their product does not mean that it is a workstation OS. Single user, personal computer design assumptions are still there in Windows and a lot of Windows software. e.g. that which requires the user to have administrator privs to even run...

  36. Re:M$ - First Post? by BlackHawk-666 · · Score: 2, Informative
    We will start to see the same sorts of problems I suspect, but the damage will be more limited, most likely only to the user(s) who fell for the hack if it's a social engineering attack. To help mitigate the problem we need distros to be careful in how they provide the default setup. i.e. use Mozilla instead of IE, built in firewall on each machine using IPTABLES but with a nice interface like Zonealarm or similar. Then, as long as the mail client (I like KMail, but most are pretty damn good) is *not* script enabled it will be down to good old buffer overflows to work their magic. Oh yeah, not installing services unless requested would also be smart, and then perhaps using IPTABLES or hosts.allow to keep the consumers of the services just down to the local private subnet should do the trick for most stuff.

    Finally, make sure they use apt-get or similar to automatically update their machine. This could be configured at install or afterwards as the user grows to know their machine. A default install might be to download all security patches and install with only a confirmation from the end user. A power install would just get the patches, but not install until instructed.

    --
    All those moments will be lost in time, like tears in rain.
  37. Re:Remote Desktop vs. VNC? by gregarican · · Score: 2, Informative

    Remote Desktop Connection encrypts the data transmission. Similar to using MPPE/PPTP for a VPN connection to a Windows host. VNC by itself doesn't encrypt data transmission. You can tunnel VNC through an SSH connection to do this, however. But straight out of the box I would say RDC is your more secure alternative.

  38. Re:Windows only by Tin+Foil+Hat · · Score: 4, Informative

    PS: Tried fooling the script at windows update site by changing browser identification, but this only prevented the thank you message, didn't allow downloading the patch

    That's because windows update installs via an ActiveX object. Only IE can run that. You probably downloaded the ActiveX object, but since it can't run without IE, it didn't download the update. If you need to download the update separately, check out the administrator section of windows update. MS provides all updates as a separate download that you can burn to a disk and install that way.

    --
    No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey
  39. Re:Yeah..you're telling me... by Smidge204 · · Score: 4, Informative

    No, but if the cops can't run a plate or license number check during a routine traffic stop, you won't know if there's a warrant out on the guy for a series of violent crimes.

    Just an example. The ability for the police to do their job in any capacity relies on the ability to get and share information. It's pretty rare that the cop actually witnesses the mugging, but a witness description, cross referenced with other reports from the head office, might lead to the ID of a suspect.
    =Smidge=

  40. Reverse FUD by E-Rock · · Score: 3, Informative

    It's bullshit and you know it. One of the April 13th patches funged IE, and within a week there was a follow-up patch, that still leaves you two more weeks to patch.

    What else did it break? Nothing?

  41. Horray for Roadrunner. by llzackll · · Score: 2, Informative

    Ever since last year, Roadrunner has been blocking inbound ports 135, 136, 137, 138, 139, 445, 520, 593, and 1026 in most areas. They learned their lesson from the Blaster worm. Why other ISP's haven't done the same thing amazes me. Unlike most of you, who deal with corporate networks, I have to deal with the public on this. I must have removed this worm from at least 40 PC's yesterday. Most of them users of Verizon DSL, or MSN. None of them who had Roadrunner were infected.

  42. Re:Destructive Virus? by praxis · · Score: 2, Informative

    The patch has been available for a month, and the built-in firewall prevents it too. Two layers of defense. Did they not do their due diligence? And don't give me the "there shouldn't be bugs in the first place" because as anyone who writes code knows, there are always bugs.

  43. Re:evolution? by Flyboy+Connor · · Score: 3, Informative
    Funny, I give such a university course too.

    Anyway, by DEFINITION a genetic algorithm uses a population, and also by DEFINITION it uses sexual reproduction (see Thomas Bäck's excellent book comparing several evolutionary techniques, "Evolutionary Algorithms in Theory and Practice", 1996).

    If you use pure mutation on a single solution, the term to use would be "Evolution Strategy".

    If you want to exclude sexual reproduction, or use any evolutionary technique without bothering about definitions, use the term "evolutionary algorithm", which is an umbrella-name covering all evolutionary techniques.

    I know that people are often a bit loose about what terms to use, but since this is one of my particular subjects of research, I am a bit anal about it.

    Finally, AFAIK, there are already viruses and worms that mutate themselves. I don't have any definite examples, though.

  44. Patch 835732 also breaks Perl Authen::NTLM module by aspeer · · Score: 2, Informative
    Have a Perl program that uses NTLM to authenticate to an IIS server and download pages ? Prepare for it to break when the IIS server has the above mentioned patch installed, if your app used the CPAN Authen::NTLM module.

    See Google thread here for further info, and possible fix.

    My biggest hassle is not distributing the patches, it is the fact that they do not become effective until the machine is rebooted. Some people leave their machines on for weeks at a time without rebooting, and until they do so their machine is vulnerable.

    Try to force a reboot, then sit back and listen to the whining about "lost an all night experiment" or similar. I am a somewhat a BOFH and would like not to give users a choice, but management wants a softly, softly approach.

    So Microsoft, to try and keep both of us happy how about getting patches to at least hook (intercept) the vulnerable system call at install time, acting as a shim to filter out exploits, even if it means slowing the machine down slightly. Then at next reboot time install and activate the fully patched replacement DLL.

  45. Two huge gaping problems by Aslan72 · · Score: 5, Informative
    Sasser.d attacked our University last night and we noticed two particular things.

    1) Several groups were relying on SUS in order to get those patches distributed. If you go into SUS, the patches were 'approved' on one screen, not on the other. I wasn't alone in seeing this. Suffice to say, I was also a bit shocked when it started to blow through and none of my machines were protected.

    2) When it installs (sasser.d) it writes itself to 'System Volume Information' - allowing it to not get caught by NAI's on demand scanner, and re-infect the box if you don't do a C drive scan manually.

    --pete

  46. Because virus writers are not subtle enough... by alispguru · · Score: 3, Informative
    A "really bad" worm would:

    spread fast for the first few hours or days, until it saturated the vulnerable population, then cut way back on network traffic and hide.

    not crash machines or trash all their files - instead, it would slowly and subtly modify user data files (see here for a few suggestions).

    Imagine what would happen to modern business if they discovered that they couldn't trust any document that had ever touched a Windows machine... the world's economy would grind to a halt. Not even Microsoft has enough money to pay damages for an event like that, though the combined law firms of the world would try to get it from them.

    --

    To a Lisp hacker, XML is S-expressions in drag.
  47. Re:Firewall for Win2k? by gregarican · · Score: 2, Informative

    Windows 2000 has firewall protection built-in. It's not enabled by default, which is a shame. But anyway, go into the Properties of the Local Area Network Connection. Then click on TCP/IP Properties. Then click on the Advanced button. There you will see under the Options tab a TCP/IP Filtering option. That is where you can open or close any TCP/UDP ports you want.

  48. Re:How Come These Things Are Not REALLY Bad by advocate_one · · Score: 2, Informative

    been done before... the "I LOVE YOU" one replaced *.jpg files with *.jpg.vbs copies of itself that became activated when the user tried to view the file. Our tech publishing house had a very close call when a manager's laptop was connected to the admin share... only those images (just clip-art) on the admin share got clobbered cos that manager didn't have write access to the graphics department's share.

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  49. Re:Don't worry.... by slashdot_commentator · · Score: 2, Informative

    Don't blame the user for an inadequate network design. Servers should be segregated from "users" on separate subnets with firewalls between them. You can poke some more holes into the internal firewalls to account for applications; it sure beats having nothing.

    --
    There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
  50. Re:Yeah..you're telling me... by Anonymous Coward · · Score: 2, Informative
    Some of us use Mac OS X.
    Better get QuickTime and iTunes patched then:

    Apple QuickTime (QuickTime.qts) Heap Overflow

    :o)
  51. Re:in our case? a broken network. by zcat_NZ · · Score: 2, Informative

    If you can't afford "any possibility of data corruption", then in my opinion you can't afford to have this computer on the internet at all. Patched or otherwise.

    If you really need to get data to and from the machine, stick it on a LAN with no direct connection to the real world. Or use rewritable CD's, whatever..

    Any "Regulatory Compliance" that would let you leave an unpatched Windows machine on the internet is insane.

    --
    455fe10422ca29c4933f95052b792ab2