[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Q328691 ?



I wonder if the Certificate Chain Validation bug (Q328145) is being taken advantage of by a MITM to deliver malicious code to these boxes through Windows Update.

You should also disable SMB entirely if it isn't being used.

HKLM\System\Controlset001\Services\NetBT\Parameters\

SMBDeviceEnabled 
Key: Netbt\Parameters 
Value Type: REG_DWORD—Boolean 
Valid Range: 0, 1 (false, true) 
Default: 1 (true) 

Description: Windows 2000 supports a new network transport known as the 
SMB Device, which is enabled by default. This parameter can be used to 
disable the SMB device for troubleshooting purposes.

Sincerely,

Jason Coombs
jasonc@xxxxxxxxxxx

-----Original Message-----
From: Bernt Lervik [mailto:Bernt.Lervik@xxxxxxxxxxxxxxx]
Sent: Sunday, September 08, 2002 12:19 PM
To: incidents@xxxxxxxxxxxxxxxxx
Subject: Re: Q328691 ?


When I first heard about this QB I read it and didn't think much about it until a friend of mine called me late this evening. Apparently while she had been playing Dark Ages of Camelot over the Internet her NAVCE RealTime protection had stopped a file that had become infected. Norton reported it as IRC Trojan and it was the Ocxdll.exe mentioned in the QB.

I had her reboot in safemode and do a full virus-scan and drove over to her house. This is what I found:

The machine:
A Norwegian Windows 2000 Profesional with SP2 and all the security patches as of two days ago through Windows Update (SP3 has not come out yet in Norwegian). IE 6.0 is not installed. It looked pretty much like a default installation with Roger Wilco running and at the time was being used to play Dark Ages of Cameloth. It also had RealPlayer and NAVCE running. Norton being updated daily. The machine got a cable modem connection to the Internet with no firewall. All default ports are open and admin account is neither renamed nor has a password (sigh).

Norton had also stopped another file and quarantined it along with Ocxdll.exe, however I deleted it before I remembered to make a copy of it first. (Please remember this is Sunday evening/night on a private home machine).

The QB mentions 5 files, of those I found these three:
Gg.bat
NT32.ini
Ocxdll.exe

I also found MDM.exe and Taskmngr.exe in the %SystemRoot%\System32 folder and both running.

Taskmngr.exe has the description of "Internet Relay Chat Client" and was listening on port 131 but had no connections open. The file info says its mIRC32.exe version 5.7 and is of 442kb size.

MDM.exe has the description of "Hides/Reveals application windows", realname being: hidewndw.exe version 1.43. Size 22kb

It being late and I got work tomorrow morning I simply forgot to look for these three files also mentioned by the QB:
Psexec
Ws_ftp
Flashfxp

Furthermore I also forgot to check for Run keys in the registry/startup folder, but the files mentioned above has now been deleted. This I will probably take a closer look at tomorrow. Most services are now stopped and disabled, netbios turned off, sharing turned off and so on so that the machine itself should not become as easily reinfected. The machine is scheduled to become reinstalled with WinXP in a few days time regardless so not much time was spent strapping it down. It's also turned off :)

The QB mentiones that the Guest account might be reenabled but this was not the case here.

Should anyone want a copy of the files please send me an mail.
- Bernt

 

 

--- Bronek Kozicki <brok@xxxxxxxxxx> wrote:
> There seems to be an increase of attacks on Windows
> recently:
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691 <http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691> 
>
> Any ideas?
>
>
> B.
>
>
>
>


 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com