Security Incidents
mailing list archives
RE: Q328691 ?
From: "Jason Coombs" <jasonc () science org>
Date: Mon, 9 Sep 2002 09:38:56 -1000
I wonder if the Certificate Chain Validation bug (Q328145) is being taken advantage of by a MITM to deliver malicious
code to these boxes through Windows Update.
You should also disable SMB entirely if it isn't being used.
HKLM\System\Controlset001\Services\NetBT\Parameters\
SMBDeviceEnabled
Key: Netbt\Parameters
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 1 (true)
Description: Windows 2000 supports a new network transport known as the
SMB Device, which is enabled by default. This parameter can be used to
disable the SMB device for troubleshooting purposes.
Sincerely,
Jason Coombs
jasonc () science org
-----Original Message-----
From: Bernt Lervik [mailto:Bernt.Lervik () softscenario no]
Sent: Sunday, September 08, 2002 12:19 PM
To: incidents () securityfocus com
Subject: Re: Q328691 ?
When I first heard about this QB I read it and didn't think much about it until a friend of mine called me late this
evening. Apparently while she had been playing Dark Ages of Camelot over the Internet her NAVCE RealTime protection had
stopped a file that had become infected. Norton reported it as IRC Trojan and it was the Ocxdll.exe mentioned in the QB.
I had her reboot in safemode and do a full virus-scan and drove over to her house. This is what I found:
The machine:
A Norwegian Windows 2000 Professional with SP2 and all the security patches as of two days ago through Windows Update
(SP3 has not come out yet in Norwegian). IE 6.0 is not installed. It looked pretty much like a default installation
with Roger Wilco running and at the time was being used to play Dark Ages of Camelot. It also had RealPlayer and NAVCE
running, Norton being updated daily. The machine has a cable modem connection to the Internet with no firewall. All
default ports are open and the admin account is neither renamed nor has a password (sigh).
Norton had also stopped another file and quarantined it along with Ocxdll.exe, however I deleted it before I remembered
to make a copy of it first. (Please remember this is Sunday evening/night on a private home machine).
The QB mentions 5 files, of those I found these three:
Gg.bat
NT32.ini
Ocxdll.exe
I also found MDM.exe and Taskmngr.exe in the %SystemRoot%\System32 folder and both running.
Taskmngr.exe has the description of "Internet Relay Chat Client" and was listening on port 131 but had no connections
open. The file info says it's mIRC32.exe version 5.7 and is of 442kb size.
MDM.exe has the description of "Hides/Reveals application windows", realname being: hidewndw.exe version 1.43. Size 22kb
It being late, and as I have work tomorrow morning, I simply forgot to look for these three files also mentioned by the QB:
Psexec
Ws_ftp
Flashfxp
Furthermore I also forgot to check for Run keys in the registry/startup folder, but the files mentioned above have now
been deleted. This I will probably take a closer look at tomorrow. Most services are now stopped and disabled, netbios
turned off, sharing turned off and so on so that the machine itself should not become as easily reinfected. The machine
is scheduled to become reinstalled with WinXP in a few days time regardless so not much time was spent strapping it
down. It's also turned off :)
The QB mentions that the Guest account might be reenabled but this was not the case here.
Should anyone want a copy of the files please send me a mail.
- Bernt
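A read-only triage script, added here as an example and not part of the thread, that reports the indicators Bernt describes (the named files in %SystemRoot%\System32, an IRC client listening on TCP 131, Run-key persistence) together with the SMBDeviceEnabled value Jason refers to. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and reads CurrentControlSet rather than the ControlSet001 path quoted above; the file names and port number are the ones given in the thread and the KB.

```powershell
# Added example (not from the thread): read-only triage for the indicators
# discussed above. Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection).
$System32     = Join-Path $env:SystemRoot 'System32'
$SuspectFiles = 'Gg.bat', 'NT32.ini', 'Ocxdll.exe', 'MDM.exe', 'Taskmngr.exe'  # from KB Q328691 / Bernt
$SuspectPort  = 131                                                            # mIRC listener Bernt saw
$RunKeys      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-SuspectFile {
    # Match is by name only; confirm with the file description / version info
    # (e.g. MDM.exe is also a legitimate Microsoft Machine Debug Manager name).
    foreach ($name in $SuspectFiles) {
        $path = Join-Path $System32 $name
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path
            [pscustomobject]@{ Check = 'File'; Where = $path
                Detail = "$($f.Length) bytes; desc='$($f.VersionInfo.FileDescription)'" }
        }
    }
}

function Get-SuspectListener {
    Get-NetTCPConnection -State Listen -LocalPort $SuspectPort -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Check = 'Listener'; Where = "TCP $($_.LocalPort)"
                Detail = "pid $($_.OwningProcess) $($p.ProcessName) $($p.Path)" }
        }
}

function Get-RunKeyEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            [pscustomobject]@{ Check = 'RunKey'; Where = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

function Get-SmbDeviceState {
    # Value documented in Jason's message; absent means the default (enabled) applies.
    $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' `
            -Name SMBDeviceEnabled -ErrorAction SilentlyContinue
    $state = if ($null -eq $v) { 'absent (default: enabled)' }
             elseif ($v.SMBDeviceEnabled -eq 0) { 'disabled' } else { 'enabled' }
    [pscustomobject]@{ Check = 'SMBDevice'; Where = 'NetBT\Parameters\SMBDeviceEnabled'; Detail = $state }
}

@(Get-SuspectFile) + @(Get-SuspectListener) + @(Get-RunKeyEntry) + @(Get-SmbDeviceState) |
    Format-Table -AutoSize
```

The script changes nothing; a hit on any row is a prompt to preserve the file or process for analysis before cleaning, the step Bernt notes he skipped.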
--- Bronek Kozicki <brok () rubikon pl> wrote:
There seems to be an increase of attacks on Windows
recently:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
Any ideas?
B.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com