Interesting Virus/Trojan From Clean Install


Ari Silverstein

I was screwing around with an old laptop and decided to install W2K on a
clean drive. I did and the first and only thing that I tried to do was to
setup a dialup to my ISP. This went fine.

Until.......

after I made the connection I received a pop-up window telling me to go
to...

www.patchupdate.xxxx with the xxxx = info and that I needed to download a
registry cleaner and some other bullshit. This popup changed into French
and several other English spamads.

I went to Google and found nothing except people who had no answers and had
this happen to them before.

http://tinyurl.com/mo54l

I also checked my original copy of W2K, nothing shows up.

Anyone run across this before? The ISP is one of the five largest, I doubt
they threw it on me. lol
 
Sounds like you need to disable the Windows messaging service:
http://www.itc.virginia.edu/desktop/docs/messagepopup/

FYI - this is not related to Windows Messenger/MSN Messenger. You will
still be able to IM with no problem.

http://tinyurl.com/mo54l

To Quote: "You should never be getting those types of messages through
Windows Messenger. You could turn off Messenger, but that's like closing
your eyes just before the car crash. You really need to get a fire wall up
and running properly before things get more haywire than they are already."
 
http://tinyurl.com/mo54l

To Quote: "You should never be getting those types of messages through
Windows Messenger. You could turn off Messenger, but that's like closing
your eyes just before the car crash. You really need to get a fire wall up
and running properly before things get more haywire than they are already."

First of all, there are 23 hits in that tinyurl. Which one exactly are you
quoting? Context is everything.
Did you do as jedisb suggested? Did you visit the web page in his response?
That particular form of spamming was around quite a while ago, I'm surprised
it is still being used.
You are not shutting down MSN Messenger or Windows Messenger. You want to
shut down the messenger service as suggested here
<http://groups.google.com/group/micr...atchupdate.info&rnum=1&hl=en#f38e0b8c07f761db>
and in jeisb's response.
 
I was screwing around with an old laptop and decided to
install W2K on a clean drive. I did and the first and only
thing that I tried to do was to setup a dialup to my ISP.
This went fine.

Until.......

after I made the connection I received a pop-up window
telling me to go to...

www.patchupdate.xxxx with the xxxx = info and that I needed
to download a registry cleaner and some other bullshit.
This popup changed into French and several other English
spamads.

I went to Google and found nothing except people who had no
answers and had this happen to them before.

http://tinyurl.com/mo54l

I also checked my original copy of W2K, nothing shows up.

Anyone run across this before? The ISP is one of the five
largest, I doubt they threw it on me. lol

Disable Messenger Service - it's being misused by spammers.
That's *Messenger Service*

J
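As an added example that is not part of the thread: the cmd.exe steps that carry out the advice above on Windows 2000/XP, checking for the Messenger service, stopping it, disabling it at boot, and verifying the result. It assumes an administrator command prompt and that sc.exe is available (built into XP; part of the Windows 2000 Resource Kit).

```batch
@echo off
REM Added example, not from the thread. Disables the "Messenger" service that
REM carries the NetSend-style popup spam. This is the NT service, not the
REM Windows/MSN Messenger IM client, which is unaffected.

REM 1. Check that the service exists on this system.
sc query Messenger | find "STATE"
if errorlevel 1 (
    echo Messenger service not found; nothing to do.
    goto :eof
)

REM 2. Stop it if it is currently running.
net stop Messenger

REM 3. Prevent it from starting again at boot (the space after start= is required).
sc config Messenger start= disabled

REM 4. Verify: START_TYPE should read DISABLED and STATE should read STOPPED.
sc qc Messenger | find "START_TYPE"
sc query Messenger | find "STATE"
```

A packet filter in front of the machine is still needed; disabling the service only removes the popups, not the exposure of the other listening services the thread goes on to discuss.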
 
I was screwing around with an old laptop and decided to install W2K on a
clean drive. I did and the first and only thing that I tried to do was to
setup a dialup to my ISP. This went fine.

Until.......

A fresh windows install will be compromised before you can patch it if
you put it directly on the net.

/steve
 
A fresh windows install will be compromised before you can patch it if
you put it directly on the net.

May be, not will be. I've done many clean installations, downloaded
service packs to them and they stayed clean.
 
Al Klein said:
May be, not will be. I've done many clean installations, downloaded
service packs to them and they stayed clean.

You must have gone directly to the update site before anywhere else?
 
May be, not will be. I've done many clean installations, downloaded
service packs to them and they stayed clean.

The honeynet project has determined that the average time to compromise
for an unpatched windows machine directly on the net is under a minute.

/steve
 
Al Klein wrote:
May be, not will be.

What about "will _probably_ be", then?
I've done many clean installations, downloaded
service packs to them and they stayed clean.

There are several possible reasons why this might work. Maybe you're
behind NAT. I know some ISPs are blocking traffic known to carry certain
worms, maybe you have one of those. And then there is something called
blind luck. But generally I would advise against exposing any unpatched
and unprotected computer to the internet.

BTW, how do you know that a computer is clean? Because it does not crash
and/or display popups?
 
A fresh windows install will be compromised before you can patch it if
you put it directly on the net.

/steve

It sure was but in the first dial-up connect between the laptop and the
ISP's website? Is this a MITM attack?
 
How else would you do it? Going to some unsafe site is rather stupid
anyway.

Never went to the site that popped up. Went to ISP home page then to MSoft
looking for W2K SP4 upgrade package.
 
Al Klein wrote:

What about "will _probably_ be", then?

There are several possible reasons why this might work. Maybe you're
behind NAT. I know some ISPs are blocking traffic known to carry certain
worms, maybe you have one of those. And then there is something called
blind luck. But generally I would advise against exposing any unpatched
and unprotected computer to the internet.

BTW, how do you know that a computer is clean? Because it does not crash
and/or display popups?

In my case, I used Wipeout after a format. Know for sure, naw, anything is
possible.
 
Ari Silverstein wrote:
It sure was

Well, I would not call receiving a Messenger spam message being
"compromised". Annoying, yes, but Messenger spam is relatively harmless.

You _could_ still be compromised, though. There are far worse holes in a
default XP installation than an active Messenger service.
but in the first dial-up connect between the laptop and the
ISP's website?

Yes. Worms bombard random IP addresses all the time. If you are not
protected, it is only a matter of time before you catch a stray bullet.
And that's rarely enough time to do a full patchup at WindowsUpdate.
Is this a MITM attack?

No. A default Windows XP installation sans SPs and patches has several
running services expecting and accepting network connections. Some of
these services have displayed serious security vulnerabilities.
 
You must have gone directly to the update site before anywhere else?

No, I usually have a fairly recent SP2 on CD, so I don't have to
connect to install that. Sometimes I just need or want something on
the net before I put in the service pack. It's not like there are a
dozen web sites constantly looking to see if my IP has suddenly become
active so they can try to infect my computer. And it's not like I
don't have a virtually unbreachable hardware firewall between me and
the world. Or that I can't rebuild a computer in a short time if,
somehow, it does become hopelessly infected. (I'd like to see the
virus that can infect the floppy that's in the desk drawer, or the PE
CD I can always boot with to clean the drive. Not this part of the
century, at least.)

I figure the cost/benefit ratio. If it's going to cost me 100 hours
to make sure that I don't waste 15 minutes, I'll take the chance.
3000% insurance premiums aren't worth anything. Neither is paranoia
that keeps me from accomplishing anything.

It's a computer, not a person. All my important data is backed up off
line. Always. The hard drive *IS* going to fail at some point. So
whether it's a spindle read or a virus, I have to be prepared to redo
or replace the computer and write the loss off. I'm not spending 20%
of my time downloading, installing, updating and nursing protection
programs. I haven't lost that much time due to viruses and Trojans
since the first one was written (and I've been programming computers
probably about that long).
 
The honeynet project has determined that the average time to compromise
for an unpatched windows machine directly on the net is under a minute.

Then I'd better spend all my money on lottery tickets. My desktop has
been connected since Saturday evening (when I rebuilt a few things due
to a hardware crash) with no protection at all - XP Pro CD
installation, with no SP. (I'm on it now via VNC.) Evidently their
figures leave just a wee little bit to be desired.
 
Then I'd better spend all my money on lottery tickets. My desktop has
been connected since Saturday evening (when I rebuilt a few things due
to a hardware crash) with no protection at all - XP Pro CD
installation, with no SP. (I'm on it now via VNC.) Evidently their
figures leave just a wee little bit to be desired.

The success of worms depends on exposed security leaks. If you don't
switch on Netbios or don't bind it to your internet connection, a
couple of attacks just will not hit you (for instance!), while others
get infected within minutes or seconds. The risk depends on overall
security settings. But surfing with a totally unpatched Windows
(whichever version) *is* hazardous and irresponsible. IMNSHO.

BeAr
 
Then I'd better spend all my money on lottery tickets. My desktop has
been connected since Saturday evening (when I rebuilt a few things due
to a hardware crash) with no protection at all - XP Pro CD
installation, with no SP. (I'm on it now via VNC.) Evidently their
figures leave just a wee little bit to be desired.
There is no way to put this delicately, you are an idiot. Ask _any_
security person or someone knowledgeable about security issues if you
should ever put an unpatched server directly on the net. My guess is
that either you are not directly on the net and are behind a NAT or firewall
or you've already been compromised and just don't know it.

/steve
 
It's not like there are a
dozen web sites constantly looking to see if my IP has suddenly become
active so they can try to infect my computer.

Actually, there are, there are thousands of infected machines scanning
networks looking for other machines to infect. This is why these hidden
machines that honeynet uses get compromised so quickly.
And it's not like I
don't have a virtually unbreachable hardware firewall between me and
the world.

Then your argument is moot, you are not directly on the net.

/steve
 