W2K Professional Install with original CD (pre-service packs)...a humbling experience.

John Roberts

I'm using Windows 98SE now and wanted to see if Windows 2000 Pro would
be a good upgrade for my home PC. Luckily, I have an older PC kicking
around that I like to test these ideas on before I screw anything up
with my bright ideas.

I booted from the original W2K Pro install CD and reformatted the
drive using the NTFS file system. The install proceeded normally save
for a CLASSES.ZI_ file that wouldn't copy over (skipped it without
subsequent problems).

After configuring my system to access the Internet, my first idea was
to visit Windows Update to get the latest Service Packs and HotFixes.
Before I could get very far though, I figure my PC was attacked by
various viruses until the CPU usage rose to 100% with the DSL modem
lights flashing like crazy. Suffice to say, SP4 didn't make it onto my
system. Tried the whole thing again with McAfee Firewall/VS installed
and started getting all kinds of firewall messages about tftp.exe
services.exe, svchost.exe trying to access the Internet. After a
while, I didn't know what to let through or not and couldn't access
the Internet. When I shut down the firewall, virus warnings started
popping ad nauseam.

MY QUESTION IS (as a naive Win98 user), is W2K that vulnerable? Can a
vulnerable W2K PC be detected that quickly and exploited within
minutes of accessing the Internet? Is the only solution to download
SP4 and all the hotfixes and apply them off-line before even thinking
of connecting to the Internet? I know you can make an updated
installation (with all the fixes applied) if you have Windows 2000
already, but I can't with my Windows 98.

Might have been a tampered install CD though (it was a copy), but I
scanned it up and down with McAfee (latest everything) and there was
nothing detected.
 
Gary H

| I'm using Windows 98SE now and wanted to see if Windows 2000 Pro would
| be a good upgrade for my home PC. Luckily, I have an older PC kicking
| around that I like to test these ideas on before I screw anything up
| with my bright ideas.
|
| I booted from the original W2K Pro install CD and reformatted the
| drive using the NTFS file system. The install proceeded normally save
| for a CLASSES.ZI_ file that wouldn't copy over (skipped it without
| subsequent problems).

A good reason to make a backup copy of the install CD. It will still
be bootable if copied using a CD copier (not file copy).

| After configuring my system to access the Internet,

Probably your DSL setup (could that be where the virus is getting
in?). With a router, no special setup is required (other than about 3
clicks, no software install).

| my first idea was
| to visit Windows Update to get the latest Service Packs and HotFixes.
| Before I could get very far though, I figure my PC was attacked by
| various viruses until the CPU usage rose to 100% with the DSL modem
| lights flashing like crazy.

I have cable internet, and the modem light is about as active when I'm
not using it as with heavy usage. Lots of connection attempts. They
all get blocked at my router.

| Suffice to say, SP4 didn't make it onto my
| system. Tried the whole thing again with McAfee Firewall/VS installed
| and started getting all kinds of firewall messages about tftp.exe,
| services.exe, svchost.exe trying to access the Internet. After a
| while, I didn't know what to let through or not and couldn't access
| the Internet.

That happens. When in doubt, deny access. If something then doesn't
work, turn it back on.

| When I shut down the firewall, virus warnings started
| popping ad nauseam.

Is it possible you forgot to block "file and printer sharing"? That
should NEVER be allowed on the internet.

| MY QUESTION IS (as a naive Win98 user), is W2K that vulnerable?

Yes, there are that many viruses around, but what would you be doing
to make your system that susceptible? I have installed W2K several
times recently, and always update before doing anything else (other
than installing the NIC driver if necessary). I haven't had any problems.

Anyway, you can't be infected by a virus unless you're doing something
(like reading email or running a server). Don't do anything like that
until you've got a firewall installed.

Consider adding a router to your network. It won't stop EVERYTHING,
but it does block incoming connections (and can be configured for
PPPoE, as most DSL systems require).

| Can a
| vulnerable W2K PC be detected that quickly and exploited within
| minutes of accessing the Internet?

I heard the average time it takes (with Windows) is about 4 minutes.

| Is the only solution to download
| SP4 and all the hotfixes and apply them off-line before even thinking
| of connecting to the Internet?

That would be a good idea. Also, you'll have it when MS decides not
to support 2000 any more.

| I know you can make an updated
| installation (with all the fixes applied) if you have Windows 2000
| already, but I can't with my Windows 98.
|
| Might have been a tampered install CD though (it was a copy

Being a copy would have nothing to do with it, unless there was a
copying error.

| ), but I
| scanned it up and down with McAfee (latest everything) and there was
| nothing detected.

MS probably already checked the master CD.

MS probably already checked the master CD.
 
Dave Patrick

The newer OSes, including Windows 2000, XP, 2003, are always the current
target for virus writers. To do a clean install, either boot the Windows
2000 install CD-ROM or setup disks. The set of four install disks can be
created from your Windows 2000 CD-ROM; change to the \bootdisk directory on
the CD-ROM and execute makeboot.exe (from DOS) or makebt32.exe (from 32-bit)
and follow the prompts.

When you get to the point, delete the existing NTFS and/or other partitions
found. After you delete the partition(s) abort the install, then again
restart the PC booting the CD-ROM or setup disks to avoid unexpected drive
letter assignments with your new install.

Be sure to apply these to your new install before connecting to any network.

http://download.microsoft.com/download/E/6/A/E6A04295-D2A8-40D0-A0C5-241BFECD095E/W2KSP4_EN.EXE
http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| I'm using Windows 98SE now and wanted to see if Windows 2000 Pro would
| be a good upgrade for my home PC. Luckily, I have an older PC kicking
| around that I like to test these ideas on before I screw anything up
| with my bright ideas.
|
| I booted from the original W2K Pro install CD and reformatted the
| drive using the NTFS file system. The install proceeded normally save
| for a CLASSES.ZI_ file that wouldn't copy over (skipped it without
| subsequent problems).
|
| After configuring my system to access the Internet, my first idea was
| to visit Windows Update to get the latest Service Packs and HotFixes.
| Before I could get very far though, I figure my PC was attacked by
| various viruses until the CPU usage rose to 100% with the DSL modem
| lights flashing like crazy. Suffice to say, SP4 didn't make it onto my
| system. Tried the whole thing again with McAfee Firewall/VS installed
| and started getting all kinds of firewall messages about tftp.exe
| services.exe, svchost.exe trying to access the Internet. After a
| while, I didn't know what to let through or not and couldn't access
| the Internet. When I shut down the firewall, virus warnings started
| popping ad nauseam.
|
| MY QUESTION IS (as a naive Win98 user), is W2K that vulnerable? Can a
| vulnerable W2K PC be detected that quickly and exploited within
| minutes of accessing the Internet? Is the only solution to download
| SP4 and all the hotfixes and apply them off-line before even thinking
| of connecting to the Internet? I know you can make an updated
| installation (with all the fixes applied) if you have Windows 2000
| already, but I can't with my Windows 98.
|
| Might have been a tampered install CD though (it was a copy), but I
| scanned it up and down with McAfee (latest everything) and there was
| nothing detected.
 
Leythos

box1220 said:
| MY QUESTION IS (as a naive Win98 user), is W2K that vulnerable? Can a
| vulnerable W2K PC be detected that quickly and exploited within
| minutes of accessing the Internet? Is the only solution to download
| SP4 and all the hotfixes and apply them off-line before even thinking
| of connecting to the Internet? I know you can make an updated
| installation (with all the fixes applied) if you have Windows 2000
| already, but I can't with my Windows 98.

If you are not sitting behind a NAT device you are always asking for
trouble - it doesn't really matter what OS you are using, unless you
lock it down BEFORE you connect to the Internet. None of these systems
(Win) are designed to be secure in their default install, even 98. If
you had taken the time to read up on MS's site about safely installing
Windows 2000 or XP you might have been able to get the Updates without
being compromised, but, since we show thousands of probes per day on our
networks from compromised machines, it's not likely that any default
install could get patched and updated before it's compromised - unless
you took the steps to secure it BEFORE you connected it to the net.

Get a DSL Router with NAT and you can be a lot safer and not have to
completely lock everything down - NAT is sort-of like a 1-way only
firewall (I can't believe I said that).
 
Gary H

| If you are not sitting behind a NAT device you are always asking for
| trouble - it doesn't really matter what OS you are using, unless you
| lock it down BEFORE you connect to the Internet. None of these systems
| (Win) are designed to be secure in their default install, even 98. If
| you had taken the time to read up on MS's site about safely installing
| Windows 2000 or XP you might have been able to get the Updates without
| being compromised, but, since we show thousands of probes per day on our
| networks from compromised machines, it's not likely that any default
| install could get patched and updated before it's compromised - unless
| you took the steps to secure it BEFORE you connected it to the net.
|
| Get a DSL Router with NAT and you can be a lot safer and not have to
| completely lock everything down - NAT is sort-of like a 1-way only
| firewall (I can't believe I said that).

--

Note that you should still have a software firewall before USING the
updated system, although NAT will protect you during the install. A
router isn't as expensive as it used to be.
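As an added illustration (not code from this thread or from any router vendor), here is a toy connection-tracking NAT in Python that shows the point made in the two replies above: the reply to a connection the PC opened gets back in, an unsolicited probe at the SMB port is dropped, and traffic that a program on the PC starts by itself passes straight out, which is why the host firewall is still needed. All addresses and ports are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


PUBLIC_IP = "203.0.113.7"   # constructed WAN address (documentation range)


class NatRouter:
    """Port-restricted NAT with a connection-tracking table: an inbound packet
    is forwarded to the LAN only if it answers a connection the LAN opened."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.in_map = {}    # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.dropped = []   # unsolicited inbound packets: the "probes" the thread talks about

    def outbound(self, pkt):
        """LAN -> Internet: create (or reuse) a mapping and rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: translate if a matching mapping exists, otherwise drop."""
        lan = self.in_map.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is None:
            self.dropped.append(pkt)
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan[0], lan[1])


def demo():
    """The three cases from the thread, with constructed addresses."""
    nat = NatRouter()
    pc = "192.168.1.10"        # the freshly installed W2K box on the LAN
    update = "198.51.100.20"   # constructed stand-in for a Windows Update server
    scanner = "192.0.2.99"     # constructed stand-in for a compromised host probing the net
    # 1. The PC fetches SP4 over HTTP: the server's reply matches the mapping and passes.
    out = nat.outbound(Packet("tcp", pc, 1025, update, 80))
    reply = nat.inbound(Packet("tcp", update, 80, nat.public_ip, out.src_port))
    # 2. An unsolicited connection to SMB (445) or NetBIOS (139): no mapping, so dropped.
    #    This is what keeps "file and printer sharing" off the Internet during the install.
    probe = nat.inbound(Packet("tcp", scanner, 3421, nat.public_ip, 445))
    # 3. A program on the PC opening its own outbound connection (the thread's tftp.exe
    #    and svchost.exe alerts were outbound attempts) is passed: NAT is one-way only.
    beacon = nat.outbound(Packet("udp", pc, 1030, scanner, 69))
    return reply, probe, beacon, len(nat.dropped)
```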
 
Billy

John Roberts said:
| I'm using Windows 98SE now and wanted to see if Windows 2000 Pro would
| be a good upgrade for my home PC. Luckily, I have an older PC kicking
| around that I like to test these ideas on before I screw anything up
| with my bright ideas.
|
| I booted from the original W2K Pro install CD and reformatted the
| drive using the NTFS file system. The install proceeded normally save
| for a CLASSES.ZI_ file that wouldn't copy over (skipped it without
| subsequent problems).
|
| After configuring my system to access the Internet, my first idea was
| to visit Windows Update to get the latest Service Packs and HotFixes.
| Before I could get very far though, I figure my PC was attacked by
| various viruses until the CPU usage rose to 100% with the DSL modem
| lights flashing like crazy. Suffice to say, SP4 didn't make it onto my
| system. Tried the whole thing again with McAfee Firewall/VS installed
| and started getting all kinds of firewall messages about tftp.exe,
| services.exe, svchost.exe trying to access the Internet. After a
| while, I didn't know what to let through or not and couldn't access
| the Internet. When I shut down the firewall, virus warnings started
| popping ad nauseam.
|
| MY QUESTION IS (as a naive Win98 user), is W2K that vulnerable? Can a
| vulnerable W2K PC be detected that quickly and exploited within
| minutes of accessing the Internet? Is the only solution to download
| SP4 and all the hotfixes and apply them off-line before even thinking
| of connecting to the Internet? I know you can make an updated
| installation (with all the fixes applied) if you have Windows 2000
| already, but I can't with my Windows 98.

Actually you can use Win98 to download the SP4 pack and create a
slipstreamed W2K install CD. Google for info.
 
Gary H

| Actually you can use Win98 to download the SP4 pack and create a
| slipstreamed W2K install CD. Google for info.

I downloaded SP4 too. This will be useful when MS gives up on
supporting 2000.
 
box1220

Thanks Dave, that was exactly the info I needed. I had tried to apply
just SP4 before going online, but within two minutes a gray window
popped up with an advertisement warning me that I was susceptible to
the 'buffer overrun exploit' and that I should visit 'updatepatch.info'
for the fix. This dubious-looking website charges $19.95 for the 'fix',
but my guess is that it's your credit card info they're after. It's a
scary world out there; how the average layperson keeps from getting
screwed is beyond me. Thanks to all those who replied.

Dave said:
| The newer OSes, including Windows 2000, XP, 2003, are always the current
| target for virus writers. To do a clean install, either boot the Windows
| 2000 install CD-ROM or setup disks. The set of four install disks can be
| created from your Windows 2000 CD-ROM; change to the \bootdisk directory on
| the CD-ROM and execute makeboot.exe (from DOS) or makebt32.exe (from 32-bit)
| and follow the prompts.
|
| When you get to the point, delete the existing NTFS and/or other partitions
| found. After you delete the partition(s) abort the install, then again
| restart the PC booting the CD-ROM or setup disks to avoid unexpected drive
| letter assignments with your new install.
|
| Be sure to apply these to your new install before connecting to any network.
|
| http://download.microsoft.com/download/E/6/A/E6A04295-D2A8-40D0-A0C5-241BFECD095E/W2KSP4_EN.EXE
| http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
| http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
|
| --
| Regards,
|
| Dave Patrick ....Please no email replies - reply in newsgroup.
| Microsoft Certified Professional
| Microsoft MVP [Windows]
| http://www.microsoft.com/protect

 
Dave Patrick

You're welcome.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

| Thanks Dave, that was exactly the info I needed. I had tried to apply
| just SP4 before going online, but within two minutes a gray window
| popped up with an advertisement warning me that I was susceptible to
| the 'buffer overrun exploit' and that I should visit 'updatepatch.info'
| for the fix. This dubious-looking website charges $19.95 for the 'fix',
| but my guess is that it's your credit card info they're after. It's a
| scary world out there; how the average layperson keeps from getting
| screwed is beyond me. Thanks to all those who replied.
 
Leythos

| Thanks Dave, that was exactly the info I needed. I had tried to apply
| just SP4 before going online, but within two minutes a gray window
| popped up with an advertisement warning me that I was susceptible to
| the 'buffer overrun exploit' and that I should visit 'updatepatch.info'
| for the fix. This dubious-looking website charges $19.95 for the 'fix',
| but my guess is that it's your credit card info they're after. It's a
| scary world out there; how the average layperson keeps from getting
| screwed is beyond me. Thanks to all those who replied.

If you were to have your computers behind a small NAT Router (like
Linksys BEFSR41) you would not have those problems. The router would
block unsolicited inbound traffic and let you setup/install/patch in a
safe environment.

There is also a CLEAR MS document on how to setup a machine BEFORE you
connect the network cable so that you can get service packs once you
connect the cable without getting compromised.
 
Guest

Normally I wouldn't necro a post like this, but I understand exactly what was
explained and I don't think many of you really understand how not secure this
really is. I could have told his story word for word. I got the first .NET
install up, then when I rebooted it was time for the critical patch to .NET
.... and I'm thinking, ok so I'm vulnerable during this time but what are the
odds? lol. Well, I got attacked and hacked and compromised at the "exact
second" the .NET download started. It only took a second 'cause I have the
log that documents the attempt and success entering my network and politely
asking to be a guest with system privileges, which my machine gladly obliged.
But it happened more than once, which made me think it was a normal Microsoft
log file running locally to register the .NET crap and patches. The
conversation (log file) went kinda like this:

Hi mr security, can I have a list of your users?
No, only valid club members can have that.
Can I just peruse the contents of your deepest secrets then?
No, only valid club members can have that.
What club is it?
WORKGROUP
Can I be a member of WORKGROUP?
Yes. You are now a member of WORKGROUP
Can I have a list of your members now?
Yes, let me get it for you.
Thank you, can I have the keys to the executive washroom?
No, you do not have the privileges.
ok, can I have the privileges?
Yes, here you go WORKGROUP member and king of the system.
Now, about that key...

Basically that's how it went. Anyway, I had a hardware firewall/router on a
cable connection and also thought it odd that I got attacked at the very
second I connected... every single time. And how the heck did it get past
the firewall and find me so fast? Well, it was an inside job. There was
something on my system inviting connections from the outside and was
broadcasting ARP to be sure they'd find the party. Also advertising with
WINS and NetBIOS (NetBIOS is a constant advertiser on any network by nature).
Then I noticed the gnarled weave of tunnelling back and forth through my
local ports and them finally escaping through several openings waving at the
incoming traffic to show them the way. Now I've relaxed a bit and think it's
normal activity to have all the available protocols enabled behind your back
on a brand new motherboard, case, video card, peripherals, NIC, and the only
old thing was this Windows 2000 Professional CD that never existed before the
release of SP4 or .NET rollout. Yes, LAN Manager is up and running along
with NetBIOS and OS/2 requestors? Seriously, was that necessary? And they
don't show up in "services" but they DO show up as modules running happily as
can be with the rest of the virtual devices and "hidden" hardware and 4 extra
NICs in the hardware devices that I could not believe existed all this time.
<takes deep breath>

Ok, that was therapeutic, thank you.
Anyway, I guess I either need to read up on the perma-changes made or visit
a web page on how to make them trendy aluminum foil hats, 'cause a lot of this
doesn't make sense but after many many installs on many machines with many
pieces of hardware and a suspected bug that can't be killed, I think I'm
ready to milk cows and give up technology altogether.

Yimmy Da Tulip
 
