!!Windows Is Infected!!

phil

I keep getting an error message that pops up in the
background that closes everything I am doing. Something
has gotten into Windows Messenger service, causing the
popup on me. Then it says there's a cure for it and asks me
to go to this site, http://www.windows-patch.info/, which I
believe is a fake Microsoft site. The patch links on the
site ask for money, so if anyone knows what this problem
is, can you e-mail me?

Windows®Patch.info

This Security Fix is compatible with the following
Microsoft® Windows® Systems:

Microsoft Windows XP
Microsoft Windows NT Workstation
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows Server 2003

Microsoft Security Bulletin MS03-043
Buffer Overrun in Messenger Service Could Allow Code
Execution (828035)
Issued: October 22, 2003
Version Number: 1.1

Summary
Who Should Read This Document: Customers using Microsoft®
Windows®

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Microsoft® Windows® should install a
patch immediately

Caveats: None

Tested Software and Patch Download Locations:

Affected Software:

Microsoft Windows NT Workstation - Download a fix to patch this issue
Microsoft Windows NT - Download a fix to patch this issue
Microsoft Windows 2000 - Download a fix to patch this issue
Microsoft Windows XP - Download a fix to patch this issue
Microsoft Windows Win98 - Download a fix to patch this issue
Microsoft Windows Server 2003 - Download a fix to patch this issue

Non Affected Software:

Microsoft Windows Millennium Edition

The software listed above has been tested to determine if
the versions are affected. Other versions are no longer
supported, and may or may not be affected.

Technical Description:

A security vulnerability exists in the Microsoft®
Messenger Service that could allow arbitrary code
execution on an affected system. The vulnerability
results because the Messenger Service does not properly
validate the length of a message before passing it to the
allocated buffer.

An attacker who successfully exploited this vulnerability
could be able to run code with Local System privileges on
an affected system, or could cause the Messenger Service
to fail. The attacker could then take any action on the
system, including installing programs, viewing, changing
or deleting data, or creating new accounts with full
privileges.

Mitigating factors:

Messages are delivered to the Messenger service via
NetBIOS or RPC. If users have blocked the NetBIOS ports
(ports 137-139) - and UDP broadcast packets using a
firewall, others will not be able to send messages to
them on those ports. Most firewalls, including Internet
Connection Firewall in Windows XP, block NetBIOS by
default.

Disabling the Messenger Service will prevent the
possibility of attack.

On Windows Server 2003 systems, the Messenger Service is
disabled by default.

Severity Rating:

Windows NT - Critical
Windows Server NT 4.0 Terminal Server Edition - Critical
Windows 2000 - Critical
Windows XP - Critical
Windows Server 2003 - Moderate



The above assessment is based on the types of systems
affected by the vulnerability, their typical deployment
patterns, and the effect that exploiting the
vulnerability would have on them.
 
Tony Talmage

I didn't read it all, but the write-up sounds legitimate. It's talking
about a vulnerability in your machine that's allowing the Messenger messages
to pop up. Turn on your ICF, possibly download a third-party firewall like
ZoneAlarm (free), and make sure you get all the critical/security updates
from Windows Update. This should hopefully eliminate these Messenger
adverts and security holes.

I would recommend doing this as quickly as possible, as with your machine
being open as it is, it would be very easy to become infected with MSBlaster
or one of its variants.

--
Tony Talmage
Web Developer
Graphic Education Corporation
URL: http://www.graphiced.com
Phone: (888) 354-6600


 
Phil (a.k.a. purplehaz)

Secure your hacker-prone computer:

If they say Messenger Service in the title bar, these pop-ups have nothing
to do with MSN Messenger or Windows Messenger. This is a new way for
spammers to attack your computer and send you pop-up ads. If you receive
these ads it means that your computer's NetBIOS ports are wide open to the
Internet and this could be a real security problem. What you should do is
install a good firewall that will block the ports the spammers use and stop
the ads. A good place to start is Zone Alarm ( www.zonelabs.com ) for an
inbound/outbound blocking firewall or use the inbound blocking only firewall
built in to XP. If needed, configure the firewall to block ports 135, 137-139
and 445. Zone Alarm will block these ports by default.

Use this site to test some of your ports security:
https://grc.com/x/ne.dll?bh0bkyd2

You can/should also disable the Messenger service, which is the service the
spammers exploit, but it isn't needed to stop the ads and disabling the
service will not block the open NetBIOS ports.

Note: If the Messenger service is stopped, messages from the Alerter
service (notifications from your antivirus software, for example) are
not transmitted. If the Messenger service is turned off, any services
that explicitly depend on the Messenger service do not start, and an
error message is logged in the System event log. For this reason,
Microsoft recommends that you install a firewall and configure it to
block NetBIOS and RPC traffic instead of turning off the Messenger
service.

To turn off the service, go to Control Panel, Administrative Tools,
Services, find Messenger, right-click, Properties, hit the Stop button, set
startup type to Manual or Disabled. (Be sure to stay patched at Windows
Update as well.)

If the pop-ups appear while surfing web pages then download and install one
of the many pop-up blocker programs. Search www.download.com for popup
blocker, you'll find many free ones.

Also get a good spyware cleaner:

Spybot - http://www.safer-networking.org/

Ad-aware - http://www.lavasoft.com


 
Cerridwen

Tony said:
I didn't read it all, but the write-up sounds legitimate. It's
talking about a vulnerability in your machine that's allowing the
Messenger messages to pop up. Turn on your ICF, possibly download a
third-party firewall like ZoneAlarm (free), and make sure you get all
the critical/security updates from Windows Update. This should
hopefully eliminate these Messenger adverts and security holes.

I would recommend doing this as quickly as possible, as with your
machine being open as it is, it would be very easy to become infected
with MSBlaster or one of its variants.

OMG!! When someone told you that the word 'gullible' had been removed from
the dictionary, you went to look it up, just to be sure, didn't you?!

When they reprint the dictionary they'll email you for a photo to place next
to the words 'sucker' and 'idiot'.
 
Malke

phil said:
I keep getting an error message that pops up in the
background that closes everything I am doing. Something
has gotten into Windows Messenger service, causing the
popup on me. Then it says there's a cure for it and asks me
to go to this site, http://www.windows-patch.info/, which I
believe is a fake Microsoft site. The patch links on the
site ask for money, so if anyone knows what this problem
is, can you e-mail me?
(much snippage of unnecessary info)

First, to turn off the messenger spam (and this is not Windows Messenger
spam - Windows Messenger is an instant messaging client; the messenger
service is used in large networks) go to Control Panel, Administrative
Tools, Services and scroll down to the messenger service. Double-click
its name which will get you its Properties. Click the button to stop
the service and then use the drop-down box to disable the service. The
second part of the process is to use a firewall. Either turn on the
built-in Windows XP firewall (look in XP's Help & Support for
instructions) or get one of the excellent free firewalls from Zone
Alarm or Sygate.

Now, scan with a current antivirus program (meaning a version not
earlier than 2002 and using updated virus definitions). If you don't
have one, get one immediately. Continue with your computer clean up by
removing spyware with Spybot Search & Destroy from
www.security.kolla.de and Ad-aware from www.lavasoftusa.com. Be sure to
update these programs before running them. These programs are free, so
run them both since they complement each other. It is best to run
antivirus and spyware removal tools in Safe Mode.

HTH,

Malke
 
Guest

-----Original Message-----


OMG!! When someone told you that the word 'gullible' had been removed from
the dictionary, you went to look it up, just to be sure, didn't you?!

When they reprint the dictionary they'll email you a photo to place next
to the words 'sucker' and 'idiot'.

Yes, and it will be your photos!
 
Bruce Chambers

Greetings --

These messages are _not_ caused by a Trojan or other infection;
they're originating outside the very unsecure PCs. They're from a
very unscrupulous "business." It's a scam, plain and simple. They're
trying to sell you patches that Microsoft provides free-of-charge.
They're also demonstrating that your PC is very unsecure.

Does the title bar of these pop-ups not read "Messenger Service?"

This type of spam has become quite common over the past year or
so, and unintentionally serves as a valid security "alert." It
demonstrates that you haven't been taking sufficient precautions while
connected to the Internet. Your data probably hasn't been compromised
by these specific advertisements, but if you're open to this exploit,
you're most definitely open to other threats, such as the Blaster Worm
that still haunts the Internet. Install and use a decent, properly
configured firewall. (Merely disabling the messenger service, as some
people recommend, only hides the symptom, and does little or nothing
to truly secure your machine.) And ignoring or just "putting up with"
the security gap represented by these messages is particularly
foolish.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Whichever firewall you decide upon, be sure to ensure
UDP ports 135, 137, and 138 and TCP ports 135, 139, and 445 are _all_
blocked. You may also disable Inbound NetBIOS (NetBIOS over TCP/IP).
You'll have to follow the instructions from the firewall's manufacturer
for the specific steps.

You can test your firewall at:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Security Scan - Sygate Online Services
http://www.sygatetech.com/

Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service, by itself, is a "head in the sand" approach to computer
security. The real problem is _not_ the messenger service pop-ups;
they're actually providing a useful, if annoying, service by acting as
a security alert. The true problem is the unsecured computer, and
you've been advised to merely turn off the warnings. How is this
helpful?


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH


 
Bruce Chambers

Greetings --

How can someone asking anyone to _buy_ a patch that Microsoft
provides free-of-charge possibly "sound legitimate?"


Bruce Chambers


Tony Talmage

Oh, I definitely didn't mean it like that.. what I meant to say was that the
information about the machine being vulnerable to attack sounded legitimate.
The actual premise of the site and the fact that it was advertised in a
Messenger popup is shady. Don't think I was advocating them or anything =)


Bruce Chambers

Greetings --

Malke, with respect, I'd suggest that enabling the firewall should
be the _first_ step taken. Then, if the OP likes, the messenger
service can then be disabled. Protecting the PC from intrusions and
exploits such as Blaster seems, at least to me, much more important
than simply turning off annoying but harmless advertising.


Bruce Chambers


Tony Talmage

I was a little ambiguous in my statement; what I meant to say was that the
information about the machine being vulnerable to attack sounded legitimate,
not the actual website itself. Notice how my entire message was about
increasing security, as in enabling the built-in firewall, getting a
third-party firewall, and downloading/installing updates from the *Windows
Update* site. I never said to use these folks sending the advert. Attack
someone when they deserve it, not when you read the first 10 words of a post
and assume the rest.


Bruce Chambers

Greetings --

Ah.... My mistake.

Bruce Chambers


John Q. Crapper

-----Original Message-----


OMG!! When someone told you that the word 'gullible' had been removed from
the dictionary, you went to look it up, just to be sure, didn't you?!

When they reprint the dictionary they'll email you for a photo to place next
to the words 'sucker' and 'idiot'.

My company is interested in buying your foul mouth! We
think it could create some wonderfully colorful marketing
slogans to sell out all of our lines of J Q Crapper
facility appliances.
 
Malke

Bruce said:
Greetings --

Malke, with respect, I'd suggest that enabling the firewall should
be the _first_ step taken. Then, if the OP likes, the messenger
service can then be disabled. Protecting the PC from intrusions and
exploits such as Blaster seems, at least to me, much more important
than simply turning off annoying but harmless advertising.

Good point, Bruce. After all, if they have the firewall enabled that
will stop the bad stuff so they can do whatever repair and/or actions
necessary. I'll switch my answer around. Thanks again for catching
that.

Malke
 
Bruce Chambers

Greetings --

You're welcome.

Bruce Chambers
