News for 2003
Nov 24, 2003 - No news is good news
Things have been pretty quiet. This Blank Page on the Internet allows for a place to quietly meditate.
Nov 19, 2003 - High Speed Internet for Bakersfield and Enosburg Falls.
Bakersfield, which is slightly out of DSL range (Verizon comes from East Fairfield), now has an option for high-speed Internet via cable, from North Country Cable. Price is ok, speed lots better than dial-up, but less than big-city cable offerings. I haven't talked to their tech much about what's behind the scenes, but he did say that they were surprised by its popularity. Maybe they will have the income and demand to expand their uplink and increase speed.
Nov 19, 2003 - Buffer Overflow in Workstation service.
Nov 14, 2003 - Buffer overflow in Windows Messenger Service
Oct 22, 2003 - Security Bulletin MS03-044
Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
(XP Patch)
(Windows 2000 Patch)
Welchia and Blaster still top risks
Sept 30, 2003 - the Welchia and (MS)Blaster viruses are still the top dangers to unpatched systems. If you have not patched these yet, the patch links in the Sept 15th entry from MS will get you safe.
Password Stealing Virus (Trojan)
Sept 29, 2003 - Email attachment must be run, then will pop up an error screen (it produced the error) and will attempt to grab your email login and password. Norton detects this, but doesn't repair yet. The site says the update has included this since 10/1/2003. It's a nasty, but requires you to manually run it from email to become active -- so, everyone together now, NEVER CLICK ON AN ATTACHMENT YOU ARE NOT EXPECTING. It will copy itself as one or more of (C:\Windows\Winhe1p.exe, C:\Program Files\Windows.exe, C:\Winnt\System\Command.exe) and will rewrite the system registry to point to these files. DO NOT just erase these files without running a cleaning tool ... your system will stop working.
No new Worm ... Yet
Sept 15, 2003 - In a surprise move, Microsoft has found a security problem related to the one which gave rise to the MS Blaster and Welchia worms last month. Read more on MS's webpage, Security Bulletin MS03-039. There are links on the page for the patch needed, or you can follow these: Windows 2000 or Windows XP, or you can use Windows Update.
There are no worms found yet using this variant, but given the success of the others, I'm expecting one any day.
Closest Approach to Mars in 60,000 years!
Aug 28th, 2003 - Click here to read the article at space.com and see the great pictures Hubble took on August 27th.
Mid August a bad time for Windows users.
Aug 21st, 2003 - Three new Worms to look out for:
- Blaster (aka MSBlaster, Lovsan, Lovesan and Poza)
This Worm infects Windows 2000 and Windows XP machines. It enters via TCP port 135 and adds itself as msblaster.exe in the Windows system folder "system32".
Payload is triggered from the 16th to the end of each month.
The usual effect of infection from this worm is your system rebooting every few minutes. A non-obvious danger is that a hidden command shell allows remote access to your system.
Symantec (Norton AV) has a removal tool at: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
If your Norton AV version is 50811s or 8/11/2003 or later, you are protected from new infections from the worm.
Microsoft patches to resolve this vulnerability are also available:
Windows 2000
Windows XP
For more info from Microsoft about this RPC issue, go here.
- Welchia (aka Nachi, Lovsan.D and Worm_MSBlast.D)
This Worm uses the same port and method as the Blaster Worm above, and will also access Win 2000 systems on port 80 (WebDAV).
Payload is not date dependent. Will delete msblast.exe from above worm, causes many Win2000 systems to become unstable. Installs TFTP server on infected machines compromising system security.
Symantec (Norton AV) has a removal tool at: http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
If your Norton AV version is dated 8/19/2003 or later, you are protected from new infections from the worm.
Microsoft patches to resolve this vulnerability are also available for Port 80: (For TCP port 135, see above)
Windows 2000
Windows XP
For more info from Microsoft about this WebDav issue, go here.
- Sobig.F
This Worm is a hybrid: it spreads like a virus and runs on the infected computer like a worm. It requires email and human interaction to infect your system.
It will continue to operate until September 10th. Its Payload is to mass-mail itself to anyone it finds in your mailing lists (scans files ending in .wab, .dbx, .htm, .html, .eml, and .txt) and spoofs the "From" address using another randomly chosen address from this list.
The Subject line of the email will be one of: "Re: Details", "Re: Approved", "Re: Re: My Details", "Re: Thank You!", "Re: That movie", "Re: Wicked screensaver", "Re: Your application", "Thank You!" or "Your details"
The Body of the message will be either: "See the attached files for details." or "Please see the attached files for details."
It will have one of the following attachments: "your_document.pif", "document_all.pif", "thank_you.pif", "your_details.pif", "details.pif", "document_9446.pif", "application.pif", "wicked_scr.scr" or "movie0045.pif"
Symantec (Norton AV) has a removal tool at: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html
If your Norton AV version is dated 8/19/2003 or later, you are protected from new infections from the worm.
Since this worm requires the computer operator to infect the system, there is not a patch from Microsoft. As always the rule is to never open an attachment from someone if you aren't expecting one, and keep your virus definitions up to date.