Post by StRiDeR on Mar 19, 2004 13:05:41 GMT 8
W32/Agobot-FG
Aliases: Backdoor.Agobot.3.gen
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description:
W32/Agobot-FG is a network worm which also allows unauthorised remote access to the computer via IRC channels. W32/Agobot-FG tries to copy itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.
W32/Agobot-FG copies itself to the Windows system folder as EXPLORED.EXE and creates entries in the registry at the following locations to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
On NT-based versions of Windows W32/Agobot-FG tries to create a system service called "mpr" which it sets to run on system startup, creating registry entries in the following locations:
HKLM\System\CurrentControlSet\Services\MPR
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MPR
W32/Agobot-FG attempts to terminate the following virus, anti-virus and security-related processes:
tftpd.exe dllhost.exe winppr32.exe mspatch.exe penis32.exe msblast.exe zonealarm.EXE zapro.EXE vsmon.EXE vshwin32.EXE vbcmserv.EXE sbserv.EXE rtvscan.EXE rapapp.EXE pcscan.EXE pccwin97.EXE pccntmon.EXE pavproxy.EXE nvsvc32.EXE ntrtscan.EXE npscheck.EXE notstart.EXE lockdown2000.EXE iamserv.EXE iamapp.EXE gbpoll.EXE gbmenu.EXE fsmb32.EXE fsma32.EXE fsm32.EXE fsgk32.EXE fsav32.EXE fsaa.EXE fnrb32.EXE fih32.EXE fch32.EXE fameh32.EXE f-stopw.EXE defscangui.EXE defalert.EXE cpd.EXE cleaner3.EXE cleaner.EXE ccPxySvc.EXE ccEvtMgr.EXE ccApp.EXE blackd.EXE avpm.EXE avkwctl9.EXE avkservice.EXE avkpop.EXE apvxdwin.EXE agentw.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE ZONEALARM.EXE ZONALM2601.EXE ZAUINST.EXE ZATUTOR.EXE ZAPSETUP3001.EXE ZAPRO.EXE XPF202EN.EXE WrCtrl.EXE WrAdmin.EXE WYVERNWORKSFIREWALL.EXE WSBGATE.EXE WRCTRL.EXE WRADMIN.EXE WNT.EXE WINRECON.EXE WIMMUN32.EXE WHOSWATCHINGME.EXE WGFE95.EXE WFINDV32.EXE WEBTRAP.EXE WEBSCANX.EXE WATCHDOG.EXE W9X.EXE W32DSM89.EXE VetTray.EXE Vet95.EXE VbCons.EXE VSWINPERSE.EXE VSWINNTSE.EXE VSWIN9XE.EXE VSSTAT.EXE VSMON.EXE VSMAIN.EXE VSISETUP.EXE VSECOMR.EXE VSCHED.EXE VSCENU6.02D30.EXE VSCAN40.EXE VPTRAY.EXE VPFW30S.EXE VPC42.EXE VPC32.EXE VNPC3000.EXE VNLAN300.EXE VIRUSMDPERSONALFIREWALL.EXE VIR-HELP.EXE VFSETUP.EXE VETTRAY.EXE VET95.EXE VET32.EXE VCSETUP.EXE VBWINNTW.EXE VBWIN9X.EXE VBUST.EXE VBCONS.EXE VBCMSERV.EXE UPDATE.EXE UNDOBOOT.EXE TROJANTRAP3.EXE TRJSETUP.EXE TRJSCAN.EXE TRACERT.EXE TITANINXP.EXE TITANIN.EXE TGBOB.EXE TFAK5.EXE TFAK.EXE TDS2-NT.EXE TDS2-98.EXE TDS-3.EXE TCM.EXE TCA.EXE TC.EXE TBSCAN.EXE TAUMON.EXE TASKMON.EXE SymProxySvc.EXE SweepNet.SWEEPSRV.SYS.SWNETSUP.EXE Sphinx.EXE SYSEDIT.EXE SYMTRAY.EXE SYMPROXYSVC.EXE SWEEP95.EXE SUPPORTER5.EXE SUPFTRL.EXE ST2.EXE SS3EDIT.EXE SPYXX.EXE SPHINX.EXE SPF.EXE SOFI.EXE SMC.EXE SHN.EXE SHELLSPYINSTALL.EXE SH.EXE SGSSFW32.EXE SFC.EXE SETUP_FLOWPROTECTOR_US.EXE SETUPVAMEEVAL.EXE
SERV95.EXE SD.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SBSERV.EXE SAFEWEB.EXE RULAUNCH.EXE RTVSCN95.EXE RSHELL.EXE RRGUARD.EXE RESCUE32.EXE RESCUE.EXE REGEDT32.EXE REGEDIT.EXE REALMON.EXE RAV8WIN32ENG.EXE RAV7WIN.EXE RAV7.EXE QSERVER.EXE QCONSOLE.EXE PVIEW95.EXE PURGE.EXE PSPF.EXE PROTECTX.EXE PROPORT.EXE PROGRAMAUDITOR.EXE PROCEXPLORERV1.0.EXE PROCESSMONITOR.EXE PPVSTOP.EXE PPTBC.EXE PPINUPDT.EXE PORTMONITOR.EXE PORTDETECTIVE.EXE POPSCAN.EXE POPROXY.EXE POP3TRAP.EXE PLATIN.EXE PINGSCAN.EXE PFWADMIN.EXE PF2.EXE PERSWF.EXE PERSFW.EXE PERISCOPE.EXE PDSETUP.EXE PCIP10117_0.EXE PCFWALLICON.EXE PCDSETUP.EXE PCCWIN98.EXE PCCIOMON.EXE PCC2K_76_1436.EXE PCC2002S902.EXE PAVW.EXE PAVSCHED.EXE PAVPROXY.EXE PAVCL.EXE PANIXK.EXE PADMIN.EXE OUTPOSTPROINSTALL.EXE OUTPOSTINSTALL.EXE OUTPOST.EXE OSTRONET.EXE Nupgrade.EXE Nui.EXE NeoWatchLog.EXE Navw32.EXE NWTOOL16.EXE NWService.EXE NWINST4.EXE NVC95.EXE NVARCH16.EXE NTXconfig.EXE NTVDM.EXE NSCHED32.EXE NPSSVC.EXE NPROTECT.EXE NPFMESSENGER.EXE NPF40_TW_98_NT_ME_2K.EXE NORTON_INTERNET_SECU_3.0_407.EXE NORMIST.EXE NOD32.EXE NMAIN.EXE NISUM.EXE NISSERV.EXE NETUTILS.EXE NETSTAT.EXE NETSPYHUNTER-1.2.EXE NETSCANPRO.EXE NETMON.EXE NETINFO.EXE NETARMOR.EXE NEOMONITOR.EXE NDD32.EXE NCINST4.EXE NC2000.EXE NAVWNT.EXE NAVW32.EXE NAVSTUB.EXE NAVNT.EXE NAVLU32.EXE NAVENGNAVEX15.NAVLU32.EXE NAVDX.EXE NAVAPW32.EXE NAVAPSVC.EXE NAVAP.navapsvc.EXE NAV Auto-Protect.NAV80TRY.EXE N32SCANW.EXE Monitor.EXE Mcshield.EXE MWATCH.EXE MU0311AD.EXE MSSMMC32.EXE MSINFO32.EXE MSCONFIG.EXE MRFLUX.EXE MPFTRAY.EXE MPFSERVICE.EXE MPFAGENT.EXE MOOLIVE.EXE MONITOR.EXE MINILOG.EXE MGUI.EXE MGHTML.EXE MGAVRTE.EXE MGAVRTCL.EXE MFWENG3.02D30.EXE MFW2EN.EXE MCVSSHLD.EXE MCVSRTE.EXE MCUPDATE.EXE MCTOOL.EXE MCMNHDLR.EXE MCAGENT.EXE LUSPT.EXE LUINIT.EXE LUCOMSERVER.EXE LUAU.EXE LUALL.EXE LSETUP.EXE LOOKOUT.EXE LOCKDOWN2000.EXE LOCKDOWN.EXE LOCALNET.EXE LDSCAN.EXE LDPROMENU.EXE LDPRO.EXE LDNETMON.EXE KILLPROCESSSETUP161.EXE KERIO-WRP-421-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE KERIO-PF-213-EN-WIN.EXE KAVPF.EXE KAVPERS40ENG.EXE KAVLITE40ENG.EXE JEDI.EXE JAMMER.EXE ISRV95.EXE IRIS.EXE IPARMOR.EXE IOMON98.EXE IFW2000.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSTATS.EXE IAMSERV.EXE IAMAPP.EXE HWPE.EXE HTLOG.EXE HACKTRACERSETUP.EXE GUARDDOG.EXE GUARD.EXE GENERICS.EXE GBPOLL.EXE GBMENU.EXE FSAV95.EXE FSAV530WTBYB.EXE FSAV530STBYB.EXE FSAV.EXE FRW.EXE FPROT.EXE FP-WIN_TRIAL.EXE FP-WIN.EXE FLOWPROTECTOR.EXE FIREWALL.EXE FINDVIRU.EXE FAST.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE EXPERT.EXE EXE.AVXW.EXE EXANTIVIRUS-CNET.EXE EVPN.EXE ETRUSTCIPE.EXE ESPWATCH.EXE ESCANV95.EXE ESCANHNT.EXE ESCANH95.EXE ESAFE.EXE ENT.EXE EFPEADM.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE DRWEB32.EXE DRWATSON.EXE DPFSETUP.EXE DPF.EXE DOORS.EXE DEPUTY.EXE DEFWATCH.EXE Claw95cf.EXE Claw95.EXE CWNTDWMO.EXE CWNB181.EXE CV.EXE CTRL.EXE CPFNT206.EXE CPF9X206.EXE CPD.EXE CONNECTIONMONITOR.EXE CMON016.EXE CMGRDIAN.EXE CLEANPC.EXE CLEANER3.EXE CLEANER.EXE CLEAN.EXE CLAW95CF.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE CFGWIZ.EXE CDP.EXE BlackICE.EXE BS120.EXE BORG2.EXE BOOTWARN.EXE BLACKICE.EXE BLACKD.EXE BISP.EXE BIPCPEVALSETUP.EXE BIPCP.EXE BIDSERVER.EXE BIDEF.EXE BD_PROFESSIONAL.EXE Avsched32.EXE AvkServ.EXE Avgctrl.EXE AvgServ.EXE AvSynMgr.AVSYNMGR.EXE AutoTrace.EXE AckWin32.EXE AVXQUAR.EXE AVXMONITORNT.EXE AVXMONITOR9X.EXE AVWUPSRV.EXE AVWUPD32.EXE AVWINNT.EXE AVWIN95.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVGW.EXE AVGUARD.EXE AVGSERV9.EXE AVGSERV.EXE AVGNT.EXE AVGCTRL.EXE AVGCC32.EXE AVE32.EXE AVCONSOL.EXE AUTOUPDATE.EXE AUTODOWN.EXE AUPDATE.EXE ATWATCH.EXE ATUPDATER.EXE ATRO55EN.EXE ATGUARD.EXE ATCON.EXE APVXDWIN.EXE APLICA32.EXE APIMONITOR.EXE ANTS.EXE ANTIVIRUS.EXE ANTI-TROJAN.EXE AMON9X.EXE ALOGSERV.EXE ALERTSVC.EXE AGENTSVR.EXE ADVXDWIN.EXE ACKWIN32.EXE
Recovery:
Please follow the instructions for removing worms.
Post by StRiDeR on Mar 21, 2004 0:17:59 GMT 8
WORM_LOVGATE.G
Virus type: Worm
Destructive: No
Pattern file needed: 497
Scan engine needed: 5.200
Overall risk rating: Low
--------------------------------------------------------------------------------
Reported infections: Low
Damage Potential: High
Distribution Potential: High
--------------------------------------------------------------------------------
Description:
This memory-resident worm is a slightly modified variant of WORM_LOVGATE.F. The only difference between this variant and the earlier .F variant is the name of the event that both create to indicate memory-residency.
This memory-resident worm propagates through network shares by dropping copies of itself to shared folders with read/write access. The files that it drops can have any of the following file names:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe
This worm also propagates via email by replying to all new messages received in Microsoft Outlook and Outlook Express. The email message has the following characteristics:
From: <Infected User’s Name>
To: <Original Sender>
Subject: RE: <Original Subject>
Message body:
'<Infected User’s Name>' wrote:
====
><Original Body>
>
====
<Original Sender’s SMTP account> account auto-reply:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
...
... more look to the attachment.
> Get your FREE <Original Sender’s SMTP account> account now! <
Attachment: (Randomly selected from any of the following)
I am For u.doc.exe
Britney spears nude.exe.txt.exe
joke.pif
DSL Modem Uncapper.rar.exe
Industry Giant II.exe
StarWars2 - CloneAttack.rm.scr
dreamweaver MX (crack).exe
Shakira.zip.exe
SETUP.EXE
Macromedia Flash.scr
How to Crack all gamez.exe
Me_nude.AVI.pif
s3msong.MP3.pif
Deutsch BloodPatch!.exe
Sex in Office.rm.scr
the hardcore game-.pif
This worm also gathers target email addresses from HTML files that it finds in the current, Windows, and My Documents folders and sends an email message with itself as attachment to all the said email addresses. The email message it sends out may be any of the following:
Subject: Reply to this!
Message Body: For further assistance, please contact!
Attachment: About_Me.txt.pif

Subject: Let's Laugh
Message Body: Copy of your message, including all the headers is attached.
Attachment: driver.exe

Subject: Last Update
Message Body: This is the last cumulative update.
Attachment: Doom3 Preview!!!.exe

Subject: for you
Message Body: Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
Attachment: enjoy.exe

Subject: Great
Message Body: Send reply if you want to be official beta tester.
Attachment: YOU_are_FAT!.TXT.pif

Subject: Help
Message Body: This message was created automatically by mail delivery software (Exim).
Attachment: Source.exe

Subject: Attached one Gift for u..
Message Body: It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
Attachment: Interesting.exe

Subject: Hi
Message Body: Adult content!!! Use with parental advisory.
Attachment: README.TXT.pif

Subject: Hi Dear
Message Body: Patrick Ewing will give Knick fans something to cheer about Friday night.
Attachment: images.pif

Subject: See the attachement
Message Body: Send me your comments...
Attachment: Pics.ZIP.scr
The worm also has backdoor functions, opening ports, obtaining information about the system, and enabling the remote user to execute commands on the compromised system.
This Aspack-compressed worm runs on Windows NT, 2000, and XP.
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Services.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
To remove this malware, first identify the malware program.
Scan your system with your Trend Micro antivirus product. NOTE all files detected as WORM_LOVGATE.G. Trend Micro customers must download the latest pattern file before scanning their system. Other Internet users may use Housecall, Trend Micro’s free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. If the process name is not known, you will need the name(s) of the file(s) detected earlier.
1. Open Windows Task Manager. On Windows 95/98/ME systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select the file, then press either the End Task or the End Process button (depending on the version of Windows on your system).
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again. (Terminating an instance of the malware will also launch an instance of IEXPLORE.EXE. Terminate all other instances first before terminating IEXPLORE.EXE.)
6. Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the following entries:
WinHelp = "C:\WINNT\System32\WinHelp.exe"
WinGate initialize = "C:\WINNT\System32\WinGate.exe -remoteshell"
Remote Procedure Call Locator = "RUNDLL32.EXE reg678.dll ondll_reg"
Program In Windows = "C:\WINNT\System32\IEXPLORE.EXE"
4. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows NT>CurrentVersion>Windows
5. In the right panel, locate and delete the following entry:
Run = "RAVMOND.EXE"
Addressing Registry Shell Spawning
Registry shell spawning executes the malware when a user tries to run a .TXT file. The following procedures should restore the registry to its original settings.
1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_CLASSES_ROOT>txtfile>shell>open>command
2. In the right panel, locate the registry entry:
Default
3. Check whether its data (in the rightmost column) is the path and file name of the malware file:
"winrpc.exe %1"
4. If the data is the malware file, right-click Default and select Modify to change its value.
5. In the Value data input box, delete the existing value and type the default value:
%SysDir%\NOTEPAD.EXE %1
6. Click OK.
7. Close Registry Editor.
Removing Autostart Entries from System Files
Malware autostart entries in system files must be removed before the system can be restarted safely.
1. Open WIN.INI. To do this, click Start>Run, type WIN.INI, then press Enter.
2. Under the [windows] section, locate and delete the file name of the malware file, RAVMOND.EXE, from the following line:
Run=%System%RAVMOND.exe
(*Where %System% is the Windows system folder, which is usually C:\Windows\System on Windows 9x and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)
3. Close WIN.INI and click Yes when prompted to save.
NOTE: If you were not able to terminate the malware process from memory, as described in the previous procedure, restart your system.
Disabling Malware Service For Windows NT, 2000, and XP
1. Restart your machine to terminate the malware service. Next, remove the malware service from the registry.
2. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
3. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Windows Management Instrumentation Driver Extension
4. Right-click "Windows Management Instrumentation Driver Extension" and select "Delete".
5. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>NetMeeting Remote Desktop (RPC) Sharing
6. Right-click "NetMeeting Remote Desktop (RPC) Sharing" and select "Delete".
7. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Microsoft NetWork FireWall Services
8. Right-click "Microsoft NetWork FireWall Services" and select "Delete".
9. Close Registry Editor.
Post by StRiDeR on Mar 23, 2004 23:21:08 GMT 8
W32/Sdbot-GR
Aliases: Backdoor.IRCBot.gen, W32/Sdbot.worm.gen
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description:
W32/Sdbot-GR is a backdoor Trojan and network-aware worm which runs in the background as a service process and allows unauthorised remote access to the computer via IRC channels. W32/Sdbot-GR copies itself to the Windows system folder as wintask.exe and creates the following registry entries so that the Trojan is run when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlog
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winlog
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlog
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winlog
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlog
W32/Sdbot-GR remains resident, listening for commands from remote users. If the appropriate commands are received the worm will begin scanning the internet for network shares with weak administrator passwords and will attempt to copy itself to these shares.
Recovery:
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlog
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winlog
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlog
and delete them if they exist.
Each user has a registry area named HKEY_USERS\[code number]. For each user locate the entries:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\winlog
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlog
and delete them if they exist.
Close the registry editor and reboot your computer.
Post by atokENSEM on Mar 25, 2004 11:46:37 GMT 8
Right now, just going online... you're sure to get a virus...
Post by StRiDeR on Mar 25, 2004 23:07:03 GMT 8
> Right now, just going online... you're sure to get a virus...
That's what it's called... a worm
Post by atokENSEM on Mar 26, 2004 16:02:46 GMT 8
> That's what it's called... a worm
Yes... that's right...
Post by StRiDeR on Mar 26, 2004 16:28:18 GMT 8
W32/Lovgate-X
Aliases: I-Worm.LovGate.q, Win32/Lovgate.X, WORM_LOVGATE.Q
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description:
W32/Lovgate-X is a worm with backdoor functionality that spreads via email, network shares with weak passwords and filesharing networks. W32/Lovgate-X may arrive in an email with the following characteristics:
Subject line: chosen from -
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message text: chosen from -
It's the long-awaited film version of the Broadway hit.
The message sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail failed. For further assistance, please contact!
Attachment name: chosen from -
document
readme
doc
text
file
data
test
message
body
followed by .bat, .cmd, .exe, .pif or .scr
When executed W32/Lovgate-X creates the service "NetMeeting Remote Sharing," copies itself to the Windows folder with the filename Systra.exe and to the Windows system folder with the filenames iexplore.exe, Winexe.exe, avmond.exe, WinHelp.exe and Kernel66.dll.
W32/Lovgate-X extracts the backdoor components to the Windows system folder as ODBC16.DLL, msjdbc11.dll and MSSIGN30.DLL (detected as W32/Lovgate-W).
In order to run automatically when Windows starts up W32/Lovgate-X creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra = C:\WINDOWS\SysTra.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Program In Windows = "C:\\WINDOWS\\System32\\IEXPLORE.EXE"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices\SystemTra = "C:\\WINDOWS\\SysTra.EXE"
HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = "RAVMOND.exe"
HKCR\exefile\shell\open\command = C:\WINDOWS\System\winexe.exe
W32/Lovgate-X may change the win.ini file by adding the path to Ravmond.exe to the 'run=' line.
W32/Lovgate-X attempts to terminate a number of processes with names that contain a string chosen from the following list:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising
W32/Lovgate-X copies itself to the share folders of filesharing networks with one of the following filenames:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe
W32/Lovgate-X copies itself to the share folder of the KaZaa network with one of the following filenames:
wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win
W32Dasm
setup
<any name>
followed by .bat, .exe, .pif or .scr
Recovery:
Please follow the instructions for removing worms.
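The manual clean-up in the Lovgate.G, Sdbot-GR and Lovgate-X posts above (and the Run/RunServices entries in the Agobot-FG post) comes down to inspecting a handful of autostart locations: the Run, RunOnce and RunServices keys, the legacy Run value under Windows NT\CurrentVersion\Windows, the txtfile and exefile shell handlers, and the run= line of WIN.INI. The following Python script is an added example, not part of this thread or of the Sophos and Trend Micro advisories it quotes: it parses a registry export of the kind the Sdbot-GR post says to make before editing (a .reg file) plus a copy of WIN.INI, and reports entries matching the file and value names those posts list. The export and WIN.INI text inside the script are constructed; the names come from the posts.

```python
"""Offline triage of a registry export (.reg) and WIN.INI for the autostart
entries quoted in the Lovgate, Sdbot and Agobot posts.  Added example, not
code from the thread or from any vendor advisory; the sample export and
WIN.INI text are constructed for the demo."""
import re

# File names and registry value names quoted in the posts, lower-cased for matching.
SUSPECT_FILES = {"winhelp.exe", "wingate.exe", "reg678.dll", "ravmond.exe", "winrpc.exe",
                 "wintask.exe", "explored.exe", "systra.exe", "mssign30.dll", "winexe.exe"}
SUSPECT_VALUE_NAMES = {"winlog", "systemtra", "program in windows", "wingate initialize",
                       "remote procedure call locator", "protected storage",
                       "vfw encoder/decoder settings"}
AUTOSTART_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce|runservices)$")
NT_WINDOWS_KEY = re.compile(r"\\software\\microsoft\\windows nt\\currentversion\\windows$")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)      # .reg string syntax: \\ -> \ and \" -> "


def parse_reg(text):
    """Parse the string values of a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}; the default value is stored under ''.
    dword:/hex: values are skipped, only strings matter for autostart triage."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line) if current is not None else None
        if not m or not (m.group(2).startswith('"') and m.group(2).endswith('"')):
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def audit_reg(text):
    """Return (key, value name, data, reason) tuples for entries matching the posts."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        lv = {n.lower(): d for n, d in values.items()}    # case-insensitive lookup
        if AUTOSTART_KEY.search(k):
            for name, data in values.items():
                if name.lower() in SUSPECT_VALUE_NAMES:
                    findings.append((key, name, data, "value name quoted in advisory"))
                elif any(f in data.lower() for f in SUSPECT_FILES):
                    findings.append((key, name, data, "data names a dropped file"))
        elif NT_WINDOWS_KEY.search(k) and lv.get("run"):
            # Lovgate uses the legacy Run value of the Windows NT key; it is empty when clean.
            findings.append((key, "Run", lv["run"], "legacy Run value populated"))
        elif k.endswith(r"\txtfile\shell\open\command") and "notepad.exe" not in lv.get("", "").lower():
            findings.append((key, "(Default)", lv.get("", ""), ".txt handler hijacked"))
        elif k.endswith(r"\exefile\shell\open\command") and lv.get("", "").strip() != '"%1" %*':
            findings.append((key, "(Default)", lv.get("", ""), ".exe handler hijacked"))
    return findings


def audit_win_ini(text):
    """Return non-empty run=/load= entries of the [windows] section (both empty when clean)."""
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            k, _, v = line.partition("=")
            if k.strip().lower() in ("run", "load") and v.strip():
                hits.append((k.strip().lower(), v.strip()))
    return hits


# Constructed export: one legitimate Run value (ctfmon) plus the entries the posts describe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINNT\\System32\\ctfmon.exe"
"WinHelp"="C:\\WINNT\\System32\\WinHelp.exe"
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"
"Remote Procedure Call Locator"="RUNDLL32.EXE reg678.dll ondll_reg"
"Program In Windows"="C:\\WINNT\\System32\\IEXPLORE.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"winlog"="C:\\WINNT\\System32\\wintask.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="RAVMOND.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINNT\System32\RAVMOND.exe
"""

if __name__ == "__main__":
    for finding in audit_reg(SAMPLE_REG) + audit_win_ini(SAMPLE_WIN_INI):
        print(finding)
```

Run it against a real export made with Registry > Export Registry File and a copy of WIN.INI taken from the suspect machine; compare anything it reports with the posts before deleting it, since a value such as WinHelp is flagged only because its data points at one of the dropped files.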
Post by StRiDeR on Mar 30, 2004 15:34:05 GMT 8
30 March 2004
W32/Netsky-P
Aliases: Win32/Netsky.Q, WORM_NETSKY.P
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received many reports of this worm from the wild.
Note: Sophos has been detecting W32/Netsky-P since 02:29 GMT on 22 March 2004 and has issued this updated IDE to enhance detection.
Description:
NOTE: The information contained in this analysis may be considered offensive by some customers.
W32/Netsky-P is a mass-mailing worm which spreads by emailing itself to addresses harvested from files on the local drives.
The worm copies itself to the Windows folder as FVProtect.exe and adds the following registry entry to run itself whenever the user logs on to the computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = <Windows>\FVProtect.exe
W32/Netsky-P harvests email addresses from files with the following extensions: PL, HTM, HTML, EML, TXT, PHP, ASP, VBS, RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, SHT, OFT, MSG, JSP, WSH, XML.
The worm has a trigger date of 24th of March 2004, at which time it will attempt to mass mail.
Emails have the following characteristics (note that not all variations are listed):
Subject lines: constructed from the following groups of strings -
Re: Re:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification
Message texts: chosen from -
Please confirm my request.
ESMTP [Secure Mail System #334]: Secure message is attached.
Partial message is available.
Waiting for a Response.
Please read the attachment.
First part of the secure mail is available.
For more details see the attachment.
For further details see the attachment.
Your requested mail has been attached.
Protected Mail System Test.
Secure Mail System Beta Test.
Forwarded message is available.
Delivered message is attached.
Encrypted message is available.
Please read the attachment to get the message.
Follow the instructions to read the message.
Please authenticate the secure message.
Protected message is attached.
Waiting for authentification.
Protected message is available.
Bad Gateway: The message has been attached.
SMTP: Please confirm the attached message.
You got a new message.
Now a new message is available.
New message is available.
You have received an extended message.
Please read the instructions.
Attachment description: chosen from -
Your details.
Your document.
I have received your document.
The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file!
Please see the attached file for details.
followed by -
<attached filename>:
+++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found +++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found +++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found ++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found ++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.de
Attached file: <filename>_ <recipient_name>.<extension>
<filename> chosen from:
document_all
message
excel document
word document
screensaver
application
website
product
letter
information
details
document
<extension> chosen from:
EXE
SCR
PIF
ZIP
W32/Netsky-P attempts to delete registry entries which may be set by variants of the W32/Mydoom and W32/Bagle worms.
W32/Netsky-P also creates a number of TMP files in the Windows folder: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp.
Recovery:
Please follow the instructions for removing W32/Netsky-P.
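The subject lines, message texts, fake scanner trailer and attachment naming listed in the post above are exactly what a mail gateway can match on. The following Python check is an added example, not part of the thread or of the Sophos analysis: it collapses the stacked "Re:" prefixes, compares the subject and a subset of the message texts, looks for the "+++ Attachment: No Virus found +++" trailer, and verifies the <filename>_<recipient name>.<extension> attachment pattern against the recipient's own address. The messages it runs on are constructed.

```python
"""Mail-gateway style check for the W32/Netsky-P message characteristics listed
in the post above: subject lines, message texts, the fake 'No Virus found'
trailer and the <filename>_<recipient>.<ext> attachment name.  Added example,
not part of the thread or of the Sophos analysis; the messages are constructed."""
import re
from email.utils import parseaddr

SUBJECTS = {s.lower() for s in (
    "Re: Encrypted Mail", "Re: Extended Mail", "Re: Status", "Re: Notify",
    "Re: SMTP Server", "Re: Mail Server", "Re: Delivery Server", "Re: Bad Request",
    "Re: Failure", "Re: Thank you for delivery", "Re: Test", "Re: Administration",
    "Re: Message Error", "Re: Error", "Re: Extended Mail System",
    "Re: Secure SMTP Message", "Re: Protected Mail Request",
    "Re: Protected Mail System", "Re: Protected Mail Delivery",
    "Re: Secure delivery", "Re: Delivery Protection", "Re: Mail Authentification")}
# Subset of the message texts quoted in the post (the worm's own spelling kept).
BODY_TEXTS = tuple(t.lower() for t in (
    "Please confirm my request.", "Secure message is attached.",
    "Please read the attachment.", "Your requested mail has been attached.",
    "Waiting for authentification.", "Bad Gateway: The message has been attached.",
    "You have received an extended message.", "Please read the instructions."))
FILENAMES = ("document_all", "message", "excel document", "word document",
             "screensaver", "application", "website", "product", "letter",
             "information", "details", "document")
EXTENSIONS = ("exe", "scr", "pif", "zip")
FAKE_SCAN = re.compile(r"\+{3,}\s*Attachment:\s*No Virus found\s*\+{3,}", re.I)


def attachment_matches(filename, recipient):
    """True if filename is <name>_<recipient local part>.<ext> using the worm's lists."""
    local = parseaddr(recipient)[1].split("@", 1)[0].lower()
    f = filename.lower()
    for name in FILENAMES:              # try every prefix: recipient names may contain '_'
        if f.startswith(name + "_"):
            stem, _, ext = f[len(name) + 1:].rpartition(".")
            if stem == local and ext in EXTENSIONS:
                return True
    return False


def netsky_indicators(msg):
    """msg: dict with 'subject', 'to', 'body' and optional 'attachment'.
    Returns the names of the indicators that matched, in a fixed order."""
    hits = []
    # The worm stacks "Re:" prefixes; collapse them before comparing.
    subject = re.sub(r"^(re:\s*)+", "re: ", msg["subject"].strip(), flags=re.I).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    body = msg["body"].lower()
    if any(t in body for t in BODY_TEXTS):
        hits.append("body-text")
    if FAKE_SCAN.search(msg["body"]):
        hits.append("fake-scan-trailer")
    if msg.get("attachment") and attachment_matches(msg["attachment"], msg["to"]):
        hits.append("attachment-name")
    return hits


def is_netsky_p(msg):
    """Require two independent indicators so a lone 'Re: Status' is not quarantined."""
    return len(netsky_indicators(msg)) >= 2


SAMPLES = [  # constructed: the first two mimic the worm, the third is a benign reply
    {"subject": "Re: Re: Encrypted Mail", "to": "alice@example.com",
     "body": "Secure message is attached.\n\n+++ Attachment: No Virus found +++\n"
             "+++ Kaspersky AntiVirus - www.kaspersky.com",
     "attachment": "document_alice.pif"},
    {"subject": "Re: Status", "to": "Bob <bob@example.com>",
     "body": "Please read the attachment.", "attachment": "excel document_bob.zip"},
    {"subject": "Re: Status report Q1", "to": "bob@example.com",
     "body": "Bob, numbers attached as discussed.", "attachment": "status_q1.xlsx"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["subject"], "->", netsky_indicators(msg), "netsky" if is_netsky_p(msg) else "ok")
```

The attachment rule is the strongest of the four because it ties the file name to the recipient address, something a legitimate sender almost never does; the two-indicator threshold keeps an ordinary "Re: Status" reply from being quarantined on the subject alone.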
Post by atokENSEM on Mar 31, 2004 1:34:38 GMT 8
This is the latest one, right?
Post by StRiDeR on Mar 31, 2004 4:14:31 GMT 8
Yup... the latest.
Post by StRiDeR on Apr 1, 2004 1:14:34 GMT 8
W32/Nachi-E
Aliases: Worm.Win32.Welchia.e, W32/Nachi.worm.e, W32.Welchia.D
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description:
W32/Nachi-E is a worm which spreads to computers at random IP addresses that are infected with W32/MyDoom-A or are vulnerable to the following Microsoft buffer overflow vulnerabilities: DCOM RPC, WebDAV, IIS5/WEBDAV and Locator Service. For further information see Microsoft Security Bulletins MS03-026, MS03-007 and MS03-049.
The worm connects to random IP addresses on port 135 or 445 and exploits these buffer-overflow vulnerabilities to execute a small amount of code on computers that have not been patched. The buffer overflow code downloads the worm and runs it. The worm allows itself to be downloaded via a random port above 1024.
The worm spreads to computers at random IP addresses that are infected with W32/MyDoom-A via a backdoor component installed by W32/MyDoom-A, that provides access on port 3127.
When first run the worm copies itself to <system>\drivers\svchost.exe and creates a new service named WksPatch with the Startup Type set to Automatic, so that the service is run automatically each time Windows is started.
The display name of the new service is created by randomly combining one word from each of the following 3 lists:
"System", "Security", "Remote", "Routing", "Performance", "Network", "License" or "Internet"
"logging", "Manager", "Procedure", "Accounts" or "Event"
"provider", "sharing", "Messaging" or "Client"
For example: "System logging provider".
The service description is taken from either the Browser service or the MSDTC service by the worm. The worm tries to disable selected known malware by deleting files in the Windows System folder named intrenat.exe, Regedit.exe, shimgapi.dll, cftmon.dll, Explorer.exe or TaskMon.exe and by deleting the following registry entries (if they exist):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Nerocheck
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shimgapi.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
The worm deletes a service named RpcPatch (if it exists) and creates the following registry entry if it doesn't already exist:
HKCR\CLSID(E6FB5E20-DE35-11CF-9C87-00AA005127ED)\InProcServer32 = "%SystemRoot%\System32\webcheck.dll"
If the above registry entry was not already set, the worm creates a new 'clean' version of the HOSTS file located at <system>\drivers\etc\hosts. The new HOSTS file simply contains an entry for localhost set to the loopback address of 127.0.0.1.
W32/Nachi-E attempts to deface a website by replacing all files carrying the extensions ASP, HTM, HTML, PHP, CGI, STM, SHTM and SHTML found in the root and help folders of a Microsoft IIS installation with an HTML page containing the string 'LET HISTORY TELL FUTURE!'.
The worm may also try to download and install the following service packs for Windows 2000 and for Windows XP, if they haven't already been installed:
download.microsoft.com/download/4/d/3/4d375d48-04c7-411f-959b-3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe
download.microsoft.com/download/a/4/3/a43ea017-9abd-4d28-a736-2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe
download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe
download.microsoft.com/download/9/c/5/9c579720-63e9-478a-bdcb-70087ccad56c/Windows2000-KB828749-x86-CHS.exe
download.microsoft.com/download/0/8/4/084be8b7-e000-4847-979c-c26de0929513/Windows2000-KB828749-x86-KOR.exe
download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe
When the worm is run after July 2004 it will remove itself from the computer. Recovery Please follow the instructions for removing worms.
Post by StRiDeR on Apr 1, 2004 1:21:04 GMT 8
Troj/Rybot-A Aliases Backdoor.Rybot Type Trojan Detection A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this Trojan from the wild. Description Troj/Rybot-A is a backdoor Trojan that allows an attacker remote access to the computer via the IRC network. In order to run automatically when Windows starts up, the Trojan copies itself to a user configurable filename and adds a registry run entry below HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
The Trojan also drops the files rplib.dll and rtm.dat in the Windows system folder.
Troj/Rybot-A has the ability to log keystrokes and to send the logged data to a configurable FTP server. Recovery Please follow the instructions for removing Trojans.
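The two Sophos write-ups above list host indicators a responder can check for offline: the Run-key value names W32/Nachi-E removes, the 'clean' HOSTS file it writes, the defacement string it plants in IIS pages, and the two files Troj/Rybot-A drops in the system folder. The following Python script is an added example (not Sophos code and not part of either post) that turns those indicators into checks over collected artefacts: a `reg export` of the Run keys, a directory listing of the system folder, the HOSTS file text and the contents of the IIS web root. The `.reg` parser handles only the string-valued subset of the format and assumes the UTF-16 export has already been decoded; all sample inputs are constructed.

```python
import re
from typing import Dict, List

# Indicators quoted from the two Sophos write-ups above.
# Run-key value names W32/Nachi-E deletes: they belong to other malware,
# so their presence on a host is itself worth a look.
NACHI_RUN_VALUE_NAMES = {"gremlin", "nerocheck", "taskmon", "shimgapi.dll", "explorer"}
NACHI_DEFACEMENT_MARKER = "LET HISTORY TELL FUTURE!"
NACHI_WEB_EXTENSIONS = (".asp", ".htm", ".html", ".php", ".cgi", ".stm", ".shtm", ".shtml")
# Files Troj/Rybot-A drops in the Windows system folder.
RYBOT_DROPPED_FILES = {"rplib.dll", "rtm.dat"}

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg files double backslashes and escape quotes inside string data
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string-valued subset of a decoded `reg export` file into
    {key: {value_name: data}}; dword:/hex: data is kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:                         # [HKEY_...\Path] header opens a new key
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:  # "Name"="data" or @="default data"
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def flag_run_values(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Run-key values whose names are on the Nachi-E list, as 'KEY\\Name = data'."""
    hits = []
    for key, values in reg.items():
        if key.lower().endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if name.lower() in NACHI_RUN_VALUE_NAMES:
                    hits.append(f"{key}\\{name} = {data}")
    return hits


def find_dropped_files(system_dir_listing: List[str]) -> List[str]:
    """Which of Rybot-A's dropped file names appear in a system-folder listing."""
    present = {name.lower() for name in system_dir_listing}
    return sorted(RYBOT_DROPPED_FILES & present)


def hosts_is_localhost_only(hosts_text: str) -> bool:
    """True when the only active HOSTS entry maps localhost to 127.0.0.1,
    i.e. the 'clean' file the Nachi-E write-up describes."""
    entries = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            entries.append(tuple(line.split()))
    return entries == [("127.0.0.1", "localhost")]


def find_defaced_pages(web_files: Dict[str, str]) -> List[str]:
    """Paths (from {path: content}) with a web extension carrying the defacement string."""
    return sorted(path for path, content in web_files.items()
                  if path.lower().endswith(NACHI_WEB_EXTENSIONS)
                  and NACHI_DEFACEMENT_MARKER in content)


# Constructed sample artefacts (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"="C:\\WINDOWS\\system32\\taskmon.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\system32\\explorer.exe"
'''
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "RPLIB.DLL", "rtm.dat", "webcheck.dll"]
SAMPLE_HOSTS = "# constructed HOSTS file\n127.0.0.1       localhost\n"
SAMPLE_WEB = {
    r"C:\Inetpub\wwwroot\default.asp": "<html>LET HISTORY TELL FUTURE!</html>",
    r"C:\Inetpub\wwwroot\index.html": "<html>Welcome</html>",
    r"C:\Inetpub\wwwroot\logo.gif": "GIF89a",
}

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    print("run-key hits:", flag_run_values(reg))
    print("dropped files:", find_dropped_files(SAMPLE_SYSTEM_DIR))
    print("hosts clean:", hosts_is_localhost_only(SAMPLE_HOSTS))
    print("defaced pages:", find_defaced_pages(SAMPLE_WEB))
```

Because Nachi-E only rewrites HOSTS when the webcheck.dll CLSID entry was missing, a HOSTS file that fails `hosts_is_localhost_only` is not evidence against infection; it is the extra entries themselves that deserve review.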
Post by StRiDeR on Apr 1, 2004 15:31:16 GMT 8
Microsoft Progress Report: Security
---------------------------------------------
Malicious software code has been around for decades. But only in the last few years have the Internet, high-speed connections and millions of new computing devices converged to create a truly global computing network in which a virus or worm can circle the world in a matter of minutes.
Meanwhile, criminal hackers have become more sophisticated, creating and distributing digital epidemics like Slammer, Blaster, Sobig and Mydoom that spread almost instantaneously, threatening the potential of technology to advance business productivity, commerce and communication.
The kinds of threats are evolving too. Blaster, for example, hijacked individual computers, turning innocent users into unknowing and innocent worm propagators. These kinds of attacks – "swarming" attacks that are coordinated to cause multiplied, cascading effects – change the landscape of security threats. They put new demands on IT professionals and consumers to take preventative measures, and on the technology industry to continue to innovate and develop new solutions.
While there are considerable challenges ahead, Microsoft and our industry are making significant progress on the security front. I'd like to offer some insights into Microsoft's significant investments in four areas of security:
*Isolation and Resiliency
*Updating
*Quality
*Authentication and Access Control
Additionally, we are committed to major investments in customer education and partnerships that will help make the computing environment safer and more secure.
Given human nature, evolving threat models and the increasing interconnectedness of computers, the number of security exploits will never reach zero. But we can dramatically blunt the impact of cybercriminals, and are dedicating a major portion of our R&D investments to security advances.
Isolation and Resiliency
Central to our security efforts is preventing malicious code from being able to exploit a vulnerability by isolating such code, providing more effective control over what computer processes can talk to or work with, and making systems more resilient so they are able to identify and stop suspicious or bad behavior in its tracks.
Windows XP Service Pack 2: We are working on a number of isolation and resiliency advances that address four specific modes of attack in our flagship client operating system. These will be available in late spring/early summer.
*Network Protection: Windows Firewall will be turned on by default, and global firewall settings and central administration of firewall configuration will be enabled. This reduces the "attack surface" of PCs and networks.
*Safer Web Browsing: To reduce the impact of malicious code and Web sites that can damage computers or defraud users, Internet Explorer will automatically block unsolicited downloads from Web sites as well as block unwanted pop-ups unless a user clicks on a download link. IT administrators will also be able to manage this capability to enforce a consistent policy across their organizations. In addition, wireless setup will be improved for more secure browsing on wireless home networks.
*Safer Email and Instant Messaging: To reduce the risk of attacks, we are building better file attachment handling in Outlook Express and Windows Messenger instant messaging, and offering increased customer control over downloads of external content in Outlook Express that could enable a sender to identify your computer.
*Memory Protection: Malicious software designed to exploit buffer overruns can allow too much data to be copied into areas of the computer's memory. Although no single technique can completely eliminate this type of vulnerability, Microsoft is employing a number of security technologies to mitigate these attacks. First, core Windows components have been recompiled with the most recent version of our compiler technology to protect against stack and heap overruns. Microsoft is also working with microprocessor companies, including Intel and AMD, to help Windows support hardware-enforced data execute protection (also known as NX, or no execute). NX uses the CPU to mark all memory locations in an application as non-executable unless the location explicitly contains executable code. This way, when an attacking worm or virus inserts program code into a portion of memory marked for data only, it cannot be run.
Windows Server 2003: In an environment in which every computer can be seen as living in a "hostile world," our work on Windows Server 2003 has focused on how to help reduce, mitigate or contain threats. We plan to ship security advances in Windows Server 2003 Service Pack 1 in the second half of 2004 that will include the server-relevant security technologies found in Windows XP SP2. To improve the isolation capabilities, the Windows Firewall will be enabled during setup on new server installs so that the server is more protected from potential network-based exploits during configuration. A security configuration wizard will also be included so that once server roles (such as file server, app server, etc.) are enabled, they can be further locked down based on the specific usage model for that role.
Internet Security and Acceleration Server 2004: Security advances in Internet Security and Acceleration Server 2004 include much deeper content inspection, which will enable customers to better protect their Microsoft applications and fortify remote VPN connections. An enhanced user interface and management tools will make it easier for customers to implement and manage security policies, reducing the potential for misconfiguration – a common cause of network breaches.
Exchange Edge Services: This new technology addresses the evolving security problems associated with Internet email. Exchange Edge Services is designed to block incoming or outgoing malicious email and junk mail, defend against email server attacks and email-borne viruses, and encrypt messages to optimize for security. It is also designed to provide a foundation on which third-party developers can build technologies such as next-generation email filters, email encryption products and email compliance solutions.
Active protection technologies: Making computers even more resilient in the presence of increasingly sophisticated worms and viruses is key in preventing and containing attacks. To this end, Microsoft is investing in the development of an integrated set of protection technologies that include:
*Dynamic system protection that proactively adjusts defenses on each computer based on changes in its "state." For example, installing new software, making a configuration change, the need for a new update, or connecting to different networks can make a computer more vulnerable. Dynamic system protection detects these changes and adjusts the level of protection accordingly. Today, customers benefit from Automatic Update in Windows, which detects when a computer requires a new security update. In the future, Microsoft envisions computers not only being able to detect changes, but proactively responding to them too. For example, a laptop moving from a corporate network to a home cable modem or DSL connection could cause the integrated firewall to close more ports for additional protection.
*Behavior blocking that limits the ability of a computer infected with a worm or virus to cause further damage, by intercepting suspicious behavior, determining if it is out of the ordinary, and stopping it if it is. For example, the Blaster worm exploited a vulnerability that caused Windows to replicate the worm to other computers. Behavior blocking would contain this attack.
*Application-aware firewall and intrusion prevention that is designed to identify malicious traffic and block it. Traditional firewalls can be bypassed by worms and viruses embedded in what appears to be valid network traffic. This new technology will enable deep inspection of network traffic and stop or limit distribution of this malicious content.
Spam Tools: Because viruses, worms and other malicious code often spread via spam, Microsoft is waging a multi-pronged anti-spam effort. Last November, Microsoft announced SmartScreen Technology, a filter used in our client and online email programs. It gets progressively "smarter" as email users train the filter to identify unwanted spam. Last month, Microsoft unveiled a pilot implementation of Caller-ID, a technology that authenticates the origin of email, much like telephone Caller-ID. On the enforcement front, meanwhile, the company took 66 legal actions last year against spammers worldwide.
Post by StRiDeR on Apr 1, 2004 15:32:41 GMT 8
Client Inspection: At the corporate level, one of the biggest concerns is home computers or remote laptops infected with a virus or worm that are connected to a corporate network. We are working on technologies that will inspect these remote devices and block network access if they don't pass a health inspection.
Web Services: The delivery in 2002 of WS-Security, a standardized specification that improves the integrity, confidentiality and security of Web Services, will help businesses link systems internally and externally in a more secure, cost-efficient and flexible way by allowing for the encryption of messages and support for digital signatures. A recent report by the WS-I Security Profile Working Group outlines new countermeasures to combat challenges and threats in building interoperable Web services.
Updating
Until now, software updates have been the primary way that customers protect against security vulnerabilities. Although the evolving nature of threats requires a broader, multi-pronged response, Microsoft is continuing to make significant upgrades to the quality of our updates and associated processes, and building more advanced tools to help IT administrators optimize their infrastructure for security.
Last fall, we moved to monthly releases of updates to improve predictability and manageability, and to reduce the burden on IT administrators (although we will continue to release updates out-of-cycle to protect customers in the case of an active threat). We also are improving testing processes to minimize update inconsistencies and recall rates, and by this summer most of our updates will have full rollback capabilities.
System Management Server 2003, launched last November, is a comprehensive update and software management and distribution solution that enables organizations to quickly and easily deploy the latest updates in a systematic manner. In January, we released Microsoft Baseline Security Analyzer v1.2, a free tool that provides a streamlined method of identifying common security misconfigurations.
Windows Update Services, an evolution of Software Update Services 1.0 (SUS), is a major step forward in Microsoft's patch and update management strategy. A free component of Windows Server, Windows Update Services gives IT administrators a seamless update, scanning and installation capability for Windows servers and desktops. New features include the ability to provide customers with additional automation and control that reduces interruption when updating systems, and expanded functionality to update SQL Server, Exchange Server, Office 2003 and Office XP, in addition to Windows. It is currently in beta and scheduled for release in the second half of 2004. For consumers, we are also complementing Windows Update with a new service to automatically keep consumers up to date on a broader set of Microsoft products beyond Windows. This new service, called Microsoft Update, will be available later this year.
We are also incorporating the ability to automatically check the status of crucial security functionality such as firewall, automatic update and anti-virus. A new Security Center feature in the Windows XP Control Panel will tell a customer whether key security capabilities are turned on and up to date. When a problem is detected, they will receive a notification and recommended actions to help them become more secure.
Authentication and Access Control
Computer networks are no longer closed systems in which a user's mere presence on the network can serve as proof of identity. In an era where millions of computing devices are interconnected, and vendors and partners often have access to an organization's network, there are many potential opportunities for unauthorized individuals to gain access to digital information such as e-mail, e-commerce transactions or proprietary files. In this environment, access control (who, what and when) and authentication are critical aspects of ensuring an organization's security.
Passwords: Passwords provide the most common mechanism for authenticating users who need access to computers and networks. They also can be a weak link if users choose common passwords to more easily remember them. The Windows Server 2003 family has a new feature that checks the complexity of the password for the Administrator account during setup. If the password is blank or does not meet complexity requirements, a dialog box warns of the dangers of not using a strong password. We also are expanding our support for strong, two-factor authentication mechanisms through partnerships with companies like RSA Security, Inc. and VeriSign, Inc.
Smartcards: Windows Server 2003 and Windows XP also support smart cards, credit-card-sized devices that securely store certificates, public and private keys, passwords, and other types of personal information. Logging on to a network with a smart card provides a strong form of authentication because it uses cryptography-based identification and proof of possession of the private key held on the smartcard when authenticating a user to a network; in other words, something you have and something you know.
Public Key Infrastructure (PKI): Windows Server 2003 includes features to help organizations implement a public key infrastructure, including certificates and associated services and templates. A PKI provides the mechanisms needed to support issuance and life-cycle management of digital certificates. By trusting the digital certificate issuing authorities, other parties can independently determine the identity of clients presenting the digital certificates for authentication purposes. Use of this authentication technology can provide strong authentication based on industry standard public key cryptographic technology.
Biometric ID Card: Farther out, the Tamper-Resistant Biometric ID Card system will provide an innovative, simple and affordable solution for providing cryptographically secure photo-ID cards using a unique combination of public key cryptography, compression and barcode technologies.
IPsec: Another important component of a comprehensive defense-in-depth information protection strategy, IPsec eliminates many threats by mutually authenticating computers and restricting incoming network traffic based on that authentication. In addition, it provides for digitally signing traffic to ensure integrity, and encrypting traffic to provide privacy. Microsoft's IPsec implementation—in use in our own corporate network—is completely standards-compliant and will interoperate with all other compliant IPsec implementations, including those that support network address translation.
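The Passwords paragraph above mentions a setup-time check that the Administrator password is not blank and meets complexity requirements, but the report does not spell the rule out. As an added illustration (not Microsoft's code and not part of the post), the following Python function implements the documented Windows "password must meet complexity requirements" policy as I understand it: at least six characters, no occurrence of the account name or of any display-name token of three or more characters, and characters from at least three of five categories (uppercase, lowercase, digit, non-alphanumeric, other Unicode letters). The account and display names used in the examples are constructed.

```python
import re
from typing import List

# Windows splits the display name on these delimiters; tokens of three or
# more characters must not appear in the password. Taken from the documented
# policy, not from the report above.
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def count_categories(password: str) -> int:
    """Number of the five complexity categories present in the password."""
    upper = lower = digit = symbol = other_alpha = False
    for ch in password:
        if "A" <= ch <= "Z":
            upper = True
        elif "a" <= ch <= "z":
            lower = True
        elif "0" <= ch <= "9":
            digit = True
        elif ch.isalpha():
            other_alpha = True   # letters outside ASCII, e.g. Cyrillic or CJK
        else:
            symbol = True        # punctuation, space, anything else
    return sum((upper, lower, digit, symbol, other_alpha))


def complexity_failures(password: str, account_name: str, display_name: str = "") -> List[str]:
    """Return the policy rules the password violates (empty when it passes)."""
    failures: List[str] = []
    if len(password) < 6:
        failures.append("shorter than 6 characters")
    lowered = password.lower()
    # The account name is checked as a whole, case-insensitively.
    if account_name and account_name.lower() in lowered:
        failures.append("contains the account name")
    for token in _NAME_DELIMS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            failures.append(f"contains display-name token {token!r}")
    if count_categories(password) < 3:
        failures.append("fewer than 3 character categories")
    return failures


def meets_complexity(password: str, account_name: str, display_name: str = "") -> bool:
    return not complexity_failures(password, account_name, display_name)


if __name__ == "__main__":
    # Constructed examples of what a setup-time warning would flag.
    for pw in ("", "administrator1!", "Password1", "P@ss"):
        print(repr(pw), complexity_failures(pw, "Administrator"))
```

A blank password fails both the length and the category rule, which is why the setup dialog the report describes has something to warn about even before any complexity arithmetic.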
Post by StRiDeR on Apr 1, 2004 15:33:24 GMT 8
Quality
As we've said before, Microsoft is strongly committed to using state-of-the-art engineering practices, standards and processes in the creation of our software. We have undertaken a rigorous "engineering excellence" initiative so that our engineers understand and use best practices in software design, development, testing and release. The security development processes we instituted prior to releasing Windows Server 2003 last year are a prime example of where this effort is showing results that benefit customers.
The number of "critical" or "important" security bulletins issued for Windows Server 2003, compared to Windows 2000 Server, dropped from 40 to 9 in the first 320 days each product was on the market. Similarly, for SQL Server 2000, there were 3 bulletins issued in the 15 months after release of Service Pack 3, compared to 13 bulletins in the 15 months prior to its release. With Exchange 2000 SP3, there was just 1 bulletin in the 21 months after its release, compared to 7 bulletins in the 21 months prior.
We also have had some great success developing new internal tools that automatically check code for common errors, and more thoroughly test software before its release. For example, we use code-checking tools that automatically search for classes of bugs that can lead to security vulnerabilities, program crashes and hangs. We have committed to making these engineering advances available to other software developers through training and tools, including the next release of Visual Studio. In Service Pack 1 for Windows Server 2003, we will continue efforts to reduce surface attack area by removing older, unused technology.
Customer Education and Partnerships
The best technologies in the world are ineffective if people don't know how to use them, or aren't aware they exist.
With hundreds of millions of computer users around the globe, and varying levels of knowledge about security, this is a major challenge, but Microsoft is investing significantly to help customers understand how they can make their environments more secure. By the end of this year, our aim is to reach 500,000 business customers worldwide with information on how to optimize their systems and networks for security. We're partnering with other industry leaders to help business customers optimize update management and security solutions. And we're providing seminars and publications for developers to help them build secure applications and Web services.
Starting in April, Microsoft will host the first of 21 Security Summits in cities across the U.S., intended to provide deep technical security training for IT and Developer professionals. This training, offered at no charge, complements a variety of other opportunities Microsoft is providing for customers to help protect their computers and networks, including Webcasts, self-paced learning and hands-on labs. We also are providing security training for customers worldwide, and more information is available from regional Microsoft offices.
We have also created a Security Guidance Center for developers and IT pros at microsoft.com/security/guidance, where customers can find in-depth technical guidance, tools, training and updates to help plan and manage more effective security strategies. This free information includes checklists to help perform security-related checks and processes, step-by-step instructions for a broad range of security tasks, and product- and technology-specific guidance to help protect platforms, networks, desktops and data.
For consumers, we're working on a worldwide education campaign with computer manufacturers, retailers, ISPs and other partners to create broader awareness of best practices in PC "hygiene," and how to make protection technologies easier to enable. This has three aspects: installing antivirus software, using an Internet firewall, and using the Automatic Update features in Windows to automatically download the latest Microsoft security updates. We have joined forces with companies such as Computer Associates, Network Associates, Symantec, Trend Micro, F-Secure, ISS (BlackICE), Tiny Software and Zone Labs to provide special offers on third-party antivirus and personal-firewall software.
We helped form the Virus Information Alliance, which includes 10 leading anti-virus vendors, to help Internet users find information about the latest virus threats affecting Microsoft technology. Last month, the Global Infrastructure Alliance for Internet Safety (GIAIS) was announced to enable even stronger collaboration between Microsoft and Internet Service Providers regarding security issues. Already, GIAIS members performed a critical role in working with Microsoft to identify the virus signatures for MyDoom, and to develop remediation tactics to ensure consumer safety.
Security experts from Microsoft also are participating in initiatives sponsored by the Department of Homeland Security and Congress aimed at strengthening the nation's critical infrastructure, ranging from recommended engineering processes in software development, to effective patch management, to how best to create the business ecosystem required to broadly support robust security practices. Microsoft is also working with law enforcement on a global basis to deter hackers from software sabotage. Last November Microsoft established the Anti-Virus Rewards Program, which offers cash rewards for information provided to the FBI or Secret Service that results in the arrest and conviction of those responsible for unleashing viruses and worms.
The Future
Security is as big and important a challenge as any our industry has ever tackled. It is not a case of simply fixing a few vulnerabilities and moving on. Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality, continuous improvement in tools and processes, and ongoing investments in resilient new security technologies designed to block malicious or destructive software code before it can wreak havoc. It also requires computer users to be proactive about deploying and managing products. Detailed information to help customers become more secure is at www.microsoft.com/security. Technology has come an incredibly long way in the past two decades, and it is far too important to let a few criminals stop the rest of us from enjoying its amazing benefits.
Bill Gates
source from: microsoft.com :)
p/s: phew... I'm worn out from reading this, my eyes are spinning :)... but it was worth it.... congratulations to Microsoft for creating this super-sophisticated security system... well done Bill Gates ;D.... to anyone who wants to read it... make a drink first... coffee or tea... then read it... reading this speech from Bill Gates is tiring...