-
September 7th, 2002, 03:01 AM
#1
New M$ virus affects all versions of M$ Windows?!
There seems to be a new "virus" propagating around out there that they say is not a worm or virus in source code nature. And the method of attack is unknown, all they say is that the attack is automated.
Microsoft posted a mysterious alert on its product support services (PSS) page. The alert warns of a hack attack that locks out users, installs backdoor programs, and gives an attacker remote access via IRC.
For some reason this doesn't surprise me. All you can do for now is scan your computer for the certain files that are showing up on "infected" systems.
The PSS team says infected systems contain the following files:
Gg.bat
Seced.bat
Nt32.ini
Ocxdll.exe
Psexec
Ws_ftp
Flashfxp
Gates.txt
That is a pretty hefty list of files if you are doing a manual file scan. You can read the whole story here and basically the same article put out by Microsoft here.
I was wondering if this has hit anyone on here? All of our boxes are clean, and I have heard no talk of this anywhere.
edit: If anyone has this "virus" on their system I would like to see the files, you know see how it works and try to implement a stronger security policy relating to this.
Civilization. The death of dreams.
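The file-name check described in the post above, automated as an added example (not code from this thread or from Microsoft's article). Matching the three extension-less names (Psexec, Ws_ftp, Flashfxp) by stem is an assumption, and because those names are also used by legitimate tools, a hit is a lead to investigate rather than proof of compromise.

```python
import os
import tempfile

# File names quoted in the post above from the PSS alert.
EXACT_NAMES = {"gg.bat", "seced.bat", "nt32.ini", "ocxdll.exe", "gates.txt"}
# Listed without an extension, so match the stem against any extension (assumption).
STEM_NAMES = {"psexec", "ws_ftp", "flashfxp"}


def match_indicator(filename):
    """Return the listed name a file matches, or None. Case-insensitive."""
    lower = filename.lower()
    if lower in EXACT_NAMES:
        return lower
    stem = os.path.splitext(lower)[0]
    return stem if stem in STEM_NAMES else None


def scan(root):
    """Walk root; return (sorted (indicator, path) hits, unreadable directories)."""
    unreadable = []  # directories skipped because of permission errors
    hits = []
    walker = os.walk(root, onerror=lambda err: unreadable.append(err.filename))
    for dirpath, _dirs, files in walker:
        for name in files:
            indicator = match_indicator(name)
            if indicator:
                hits.append((indicator, os.path.join(dirpath, name)))
    return sorted(hits), unreadable


def demo():
    """Run the scan over a constructed directory tree (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("system32/GG.BAT", "system32/notepad.exe",
                    "temp/PsExec.exe", "temp/gates.txt.bak", "docs/Gates.txt"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        hits, _unreadable = scan(root)
        return [indicator for indicator, _path in hits]


if __name__ == "__main__":
    print(demo())
```

Check the second return value of `scan` as well: directories the scan could not read are listed there and have not been cleared.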
-
September 7th, 2002, 03:21 AM
#2
I haven't heard of anything of this as of yet. I am sure I will soon. I haven't read the article yet, but maybe our network will be a little safer than some since we don't allow irc to get through the firewall. Who knows? I will definitely have to read this article. Thanks for the info.
Opinions are like  holes - everybody's got'em.
-
September 7th, 2002, 03:39 AM
#3
Uh-oh.... If MS doesn't give lots of details it's no good.... Is there any patch available or is it just run a virus scan and see what happens?
-
September 7th, 2002, 05:04 PM
#4
Member
Breakdown of files
I found a post here where someone did an analysis on the files used in this attack. Specifically, go to the post on Sept 4.
And the "warning" from Microsoft is terrible! Could it be any more cryptic?
-
September 7th, 2002, 05:23 PM
#5
Junior Member
MS is always having problems
Waz up. Well, you say of another MS problem. Well, if they have not fixed it yet, there is a problem in the (SSL) that is letting peeps crack in and put codes into banks' computers, and when the customers go to make a transfer, the codes that the hacker/cracker has put in there will make transfers on their own. There was a post about this on AntiOnline but I could not find it again; feel free to look for it.
See ya
-
September 8th, 2002, 01:03 AM
#6
Well, I scanned my comp and I was clean of all files except gates.txt. It was full of IP addies and server listings... Idk what it means. Oh well.
uraloony, Founder of Loony Services
Visit us at http://www.loonyservices.com/
-
September 8th, 2002, 01:47 AM
#7
I liked this quote as reported by: http://www.wired.com/news/technology...,54942,00.html
In responding to the MS alert, Harlan Carvey, a security engineer with a financial services firm, said:
"It's easily one of the most unprofessional pieces of crap I've ever read. Vague, indirect, doesn't say anything useful at all."
Couldn't have put it better myself
P.S. If the MS alert makes any sense at all, I think it is saying that this (whatever it might be) only affects Win2k/XP - not that this really helps much ...
-
September 9th, 2002, 05:34 AM
#8
MS have decided that what was originally an unknown form of attack is actually a mIRC Trojan-Related Attack.
http://support.microsoft.com/default...;en-us;Q328691
UPDATE: As of September 6, 2002, reports of malicious activity that follow the particular pattern that is outlined in this article have lessened significantly. The Microsoft Product Support Services Security Team has modified this Microsoft Knowledge Base article to reflect this information and to refine suggestions for detection and repair criteria.
Here is an article which investigates Microsoft's backflip on the 'vulnerability':
http://www.theregister.co.uk/content/55/27007.html
So it really does sound like a remote compromise independent of user interaction. Naturally, MS steadfastly refuses to tell us anything useful, like how this is accomplished. 'Install your patches and quit asking impertinent questions' seems to be the subtext here. It's just that I can't quite noodle out how a remote compromise (i.e., one not requiring user interaction) is not a security issue. Perhaps the Redmond spin-meisters would like to walk me through that one.
Anyone surprised?
-
September 9th, 2002, 06:34 AM
#9
how about the way they blame the people that become infected. blaming unpatched or misconfigured servers...damme bitch was asken for it.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
September 9th, 2002, 07:23 AM
#10
Member
Wonder what's in Gates.txt... Bet it's funny!
I breathe, therefore I am!
I type, therefore I live!
I love, therefore I die!