Security UPDATE--New Worms Target Unpatched Web Servers--May 5, 2004


==== This Issue Sponsored By ====

Ecora Software

Exchange & Outlook Administrator


1. In Focus: New Worms Target Unpatched Web Servers

2. Security News and Features

- Recent Security Vulnerabilities

- News: Problems with Microsoft's Patch MS04-011

- News: Need ISC Bind DNS Support?

- News: Network Associates to Consolidate and Change Name

- News: Microsoft Presents Antispyware Strategy

3. Instant Poll

4. Security Toolkit


- Featured Thread

5. New and Improved

- All-in-One ADSL Modem, Firewall Router, and Switch


==== Sponsor: Ecora Software ====

Rely on our great reports to make your patch management headaches go away! Start automating your backlog of security patches today! Network Computing magazine has just named our previous version as the "Editor's Choice" tool for Patch Management. Our newest version is loaded with even more high-performance benefits such as 500% faster scanning and analysis loading, cross-platform support, enhanced user interfaces, policy compliance features, and our great admin and management reports. Go directly to our free trial page and see for yourself, first-hand, what our automated patch solution is all about. Special Bonus: The first 100 people to trial Patch Manager 3.1 from the link below will receive a FREE T-Shirt. Try us now-


==== 1. In Focus: New Worms Target Unpatched Web Servers ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Last week, I wrote about the most recent security patches from Microsoft as well as new exploits that take advantage of related problems. I also mentioned that if you haven't loaded the Microsoft Security Bulletin MS04-011 (Security Update for Microsoft Windows) patch, then your systems are sitting ducks. As it turns out, duck hunting season just opened.

Several worms are now spreading and taking advantage of problems that can be remedied by the MS04-011 patch. According to the SANS Institute's Internet Storm Center, variants of the Gaobot worm target systems that don't have the MS04-011 patch. In addition, at least three variants of the Sasser worm target the same vulnerabilities.

Of course, all the companies that provide preventive measures, including makers of antivirus software and Intrusion Detection Systems, are updating their tools to provide protection. Some have also provided removal tools in case your systems have become infected by the Sasser worm variants. If your systems have become infected and you need quick help removing worms, check with your antivirus vendor to determine whether it's released Sasser removal tools.

Microsoft has released a bulletin regarding the Sasser worm as well as a tool that helps with worm removal. You can find it at the first URL below. If you need help with worm removal, remember that Microsoft provides free support for security matters. United States and Canadian residents can reach the company toll free at 866-727-2338, or anyone can go to the second URL below and click the "Send us an online request for support" link.

If you've loaded the patch already and have experienced problems or if you're considering loading the patch soon, be aware that known problems with the patch might affect your network environment. For more information, see the first News item below.


==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!

If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

News: Problems with Microsoft's Patch MS04-011

The Microsoft article "Your computer stops responding, you cannot log on to Windows, or your CPU usage for the System process approaches 100 percent after you install the security update that is described in Microsoft Security Bulletin MS04-011," released on April 28, discusses problems that have been discovered in the recently released Microsoft Security Bulletin MS04-011 (Security Update for Microsoft Windows). According to the article, problems can arise on Windows 2000 OSs if any of three drivers (ipsecw2k.sys, imcide.sys, or dlttape.sys) are loaded. People might experience lockups at boot time, the inability to log on, or 100 percent CPU utilization.

News: Need ISC Bind DNS Support?

Nonprofit company Internet Software Consortium (ISC), maker of ISC Bind DNS software, has announced the availability of support contracts. You can choose 24 x 7 support, 12 x 7 support (from 8 A.M. to 8 P.M., Eastern Standard Time--EST), or 9 x 5 support (from 9 A.M. to 6 P.M., EST, Monday through Friday).

News: Network Associates to Consolidate and Change Name

Network Associates announced that the company will sell its Sniffer product line, focus exclusively on security solutions, and change its name to McAfee. Silver Lake Partners and Texas Pacific Group will buy the Sniffer technology for $275 million.

News: Microsoft Presents Antispyware Strategy

Deceptive software, also known as spyware, now accounts for more than 50 percent of the Windows failures reported to Microsoft and is becoming an important industry concern. Microsoft's partners report that spyware is the number-one support problem and is costing the industry millions of dollars a year in support costs. Microsoft and other companies detailed to the US Federal Trade Commission (FTC) the steps they're taking to reduce the threat and problems spyware causes.


==== Announcements ====

(from Windows & .NET Magazine and its partners)

The Conference on Securing and Auditing Windows Technologies, July 20-21

New for 2004, The Conference on Securing and Auditing Windows Technologies will be held July 20-21, 2004, at the Fairmont Copley Plaza in Boston, MA. In vendor-neutral sessions on today's hottest topics, you'll get practical strategies for mitigating risk and safeguarding your systems. For more information, call 508-879-7999 or go to:

Register Today for Microsoft Tech Ed 2004

Don't miss Tech Ed 2004 -- May 23-28, 2004 in San Diego, CA -- the definitive Microsoft conference for building, deploying, securing and managing connected solutions. You'll find 11 conference tracks and over 400 sessions. Get answers to your technical questions, meet industry experts, evaluate new products, and take advantage of extensive networking opportunities. Register today.

Small Servers for Small Businesses Web Seminar

Today a small business can be as agile as a large business by understanding which technology can be leveraged to create a centralized server environment. In this free Web seminar, you'll learn the perils of peer-to-peer file sharing, backup and recovery, migration from desktop to servers, and Small Business Server basics. Register now!


==== 3. Instant Poll ====

Results of Previous Poll

The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "As a security administrator, what's your most important task?" Here are the results from the 77 votes.

- 43% Security monitoring and auditing

- 13% Policy management and enforcement

- 23% Patch management

- 19% End-user education

- 1% Other

(Deviations from 100 percent are due to rounding.)

New Instant Poll

The next Instant Poll question is, "Has your company become infected by the Sasser or Gaobot worm?" Go to the Security Web page and submit your vote for

- Yes

- No

- I'm not sure

==== 4. Security Toolkit ====

FAQ: Password-Change Web Page

by John Savill,

Q: How can I create a Web page at which users can change their passwords?

A: You can write an Active Server Pages (ASP) script that creates a password-change Web page. ASP gives you complete access to Microsoft Active Directory Service Interfaces (ADSI), which lets you perform a variety of functions, such as changing passwords or creating accounts. When you write such a script, you must consider factors such as the user account under which the script will run and the permissions you want to use when the script runs. To see a script and further explanation, go to this FAQ on our Web site.

Featured Thread: Group Membership Issue (findgrp error 234)

(Three messages in this thread)

A reader writes that he has a problem with the membership of user accounts in global groups. One symptom is that some applications are not aware of local or domain administrator rights and those applications don't allow installation or configuration. When the reader executes the findgrp command (from the Microsoft Windows 2000 Resource Kit), he receives error 234, "finding global groups: Unknown Error: 234." However, the local groups are listed correctly.

The reader is using Windows XP Professional Service Pack 1 (SP1) and all patches in a Windows 2000 Server Active Directory (AD) environment. As far as he can determine, only XP systems have this problem. He thinks a particular patch might be causing the behavior and would like advice. Lend a hand or read the responses:


==== Events Central ====

(A complete Web and live events directory brought to you by Windows & .NET Magazine: )

Popular Web Seminar--The Spam Problem Solved: Hensel Phelps Construction Company Case Study

Find out how Hensel Phelps Construction, a multibillion-dollar national contractor, has implemented a multilayered antispam solution to increase user productivity and decrease the burden on IT staff resources, infrastructure, and budget. Sign up now for this free Web seminar!


==== 5. New and Improved ====

by Jason Bovberg, [email protected]

All-in-One ADSL Modem, Firewall Router, and Switch

TRENDware International announced TEW-435BRM and TW100-BRM504, all-in-one ADSL modem, firewall router, and four-port switch packages for the small office/home office (SOHO) environment. TW100-BRM504 is designed for wired networks, whereas TEW-435BRM supports both wired and 802.11g wireless networks. Advanced security features include Stateful Packet Inspection (SPI) and a Rules-Based Firewall. You can control users' Internet access by URL, time, and MAC address, and you can use the product's logs and reports to monitor intrusion attempts and traffic. For more information, contact TRENDware International at 310-891-1100 or on the Web.

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Sponsored Links ====


Comparison Paper: The Argent Guardian Easily Beats Out MOM

Microsoft(R) TechNet

Microsoft(R) TechNet Webcasts: essential guidance, industry experts


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


==== Contact Our Sponsors ====

Primary Sponsor:

Ecora Software -- 1-877-92-ECORA


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

View the Windows & .NET Magazine privacy policy at

Windows & .NET Magazine, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.

TAGS: Security