Windows & .NET Magazine UPDATE--Details About the Trojan Attack--June 1, 2004

This Issue Sponsored By

Argent Software

Download: Be Proactive with Real-Time Monitoring!


1. Commentary: Details About the Trojan Attack

2. Hot Off the Press
- Microsoft Plans $300 Million Marketing Blitz for Windows XP SP2

3. Resources
- Featured Thread: Limit Logons to One
- Tip: I have an Exchange Server 2003 server that runs on Windows Server 2003 and has more than 1GB of memory. What settings should I add to the boot.ini file to optimize virtual-memory usage?

4. New and Improved
- Estimate Event-Log Data Volume
- Monitor USB and Serial Device Activity
- Tell Us About a Hot Product and Get a T-Shirt!

==== Sponsor: Argent Software ====

Free Download: Monitor Your Entire Infrastructure with ONE Solution
The Argent Guardian monitors servers, applications, any and all SNMP-compliant devices as well as the overall health of the entire network at a fraction of the cost of "framework" solutions. Network Testing Labs states that "The Argent Guardian will cost far less than MOM and yet provide significantly more functionality." Using a patented Agent-Optional architecture, the Argent Guardian is easily installed and monitoring your infrastructure in a matter of hours. Download a fully-functioning copy of the Argent Guardian at:


==== 1. Commentary: Details About the Trojan Attack ====
by Paul Thurrott, News Editor, [email protected]

Last week, I discussed my disillusionment with Windows security and mentioned a Trojan horse attack that rendered my notebook almost unusable. However, I didn't provide any details about the Trojan, which led to a bunch of email from curious readers. Sorry about that: I wasn't trying to be coy; I didn't have enough details about the attack to write about it in last week's commentary. This week, however, I'd like to describe the Trojan and explain how I got it.

As I often do before a trip, I prepped my laptop with the latest versions of my documents the night before I left and wrote a few DVD backups. Although I'm a big fan of personal information managers (PIMs) and PDAs, I also value the handiness of paper printouts, so I always print my trip itinerary: A printout typically includes flight, car rental, and hotel information, but this was a short trip, so I only needed to print my train schedule. But here's the problem: I'm using a NETGEAR print server that's incompatible with the Windows Firewall in Windows XP Service Pack 2 (SP2), so when I need to print from an SP2 box, I must temporarily disable the firewall. I did so, printed the schedule, and was then distracted by my son, Mark. That was mistake number one: I forgot to immediately re-enable the firewall, as I typically do.

Mark was playing a video game on my desktop PC and had run into a tough spot. Being the good father that I am, I offered to step in and play the game for him and see whether I could complete the sequence he was having trouble with. Embarrassingly, I couldn't complete it either, so I decided to look up a walkthrough for the game online. I launched Microsoft Internet Explorer (IE) and started Googling the game. That was mistake number two: I typically use Mozilla Firefox for Web browsing, but of course, I've been testing the new and improved IE in SP2. As it turns out, many of the links from Google to game walkthroughs are, in fact, front ends to bizarre collections of Trojans, spyware, and other unwanted electronic junk.

I've heard horror stories from other people about the malicious software (malware) they've collected over time, and I've spent a lot of time helping them remove the invasive little buggers. Although I've occasionally experienced some malware on my own PCs, the truth is, I keep my systems pretty safe. I run Symantec AntiVirus Corporate Edition on my network and regularly install and run Lavasoft's Ad-aware Plus 6.0 for detecting and removing malware and spyware. One feature that I like about XP SP2's version of IE is that I can configure it to not load spurious application add-ons (or plug-ins). However, SP2 doesn't go far enough: IE doesn't offer any way to permanently remove these add-ons, and SP2 doesn't offer any sort of integrated, system-level, malware detection and prevention technology. Clearly, this is a feature Windows desperately needs.

After I had helped my son with his deeply technical problem, I returned to my trip preparations, re-enabled the firewall, and got back to work. That's when I noticed the problems. IE windows were spontaneously popping up and disappearing. When I manually opened IE, I saw a new toolbar (identified as blehdefyreal in IE's Manage Add-ons window) and a new home page ( And windows were popping up asking me whether I wanted to install an application that, ironically enough, offered to clean my system of malware. Cute.

After disabling the blehdefyreal toolbar in IE, I used a variety of utilities to track down the offending code, including Ad-aware, Simply Super Software's Trojan Remover, Spybot Search & Destroy, and a few others. Every utility found something to complain about, but none eliminated the problem. I manually deleted suspicious folders in Program Files. I also looked at the running tasks in my system and found a few suspicious entries. Windows' built-in Task Manager is useless for this task (ahem), of course, because you can't see which applications are loaded inside of the various svchost.exe application host environments. So I used Sysinternals' Process Explorer to find out what was going on.

One suspicious application was called TV Media (tvm.exe); another was Kind vc (POLL EACH.exe). I killed both processes and used regedit.exe to search for them in the registry. Both were in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey, which meant they would be instantiated each time Windows rebooted. So I removed those entries and kept searching. Nothing. Thinking I was getting on top of the situation, I watched one of the spyware detectors do its thing when, bam, an IE window suddenly popped open, then disappeared. With an uneasy feeling in the pit of my stomach, I relaunched regedit.exe. Sure enough, tvm.exe and POLL EACH.exe were back. Unbelievable.

Looking through the IE history, I discovered that the pop-up IE window had visited, and that site attempts to launch various other pop-ups. Firefox simply presents a blank page and notes that the page attempted to display unrequested pop-up windows. In XP SP2's IE, there's a popping sound (which I believe is related to a blocked pop-up), but then the IE window closes. Clearly, some damage has been done. And those pesky autolaunch applications keep appearing in the registry, and I can't figure out what's automatically spawning the IE window.
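The hunt described above (suspicious processes, Run-key autostarts, entries that come back after deletion, and not knowing what respawns them) can be scripted. The following is an added example written for this page in modern PowerShell (5.1 or later, run from an elevated prompt); it is not the author's code and did not exist in 2004. It lists every Run/RunOnce value under HKLM and HKCU, resolves each value to an executable the way CreateProcess would (handling unquoted paths with spaces), reports the Authenticode signature status, shows any running instance together with its parent process, and then diffs two snapshots so a value that is rewritten after you delete it shows up, pointing you at the watchdog process that keeps restoring it. The 30-second wait and the key list are assumptions chosen for the example.

```powershell
# Added example (not from the original newsletter). Requires Windows PowerShell 5.1+
# with administrator rights so HKLM values and all processes are readable.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds to every result; they are not registry values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-ImagePath {
    # Mimics CreateProcess: a quoted path is taken whole; an unquoted path with
    # spaces (e.g. C:\Program Files\TV Media\tvm.exe) is resolved by trying
    # progressively longer prefixes until one names an existing file.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        if (Test-Path -LiteralPath "$candidate.exe" -PathType Leaf) { return "$candidate.exe" }
    }
    return $tokens[0]   # nothing on disk matched; report the first token as-is
}

function Get-AutorunEntry {
    # One object per Run/RunOnce value: where it lives, what it launches,
    # whether the image is signed, and which running processes (with parents)
    # were started from that image.
    $allProcs = Get-CimInstance Win32_Process
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $MetaProps) { continue }
            $image = Resolve-ImagePath ([string]$p.Value)
            $sig = if (Test-Path -LiteralPath $image -PathType Leaf) {
                (Get-AuthenticodeSignature -LiteralPath $image).Status
            } else { 'FileMissing' }
            $running = foreach ($pr in ($allProcs | Where-Object { $_.ExecutablePath -eq $image })) {
                $parent = $allProcs | Where-Object { $_.ProcessId -eq $pr.ParentProcessId }
                "$($pr.ProcessId) <- $($parent.Name):$($pr.ParentProcessId)"
            }
            [pscustomobject]@{
                Key       = $key -replace '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion', ''
                Name      = $p.Name
                Image     = $image
                Signature = $sig
                Processes = ($running -join '; ')
            }
        }
    }
}

function Watch-AutorunChange {
    # Snapshot the autostarts, wait, snapshot again, and report values that
    # appeared in between. Delete a suspect value during the wait: if it is
    # listed here, something still running is rewriting it.
    param([int]$Seconds = 30)
    $before = @(Get-AutorunEntry | ForEach-Object { "$($_.Key)\$($_.Name) = $($_.Image)" })
    Start-Sleep -Seconds $Seconds
    $after  = @(Get-AutorunEntry | ForEach-Object { "$($_.Key)\$($_.Name) = $($_.Image)" })
    Compare-Object -ReferenceObject $before -DifferenceObject $after |
        Where-Object SideIndicator -eq '=>' |
        Select-Object -ExpandProperty InputObject
}

# Anything whose Signature is not 'Valid' and whose image sits under Program
# Files or a temp directory deserves a second look; the Processes column tells
# you which parent launched it.
Get-AutorunEntry | Sort-Object Signature | Format-Table -AutoSize
Write-Host 'Watching for re-created autostart values for 30 seconds (delete a suspect value now)...'
Watch-AutorunChange -Seconds 30
```

The parent-process column is the piece the commentary was missing: a respawned tvm.exe whose parent is not explorer.exe or a known installer names the process that needs to be stopped first, before the Run value is deleted. The same Compare-Object technique works for any other autostart location (Services, Winlogon, scheduled tasks) by adding its key to $RunKeys.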

Last week, I noted that I would ultimately be forced to wipe out this machine and start over, but I decided to see whether anyone has any experience with this particular problem. I've also received two offers of help from individuals at Microsoft, and I'll probably take them up on those offers. I'm surprised that so little online information about these problems exists. Google searches have been curiously ineffective, leading me to wonder whether this Trojan is a recent development. For the record, it doesn't appear to damage or delete data, but time will tell. In the meantime, this laptop will be quarantined offline.

I had hoped to present the Laptop of the Month today, but I'm out of space, so I'll tackle that next week. In the meantime, if you have any experience with the problems I've described or any advice, I'm all ears. I'll present the conclusion (I hope) of this nasty little episode next week.


==== Sponsor: Download: Be Proactive with Real-Time Monitoring! ====

There are two ways to manage your critical systems: reactive and proactive. ELM Enterprise Manager supports the latter. ELM Enterprise Manager is the affordable solution that monitors the health and status of your systems in real time, provides easy-to-access views, and alerts you in time to take prompt corrective action. Be proactive: download your FREE 30-day full-featured trial copy of ELM Enterprise Manager NOW and start experiencing the benefits of real-time monitoring.


==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Microsoft Plans $300 Million Marketing Blitz for Windows XP SP2
Microsoft will spend $300 million marketing its biggest security release ever, Windows XP Service Pack 2 (SP2). But the big question about XP SP2 isn't the price, it's the timing. When, exactly, will Microsoft see fit to release this most disruptive of Windows updates? Read more about this topic at the following URL:

==== Announcements ====
(from Windows & .NET Magazine and its partners)

New Chapter Available--"The Expert's Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003"
Chapter 4 is now available, "Database Strategies and Server Sizing." This free eBook will educate Exchange administrators and systems managers about how to best approach the migration and overall management of an Exchange 2003 environment. You’ll learn about core issues such as configuration management, accounting, monitoring performance, and more. Get the latest chapter now!

Chapter 2 Available Now--"Preemptive Email Security and Management"
This free eBook will offer a preventive approach to eliminating spam and viruses, stopping directory harvest attacks, guarding content, and improving email performance. In this new chapter, learn evolving techniques for eliminating spam, email virus, and worm threats. Download this eBook today!

Windows & .NET Magazine Announces Best of TechEd Winners!
Windows & .NET Magazine and SQL Server Magazine announced the winners of the Best of TechEd 2004 Awards. The field included more than 260 entries in 10 categories. Winners were announced at a private awards ceremony on Wednesday, May 26 at TechEd. Click here to find out the winners:

==== Instant Poll ====

Results of Previous Poll: Home Computer Attacks
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "Has your home computer ever been hacked or hit with malicious software (malware)?" Here are the results from the 390 votes:
- 38% Yes, once or twice
- 7% Yes, often
- 51% No, never
- 3% I don't know

(Deviations from 100 percent are due to rounding error.)

New Instant Poll: Spyware-Detection Software
The next Instant Poll question is, "Do you run any type of spyware-detection software on your home systems?" Go to the Windows & .NET Magazine home page and submit your vote for a) Yes, spyware detection is part of my Internet security package, b) Yes, I run standalone spyware-detection software, c) No, I run no spyware-detection software, or d) I don't know.

==== 3. Resources ====

Featured Thread: Limit Logons to One
Forum reader Oberion wants to know how to limit the number of workstations a user can log on to at one time. Currently, users can log on to as many workstations as they want. If you can help, join the discussion at the following URL:

Tip: I have an Exchange Server 2003 server that runs on Windows Server 2003 and has more than 1GB of memory. What settings should I add to the boot.ini file to optimize virtual-memory usage?
by John Savill,

On pre-Windows 2003 systems (32-bit) that have more than 1GB of memory, it was common to add the /3GB switch to the boot.ini file so that the Microsoft Exchange Server Information Store (IS) process could use 3GB of the 4GB virtual address space instead of the default 2GB. On a Windows 2003 system, you should add a second switch alongside /3GB: /USERVA=3030. The /3GB switch splits the address space 3GB for user mode and 1GB for kernel mode; /USERVA=3030 trims the user-mode portion to 3030MB, which returns roughly 40MB of address space to the kernel for page table entries (PTEs). That extra PTE room is what improves an Exchange 2003 server's scalability; /USERVA has no effect without /3GB. The following sample boot.ini entry shows the use of the /3GB and /USERVA=3030 switches:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Server 2003" /fastdetect /3GB /USERVA=3030

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: )

New Web Seminar--Shrinking the Server Footprint: Blade Servers
In this free Web seminar, you’ll learn how blade servers provide native hot-swappable support, simplified maintenance, modular construction, and support for scalability. And we'll talk about why you should be considering a blade server as the backbone of your next hardware upgrade. Register now!

==== 4. New and Improved ====
by Angie Brew, [email protected]

Estimate Event-Log Data Volume
Dorian Software Creations released Auditing Volume Analyzer, a free tool designed to help network administrators better estimate the volume of event-log data that their networks generate. Auditing Volume Analyzer examines event-log files on multiple Windows systems to provide an estimate of log-file growth rates and storage requirements. The tool runs on Windows 2003/XP/2000/NT systems. You can download the software at Contact Dorian Software Creations at [email protected]

Monitor USB and Serial Device Activity
HHD Software released USB Monitor and Serial Monitor, applications that monitor USB and serial device activity. USB Monitor inserts a filter driver between the host controller and the device driver to track the data transferred between the device and its driver and to capture USB Request Blocks (URBs). The program decodes each URB's contents at several levels of detail, from a basic summary to a full breakdown. Serial Monitor attaches to the serial port driver to monitor all software serial port activity. You can configure Serial Monitor to log data for future analysis. The applications require 64MB of RAM and 4MB of free hard disk space. For pricing, contact HHD Software at [email protected]

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

==== Sponsored Link ====

Comparison Paper: The Argent Guardian Easily Beats Out MOM


==== Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]


==== Contact Our Sponsors ====

Primary Sponsor:
Argent Software -- -- 1-860-674-1700

Secondary Sponsor:
TNT Software -- -- 1-360-546-0878


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Manage Your Account
You are subscribed as #EmailAddr#. Windows & .NET Magazine a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All Rights Reserved.
