Windows & .NET Magazine UPDATE--My Trojan War Becomes a Quagmire--June 8, 2004

1. Commentary: My Trojan War Becomes a Quagmire

2. Hot Off the Press
- Microsoft Cleared in Brazilian Antitrust Case

3. Resources
- Featured Thread: Unknown UDP Traffic Locks Up Network
- Tip: Does acctinfo.dll work with Windows 2000 Server?

4. New and Improved
- Back Up Crucial Data
- Test and Deploy Applications on VMs
- Tell Us About a Hot Product and Get a T-Shirt!

==== Sponsor: NEW White Paper - Decision Point: Evaluating SBS 2003 for Your Business ====

In this free white paper from HP, you'll learn what SBS 2003 can and can't do, explore common scenarios surrounding small to midsized business needs, see how SBS 2003 fits into those scenarios, and discover what steps you need to take to upgrade or migrate your existing network structure to SBS 2003. Download this complimentary White Paper now!
http://www.winnetmag.com/whitepapers/hp/evaluatingSBS

==== 1. Commentary: My Trojan War Becomes a Quagmire ====
by Paul Thurrott, News Editor, [email protected]

For the past 2 weeks, I've been discussing my first major electronic Trojan horse attack, which appears to have lodged some sort of self-replicating code in a Windows XP Service Pack 2 (SP2)-based laptop. After describing the attack in detail last week ( http://www.winnetmag.com/article/articleid/42845/42845.html ), I received an astonishing 200+ email messages from readers, all chock-full of advice about how I might combat the Trojan. Words can't begin to express my thanks for the level and quality of these responses. I've said it before, and it's still as true as ever: Windows & .NET Magazine UPDATE readers are an incredible lot, and thanks so much for all the help.

So I spent the better part of last week going through the tips and advice one email message at a time, trying to figure out how to wipe out the Trojan without wiping out the system, a tactic I refer to sarcastically as "nuking it from space," an allusion to the 1986 sci-fi movie classic "Aliens." And frankly, I'd have wiped the partition out a week ago and started over, but I feel a certain obligation to see whether I can't fix the machine--for two reasons: Solving the problem might help others (and it's clear from all the email I've received that this sort of attack is a big concern); and Microsoft has gotten involved because it's readying the security-centric XP SP2 release, which doesn't offer a complete solution for this new type of threat (though, frankly, Windows Firewall could have prevented it from happening in the first place). I'm willing to help the company with a solution, I suppose, but it's difficult to remotely fix this sort of problem, and I'm not excited to pack up the machine and ship it to Redmond if it comes to that.

But sadly, I can't claim to have made much progress in the past week, although I've certainly tried just about everything. It's hard to explain how frustrating this problem has been, though I get the feeling many of you have experienced this same frustration, based on your email messages. What's interesting is that, though many people appear to have had similar attacks, none involved the same files, registry settings, or other attributes, suggesting that this attack is a bit more sophisticated than your standard Trojan attack.

There have been a few glimmers of hope. Eugene Curran recommended an excellent product--Tiny Software's Tiny Personal Firewall (TPF--http://www.tinysoftware.com)--that mitigates the problems the malicious software (malware) causes but doesn't remove the offending code: While TPF is running, the registry doesn't automatically spawn references to TV Media (tvm.exe) after I manually delete the references, and Microsoft Internet Explorer's (IE's) home page isn't hijacked by http://www.allaboutsearching.com, which are the two remaining symptoms at this time. But when I turn off or disable TPF, these symptoms return. TPF has given me a somewhat acceptable way to use the machine while I wait for a fix, but the offending launch code is still hiding somewhere on my machine, and it's wearing on me. (Tvm.exe doesn't exist, however, so the hidden launch code can't actually do anything.)

Here's why I think TPF works: The latest version of the firewall, TPF 5.5 build 1332, includes a unique new feature that, according to the company, "adds robust protection against all unknown spyware which based their existence on injecting malicious code into applications you normally trust." Also, TPF is a two-way firewall, compared with XP SP2's inbound-only Windows Firewall, so it prevents installed Trojans from doing any damage after the fact. This is a feature SP2's Windows Firewall sorely lacks.

Through various means, I've managed to eliminate parts of the attack's effects. The references to POLL EACH in the registry are gone and haven't returned. The inscrutable blehdefyreal toolbar in IE is also gone, although I wish that Microsoft had provided an automated way to remove such add-ons in XP SP2's new Manage Add-on tool for IE 6.0, which can only enable or disable (but not remove) IE add-ons. But the TV Media references (but not the tvm.exe application) and IE home-page hijacking, as previously mentioned, remain.

I don't understand why it's impossible to find the hidden process that's making changes to this system. With all the registry and process watchers I've tried and all the antispyware utilities I've run, it should be a fairly straightforward process to find the thing and rip it out. But I've had no luck at all.

Therefore, I'll need to postpone the conclusion to this sad little epic to yet another week: Some experts at Microsoft are investigating the problem, and I hope to have a more definitive conclusion and perhaps a step-by-step guide to fixing this sort of problem sometime soon. Again, thanks to everyone who wrote me: Your help is very much appreciated. I wish I had better news.

Users and Administrators
On a related note, several readers mentioned that they hoped I hadn't been running the laptop with an Administrator-level account. Sadly, on a nonmanaged XP machine today, it isn't realistic to run without Administrator privileges. Unlike UNIX and UNIX-like systems such as Linux and Apple Computer's Mac OS X, Windows isn't very useable with a non-Administrator account, largely because so many applications are ignorant of rights and were written to work only with Administrator-level accounts. This is particularly problematic in a home environment, in which XP Home Edition's crippled Limited Account type, designed for children and less-technical users, is virtually useless. The machines I use are all using XP Professional Edition, of course, but the net effect is the same: Unless and until Microsoft changes the way local user accounts work and gets application and driver writers to sign on board, it's not possible to take this obvious step toward securing an unmanaged Windows system unless you're willing to give up a lot of functionality.

By comparison, consider how simple tasks in Mac OS X work. Even if you log on with an Administrator account, some tasks, such as running Software Update Services (SUS) or installing applications, require you to provide your password again, interactively, when you run them. This approach is a simple yet effective way to ensure that you intend to perform an activity that will change configuration settings or potentially damage the system. In Windows, the lame Run As option, virtually hidden under a right-click menu that typical users will never know about, is a poor substitute. As with the lack of spyware tools and a true two-way firewall in XP SP2, this is an area in which Microsoft needs to invest in the future.

==== Sponsor: Windows & .NET Magazine ====
Get 2 Sample Issues of Windows & .NET Magazine!
Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month!
http://www.winnetmag.com/rd.cfm?code=fsep204xup

==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Microsoft Cleared in Brazilian Antitrust Case Last week, after 6 years of investigation, the Brazilian government cleared Microsoft of allegations that the company prevented competition in the country's software sector. The antitrust win was a rare one for the software giant, which for the past few years has found itself the subject of major anticompetitive court cases in the United States and Europe. To read the complete article, visit the following URL:
http://www.winnetmag.com/article/articleid/42875/42875.html

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Get 2 Free Sample Issues of SQL Server Magazine!
If you're a SQL Server developer or administrator, SQL Server Magazine is a must-read. Subscribe and gain access to a library of hot topic discussions related to SQL Server 2005, reporting services, and much more. Learn from a treasury of articles, experts, savvy tips, and code listings that will give you the answers you're looking for. Order now:
http://secure.pentontech.com/nt/sql/index.cfm?promocode=fsep2146fw

Windows & .NET Magazine Announces Best of TechEd Winners!
Windows & .NET Magazine and SQL Server Magazine announced the winners of the Best of TechEd 2004 Awards. The field included more than 260 entries in 10 categories. Winners were announced at a private awards ceremony on Wednesday, May 26 at TechEd. Click here to find out the winners:
http://www.winnetmag.com/windowspaulthurrott/article/articleid/42789/windowspaulthurrott_42789.html

Does Your Company Currently Use Microsoft Windows NT Server?
If your answer is "yes," Windows & .NET Magazine wants your opinion! Take a short survey and register to win an Xbox. Click the link below to help us understand why more than 3 million servers currently run Windows NT Server. Give your opinion about consolidating file print servers and upgrading to Windows 2003.
http://websurveyor.net/wsb.dll/12237/ntserver.htm

==== Instant Poll ====

Results of Previous Poll: Spyware-Detection Software
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "Do you run any type of spyware-detection software on your home systems?" Here are the results from the 664 votes:
- 14% Yes, spyware detection is part of my Internet security package
- 77% Yes, I run standalone spyware-detection software
- 9% No, I run no spyware-detection software
- 0% I don't know

New Instant Poll: Security Duties
The next Instant Poll question is, "What's currently the main focus of your security-related administrative duties?" Go to the Windows & .NET Magazine home page and submit your vote for a) Tightening general security, b) Defending against network attacks, c) Defending against Web site attacks, d) Filtering junk email, or e) Controlling employee surfing habits.
http://www.winnetmag.com/magazine

==== 3. Resources ====

Featured Thread: Unknown UDP Traffic Locks Up Network
Forum user SteveSavage says that one of his company's servers is generating unknown UDP traffic that floods the network, rendering the network unusable. The problem seems to be getting progressively worse. Visit the following URL to read the details and join the discussion:
http://www.winnetmag.com/forums/rd.cfm?cid=58&tid=121310

Tip: Does acctinfo.dll work with Windows 2000 Server?
by John Savill, http://www.windows2000faq.com

In the FAQ "What's acctinfo.dll?" (http://www.winnetmag.com/articles/index.cfm?articleid=42657), I examined the functionality of this useful DLL. Many readers responded and asked whether acctinfo.dll works with Win2K. After testing the DLL, I'm pleased to report that it functions just fine under all versions of Win2K Server.

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

The Exchange Server Seminar Series Coming to Your City in June
Join industry experts Kieran McCorry, Donald Livengood, and Kevin Laahs for this free event! Learn the benefits of migrating to an integrated communications environment, consolidating and simplifying implementation of technology, and accelerating worker productivity. Register now and enter to win an HP iPAQ and $500 cash!
http://www.winnetmag.com/roadshows/exchange2003

==== 4. New and Improved ====
by Angie Brew, [email protected]

Back Up Crucial Data
Perception released Secura Backup 1.43, a Windows backup program that features 128-bit security. The software creates backups to local disks, network paths, FTP sites, and email addresses. Secura Backup features built-in definitions for automatically backing up email, address books, and other crucial Windows data files. The product features a built-in scheduler and rotation queue. You can save the most recent backups and delete old files as Secura Backup creates new ones. Secura Backup 1.43 costs $99.95. Multiuser discounts are available. Contact Perception at [email protected].
http://www.securabackup.com

Test and Deploy Applications on VMs
VMware released VMware Workstation 4.5, the latest version of its virtual machine (VM) software for the desktop. VMware Workstation lets you develop, test, and deploy complex enterprise applications completely on VMs. The product lets you build and test server-class applications in Windows, Linux, or Novell NetWare environments on one desktop. The product features increased memory capacity, automatic product update checks, and Longhorn support. VMware Workstation 4.5 costs $189. VMware Workstation 4.0 customers can upgrade for free. Contact VMware at 650-475-5000 or 877-486-9273.
http://www.vmware.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://ad.doubleclick.net/clk;6480843;8214395;q?http://www.argent.com/products/download_whitepaper.cgi?product=mom&&Source=WNTTextLink

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts
http://ad.doubleclick.net/clk;7759917;8214395;c?http://www.microsoft.com/technet/community/webcasts/default.mspx

==== Contact Us ====

About the newsletter -- [email protected]
About technical questions -- http://www.winnetmag.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring UPDATE -- [email protected]

==== Contact Our Sponsors ====

Primary Sponsor:
Hewlett-Packard -- http://www.hp.com