
Windows Users Fear Korgo Virus 533

An anonymous reader writes "A new virus is on the prowl that can infect your Windows XP/2K system and record every key you hit on your keyboard. The keys are then sent back to the virus creator where he/she can steal your passwords and credit card information. The virus named, Korgo, started showing up in the last week of May but it now has at least six different variants. To protect yourself from this nasty virus, Microsoft is urging all users to download the KB835732 Security Update. As with the Sasser worm, you'll get the Korgo virus without even knowing it. It does not arrive by email, but simply by being connected to a network or to the Internet without having a patched machine or a properly configured firewall."
  • Details: (Score:5, Informative)

    by ack154 ( 591432 ) * on Friday June 04, 2004 @03:35PM (#9338266)
    According to Symantec [sarc.com], the F variant of this seems to be the worst, or most prominent. Currently a level 3, here's the SARC page for it: Korgo.F [sarc.com]. There is a removal tool [sarc.com] available as well.

    Main details from top of SARC page:
    W32.Korgo.F is a minor variant of W32.Korgo.E. It is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports.
    Happy cleaning.
    • by Steve_Jobs_HNIC ( 513769 ) on Friday June 04, 2004 @03:39PM (#9338328) Journal
      Microsoft Security Bulletin MS04-011
      Security Update for Microsoft Windows (835732)

      Issued: April 13, 2004
      Updated: May 4, 2004
      Version: 1.3
      • by Tenareth ( 17013 ) on Friday June 04, 2004 @04:44PM (#9339185) Homepage
        Yes, and the 011 patch also killed about 5% of the machines it was installed on before the May 4 update. Now it only kills about 1%, or about 100 machines in our case. Not to mention the several apps it killed.

    • by Overly Critical Guy ( 663429 ) on Friday June 04, 2004 @04:19PM (#9338796)
      What a surprise it wasn't mentioned that this was patched months ago, right?

      This vulnerability is the LSASS Buffer Overrun Vulnerability, already patched way back on April 13. Slashdot probably had at least two or three articles on it back then as well if you wanna do a search for "sasser."

      If you haven't patched after two months, you're just the same as all those people who got hit with Blaster, which was also already patched beforehand. Linux distros issue security patches for their vulnerabilities [linuxsecurity.com] weekly and nobody complains, but when Microsoft releases a patch, suddenly it's this huge issue to run a tiny executable that plugs security flaws, and then people bitch at Windows two months later when a virus comes out to exploit it...

      Just saying. How can one criticize their security if they won't apply their security patches? Almost all major software is gonna require a patch eventually. I don't get this steadfast need to avoid patching Windows boxes while freely recompiling Linux kernels on a whim for production servers when a minor point release comes out.
      • Definitely +5 Insightful.

        But IMO, part of the problem is that these people are just "aware" that they have to do updates. I can't count the number of people I've told to go to WindowsUpdate to keep up to date and I get the most clueless looking face I've ever seen...

        I think Windows is at the very least doing an admirable job of patching its flaws, but you can't force people to update. It's another good step to include Automatic Updating with Windows now, but it's not automatically turned on.
      • by foidulus ( 743482 ) * on Friday June 04, 2004 @04:49PM (#9339253)
        Certain places can't just go and blindly patch. If you are running anything critical, you have to thoroughly test the patch before you apply it. If the patch brings down your application/business, then it might not be much worse than a virus. I don't know about Linux, but Microsoft has released some bad patches in the past (that would slow certain functions down to a crawl).
        For someone sitting at their pc, the risk of a patch is low, but some people cannot afford to risk their systems on haphazard patching.
      • Most Windows viruses use security flaws patched many months before. I think automatic downloading and installation of patches should be mandatory for internet connected computers.
        • Yeah, except that some patches are known to break other programs. (generally badly programmed software, but not always) They almost always require a reboot to install (forget about mission critical 24x7 servers). They don't always install correctly. (this last is my fault for running 2000 with "only" 64mg of ram, but what else can I do when a DIMM gets bad memory?)

          That's ignoring new systems which don't come patched from the factory. The only [easy] way to get patched is to connect to the Internet wh

      • Who says that an unpatched system has by definition to be in the hands of an ignorant or incompetent sysadmin?

        What about those who just bought a new PC that was shipped from the factory (just) prior to this patch becoming available? Who even guarantees that HP or Dell ship their boxes with the patch on it already?

        Or what about someone like me, who is about to reinstall the entire Winblows mess from scratch after a disk crash? Yes, this system had the patch installed within a day of the latter becoming ava

  • KB835732 (Score:5, Interesting)

    by thebra ( 707939 ) * on Friday June 04, 2004 @03:36PM (#9338268) Homepage Journal
    The company that I work at pushed the KB835732 patch out to a few thousand machines. It caused some incompatibility issue that causes Windows to blue screen with the error "Winsrv.dll missing or corrupt". It's been a blast removing the patch through the recovery console, especially walking remote users through it.
    • Re:KB835732 (Score:5, Insightful)

      by Bender Unit 22 ( 216955 ) on Friday June 04, 2004 @03:41PM (#9338361) Journal
      Yes and then people fail to understand why it takes some time to patch up all machines.
      At work we do the releases in steps, first the IT dept, then the superusers. And then we take the rest in steps to prevent too much trouble.
      But you just can't install the patch on 2000 machines as soon as it comes out.
      • I agree with the original poster. Waiting a week and a half is totally useless in a corporate environment. It's kind of silly to wait a week and a half; as everyone is doing this more and more, basically you wind up finding all the same problems a week and a half later.

        You're assuming that someone out there in the world is going to install, test and have somewhat of a similar environment to yours. In other words, you're hoping someone else will do the work for you.

        I think a better rule of thumb is to have a
      • Re:KB835732 (Score:3, Insightful)

        Not me man, I wade right into that shit hip deep. My bosses have laid down the law here and insist that I get everyone patched ASAP. I've tried to explain about the balance between being safe and being sure but they don't want to hear any of that so the way I see it "Fuck em".

        Now granted I've got closer to 500 machines (But I'd do the same thing if they gave me 2000, or even 20,000) but I still patch every single one of them the moment Microsoft spits it out.

        One day, one fine day Microsoft is going t
  • Hmmm.... (Score:5, Informative)

    by Mz6 ( 741941 ) * on Friday June 04, 2004 @03:36PM (#9338280) Journal
    For some reason the poster left out the following, critical, piece of information (oh.. and for those that don't RTFA). This virus uses the exact same flaw as the Sasser virus -- LSASS Buffer Overrun Vulnerability. What's weird is that the infections are still climbing meaning that after almost 2 months (patch released on April 13) and a HUGE rash of infections from Sasser, there are some folks that have still refused to apply the Microsoft patch. As much as I hate to say it, IMHO, they almost deserve it...

    For those that have just come out from their rock, here is a removal tool for this latest worm [symantec.com]

    And IIRC, shouldn't any good (read: non-XP) firewall automatically be blocking these ports (or at least 445) right out-of-the-box?

    • Re:Hmmm.... (Score:5, Informative)

      by Ayaress ( 662020 ) on Friday June 04, 2004 @03:44PM (#9338394) Journal
      If you think that's bad, I recently reformatted a relative's Win2k computer because of a trashed partition. I then connected to the internet to download ZoneAlarm onto it and run Windows Update, and it was almost immediately infected with W32Blaster. Getting on a year after the patch came out, and most of a year since the virus made such a mess of things, there's still enough people out there with this virus (and hence, without the patch to protect against it) to make it dangerous to unpatched computers.
      • Re:Hmmm.... (Score:5, Informative)

        by FattMattP ( 86246 ) on Friday June 04, 2004 @04:08PM (#9338685) Homepage
        I then connected to the internet to download ZoneAlarm onto it and run Windows Update, and it was almost immediately infected with W32Blaster.
        What made you think putting an unsecured machine on a network unprotected would be a good idea, even to get patches? As you saw, it'll get infected in minutes. Maybe you should put ZoneAlarm on a CD or a USB memory key and move it over that way.
    • Not surprising. (Score:5, Insightful)

      by AbyssLeaper ( 22238 ) on Friday June 04, 2004 @03:46PM (#9338422) Homepage Journal
      Let's not forget that most users (who wouldn't be reading /.) don't have any idea about this stuff. They confuse virus scanners with firewalls, and think patching is something you do with clothes. So no, they don't really deserve it.

      Like it or not, they want their PC to work like their television. As much as you or I don't like it, they are the people that are keeping Windows support folks employed.

      I can't say how many times I've helped with someone's machine, and they've had multiple virus infections, spyware and general crap on their machine because they don't know any better. It's a fact of life that Microsoft is going to have to own up to if they want to stay on top. They raised the beast, now they need to teach it the rules.
    • Re:Hmmm.... (Score:5, Insightful)

      by bigrat ( 25898 ) on Friday June 04, 2004 @03:47PM (#9338427)
      I work at the tech bench at Best Buy part-time.

      Despite the default config of 2k/XP to inform you that updates are available, we've been fixing hundreds of machines infected with Sasser, and even Blaster. Users simply ignore the update warning, or outright refuse to run it. One user mentioned "Why would I need to run that?"

      Even Microsoft can't prevent ignorance.

    • Re:Hmmm.... (Score:5, Interesting)

      by Fig, formerly A.C. ( 543042 ) on Friday June 04, 2004 @04:09PM (#9338696)
      And IIRC, shouldn't any good (read: non-XP) firewall automatically be blocking these ports (or at least 445) right out-of-the-box?

      Forgive my ignorance, but shouldn't the lightweight consumer-grade routers (Linksys and such) with NAT be effective as well at blocking this sort of thing?

      • Re:Hmmm.... (Score:3, Insightful)

        by ForestGrump ( 644805 )
        Yes, it should be able to block off most worms. This is because of how NAT works. If a remote machine tries connecting on a certain port, and the port is not "port forwarded", then the router will simply dump the data because it doesn't know where to forward it to.

        With NAT routers being so inexpensive, I believe that everyone should have one of these. Even if it is simply 1 box connecting to the internet.

        -Grump
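The connection-tracking behaviour ForestGrump describes, as an added example (not router firmware, and a deliberate simplification of a real NAT): outbound connections create table entries, replies that match an entry are translated back, and an unsolicited SYN to TCP/445 or to the worm's listener port has no entry and nowhere to go. The addresses, ports and the forwarded port 8080 are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True for a new TCP connection attempt


class NatRouter:
    """Stateful NAT as the comment describes it: outbound connections create
    table entries; inbound packets are delivered only if they match an entry
    or an explicit port forward; everything else is dropped."""

    def __init__(self, wan_ip, port_forwards=None):
        self.wan_ip = wan_ip
        self.port_forwards = dict(port_forwards or {})   # wan port -> (lan ip, lan port)
        self.table = {}    # wan port -> (lan ip, lan port, remote ip, remote port)
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> Internet: remember who talked to whom and rewrite the source."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[wan_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt):
        """Internet -> LAN: ('forward', rewritten packet) or ('drop', None)."""
        entry = self.table.get(pkt.dst_port)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):
            lan_ip, lan_port = entry[:2]
            return "forward", replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        if pkt.dst_port in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]
            return "forward", replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        return "drop", None   # no mapping: the router has nowhere to send it


def demo():
    """Constructed traffic: one outbound web connection and its reply, a
    worm-style probe of TCP/445, a probe of the backdoor port 3067, and a
    hit on a port the owner deliberately forwarded."""
    router = NatRouter("203.0.113.7", port_forwards={8080: ("192.168.1.20", 80)})
    results = {}
    out = router.outbound(Packet("192.168.1.10", 1034, "198.51.100.1", 80, syn=True))
    # The web server's reply arrives on the mapped port and is translated back.
    results["web_reply"] = router.inbound(
        Packet("198.51.100.1", 80, router.wan_ip, out.src_port))[0]
    # Unsolicited SYN to 445 from an infected host: no entry, no forward -> dropped.
    results["lsass_probe"] = router.inbound(
        Packet("198.51.100.66", 2233, router.wan_ip, 445, syn=True))[0]
    # Same for the worm's listener port.
    results["backdoor_3067"] = router.inbound(
        Packet("198.51.100.66", 2234, router.wan_ip, 3067, syn=True))[0]
    # An explicitly forwarded port is the one hole the owner chose to open.
    results["forwarded_8080"] = router.inbound(
        Packet("198.51.100.2", 5555, router.wan_ip, 8080, syn=True))[0]
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:15s} {action}")
```

The table gives no protection against a machine that is already infected on the LAN side, and a forwarded port is exactly as exposed as a directly connected host.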
  • Advisory (Score:5, Informative)

    by michaelhood ( 667393 ) on Friday June 04, 2004 @03:37PM (#9338288)
    Symantec's Advisory [symantec.com]. Listens on TCP ports 113, 2041, and 3067. 113 is identd, 2041 is interbase, 3067 seems invented. Firewall as appropriate.
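The SARC description quoted earlier (propagation via TCP/445, listeners on 113, 3067 and others) and this advisory's port list give a defender two log signals: a host probing many neighbours on 445, and a host accepting inbound connections on the listener ports. An added example of that detection over constructed firewall log lines (not Symantec's tooling; the log format, the threshold of five distinct targets and the addresses are assumptions):

```python
import re
from collections import defaultdict

# Ports quoted in the advisory text; 445 is the LSASS port the worm attacks.
EXPLOIT_PORT = 445
LISTENER_PORTS = {113, 2041, 3067}
SCAN_THRESHOLD = 5   # distinct hosts probed on 445 before we call it scanning (assumption)

# Assumed log format (constructed; adjust LINE_RE to the real firewall's output):
# "<time> <ACCEPT|DROP> proto=<proto> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines, not real traffic. 10.0.0.17 behaves like an
# infected host; 10.0.0.12 makes a single ordinary file-sharing connection.
SAMPLE_LOG = """\
10:01:02 ACCEPT proto=tcp src=10.0.0.12:1034 dst=10.0.0.1:80
10:01:05 DROP proto=tcp src=10.0.0.17:1041 dst=10.0.0.20:445
10:01:05 DROP proto=tcp src=10.0.0.17:1042 dst=10.0.0.21:445
10:01:06 ACCEPT proto=tcp src=10.0.0.17:1043 dst=10.0.0.22:445
10:01:06 DROP proto=tcp src=10.0.0.17:1044 dst=10.0.0.23:445
10:01:06 DROP proto=tcp src=10.0.0.17:1045 dst=10.0.0.24:445
10:01:07 DROP proto=tcp src=10.0.0.17:1046 dst=10.0.0.25:445
10:01:09 ACCEPT proto=tcp src=198.51.100.9:51123 dst=10.0.0.17:3067
10:01:11 ACCEPT proto=tcp src=10.0.0.12:1035 dst=10.0.0.22:445
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            yield ev


def analyze(log_text, threshold=SCAN_THRESHOLD):
    """Return {host: [reason, ...]} for hosts showing either signal."""
    targets_445 = defaultdict(set)    # source -> distinct hosts it probed on 445
    listener_hits = defaultdict(set)  # host -> listener ports that accepted inbound
    for ev in parse(log_text):
        if ev["proto"] != "tcp":
            continue
        if ev["dport"] == EXPLOIT_PORT:
            # Count DROPs too: a scanning worm mostly hits hosts that refuse it.
            targets_445[ev["sip"]].add(ev["dip"])
        if ev["dport"] in LISTENER_PORTS and ev["action"] == "ACCEPT":
            listener_hits[ev["dip"]].add(ev["dport"])
    findings = defaultdict(list)
    for src, dsts in targets_445.items():
        if len(dsts) >= threshold:
            findings[src].append(f"probed {len(dsts)} hosts on tcp/445 (LSASS exploit port)")
    for host, ports in listener_hits.items():
        # 113 alone is weak evidence (identd is legitimate); 3067 is the odd one out.
        findings[host].append("accepted inbound on listener port(s) "
                              + ", ".join(str(p) for p in sorted(ports)))
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

The scan signal only exists if the firewall logs traffic between LAN hosts (or sits between segments); a perimeter-only log sees the worm leaving, not spreading inside.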
  • You know... (Score:4, Insightful)

    by Anonymous Coward on Friday June 04, 2004 @03:38PM (#9338300)
    I wish that, just once, a lot of people will get ripped off. The credit card companies will cover any losses (they have to by law), and people will actually realise that yes, keeping up to date with patches is a good idea.
    • Re:You know... (Score:3, Informative)

      by psbrogna ( 611644 )
      Cards with a MC/Visa logo only protect you if they're actually a credit card. If they're an ATM you're SOL.
    • by Scott Richter ( 776062 ) on Friday June 04, 2004 @04:01PM (#9338594)
      I wish that, just once, a lot of people will get ripped off. The credit card companies will cover any losses (they have to by law), and people will actually realise that yes, keeping up to date with patches is a good idea.

      It's easy for us to say that, we're computer users who (presumably) know what we're doing. But if one is to condemn non-patchers in that way - I assume you also change your oil every 3000 miles, go to the dentist every 6 months, floss daily, get an annual physical, clean the lint filter in your dryer after every load, eat 6 daily servings of vegetables, rotate your tires every 20,000 miles, have all your car's factory recalls done, change the air filters in your heater monthly, and perform all the other mindless routine maintenance you're supposed to do.

      The bottom line is, no one on earth outside the most anal retentive person alive does all that stuff. Not doing any of them could have consequences, but people simply don't have time to do all this shit.

      So yes, I do blame microsoft. One shouldn't have to constantly check symantec's web page just to keep your computer usable. Computers are appliances now. They should just work, dammit.

      • I just posted a similar rant. :)

        You're absolutely right. I have a friend who was completely anal about a lot of things. His car was his favorite toy. He's 30-something now, and has started becoming more lax. He hasn't been rotating his tires, or even taking a good look at them. He was occasionally glancing at the outside edge, seeing the tread looked ok, and assumed all was fine.

        A couple weeks ago, on a wet road, he slid off the road, and his car ended up in a lake. Why? Because his alignm
      • by skifreak87 ( 532830 ) on Friday June 04, 2004 @05:12PM (#9339537)
        Both of my parents have close to no idea how a computer works. Their computer got the Sasser worm or some variant that kept restarting before they could do anything (solution, have a bootable disc to use so as not to boot off the hard-drive). What they didn't understand is that they CAN get viruses/worms by just being on the internet. Next thing, why wasn't their XP up to date? They thought it would cost money to get the updates so they never did (since they couldn't tell Windows Update notices apart from the McAfee Security Center update notices - which do cost money once your subscription runs out) and never thought they could get viruses/worms except through email.

        Both my parents are quite intelligent and can work a computer for what they need (word processor/Quicken/email/browser) fairly competently. The problem, IMHO, is that computer users view a computer as any other appliance, it should just work, and think if they follow some common sense (such as not opening strange attachments) they won't have problems. People don't understand why it's important to patch a computer or even how to do it, so they don't.
      • rotate your tires every 20,000 miles

        I rotate my tyres every single mile I drive. It kind of happens automatically with this whole 'wheel' thing.

  • Morbo? (Score:4, Funny)

    by FlipmodePlaya ( 719010 ) on Friday June 04, 2004 @03:38PM (#9338318) Journal
    Puny humans fear Korgo...
  • Worm vs Virus (Score:5, Informative)

    by DJ-Dodger ( 169589 ) on Friday June 04, 2004 @03:40PM (#9338333) Homepage
    If you "just get it" without having to run anything, it's a worm, not a virus. It's not complicated.
    • Re:Worm vs Virus (Score:4, Informative)

      by hovis ( 660250 ) on Friday June 04, 2004 @04:07PM (#9338677)
      It's kinda more complicated than that:

      VIRUS: File infector, Self-Replicating
      A virus will insert its own code into another _pre-existing_ file. It also replicates automatically every time it's run.

      WORM: Self replicating
      A worm self-replicates like a virus, but it does not infect pre-existing files. A worm will create a whole new file that is pure viral code (usually with a spoofed name like iexplorer.exe as opposed to the legit file iexplore.exe)

      TROJAN:
      A trojan is also its own file of pure viral code, but does not self-replicate (However, they frequently facilitate remote control of the Trojan that can be used to replicate it)

      Symantec has a document on this, the link is... What is the difference between Viruses, Trojans and Worms? [symantec.com]

  • by Flexagon ( 740643 ) on Friday June 04, 2004 @03:41PM (#9338341)
    Though the listed viruses may be new, the actual update was released over a month ago and those of us here should already know better. This is the kind of "timely" information I get from Comcast support.
  • As For Me (Score:4, Funny)

    by Anonymous Coward on Friday June 04, 2004 @03:45PM (#9338402)
    I for one salute our new script kiddie overlords.
  • Okay, you got me... (Score:3, Interesting)

    by DigitalSorceress ( 156609 ) on Friday June 04, 2004 @03:48PM (#9338442)
    I read the post and immediately thought "oh gosh, here we go again" and went to MS windows update to update my workstation while I downloaded the patch. Then I realized that I'd already updated everyone here at the office back when the patch first came out.

    Damn, I gotta rtfa *grin*

    Seriously though, even though I check for new updates religiously and try to keep all the users on my network up to date, I guess I'm still a little gun-shy.
  • by Anonymous Coward on Friday June 04, 2004 @03:51PM (#9338482)
    is not slashdotted? They are running Windows Server 2003 with IIS and everyone here knows that is bad...
  • updating (Score:3, Interesting)

    by millahtime ( 710421 ) on Friday June 04, 2004 @03:54PM (#9338513) Homepage Journal
    Since only legal users of XP can install the updates, does this mean that all those people using illegal copies can't get the update?

    Figuring so, a lot of people could get screwed.
    • Re:updating (Score:3, Insightful)

      by RTMFD ( 69819 )
      Damn, so if I go rip off my neighbor's Pontiac should I be pissed off when the steering column catches on fire because I couldn't take it back to the dealer during the recall? This issue looks like common sense to me.

      Committing theft takes away your right to be upset about such things, IMHO.
  • Not Exactly... (Score:5, Informative)

    by mexnix ( 709302 ) on Friday June 04, 2004 @03:57PM (#9338560)
    F-Secure Weblog [f-secure.com] says Korgo doesn't install a key logger by default, but that the "cracker team" uses Korgo's backdoor to do so. So, you won't necessarily have the key logger installed if you have any of the Korgo variants. At least, none up to this point...
  • When I first saw this I thought I read a virus named Torgo! It wobbles around, moves slowly, and takes care of your computer while you're away.

  • by G4from128k ( 686170 ) on Friday June 04, 2004 @03:58PM (#9338572)
    Are the logged keystrokes of most of these viruses transmitted in the clear? If so, then couldn't one create an outbound traffic monitor that watched for certain key character strings (such as passwords, account numbers, etc.) and if the monitor sees sensitive data strings in clear text, it would halt the transmission and alert the owner. This could also be used to halt snooping of files and directory structures -- just create a file with a monitor-prohibited file name and contents.

    As a side benefit, the system would also catch insecure site logins - seeing which websites are asking for unencrypted sensitive data such as passwords.
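The monitor G4from128k sketches, as an added example that is not part of the post: planted canary strings (a decoy file's contents, a fake password) are blocked on egress, and a plaintext HTTP POST carrying credential fields is flagged as the "insecure site login" side benefit. The canary values, field names and sample payloads are constructed; the whole approach only works while the exfiltration is unencoded, which the comment itself makes conditional.

```python
from urllib.parse import parse_qs

# Planted canary values (constructed). They sit in a decoy file and are typed
# once as a fake password, so they never legitimately leave the machine;
# seeing one on the wire means something is reading or logging what it should not.
CANARIES = {"CANARY-xk9q2-decoypw", "4111-CANARY-0000-1111"}
# Form field names that should never travel in clear text (assumed list).
CRED_FIELDS = {"password", "passwd", "pwd", "cardnumber", "cvv"}


def http_post_form(payload):
    """Return (host, path, fields) if payload is a plaintext HTTP POST with a
    urlencoded body, else None. TLS traffic is opaque bytes and fails the
    ASCII decode, which is precisely what separates an insecure login from a
    secure one here."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "POST":
        return None
    host = "?"
    for hdr in lines[1:]:
        if hdr.lower().startswith("host:"):
            host = hdr.split(":", 1)[1].strip()
    return host, parts[1], parse_qs(body.decode("ascii", "replace"))


def inspect(dst_ip, dst_port, payload):
    """Decide what to do with one outbound payload: 'block' if a canary is
    leaving the host, 'alert' if credentials are posted in clear text,
    otherwise 'allow'. Returns (decision, reasons)."""
    reasons = []
    for canary in sorted(CANARIES):
        if canary.encode("ascii") in payload:
            reasons.append(f"canary {canary!r} in traffic to {dst_ip}:{dst_port}")
    if reasons:
        return "block", reasons
    form = http_post_form(payload)
    if form:
        host, path, fields = form
        leaked = sorted(k for k in fields if k.lower() in CRED_FIELDS)
        if leaked:
            reasons.append(f"fields {leaked} posted in clear text to http://{host}{path}")
            return "alert", reasons
    return "allow", reasons


# Constructed sample payloads, not captured traffic.
EXFIL = b"log: user typed CANARY-xk9q2-decoypw<enter>\n"
LOGIN = (b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"user=alice&password=hunter2")
NORMAL = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for dst, port, data in [("203.0.113.5", 3067, EXFIL),
                            ("192.0.2.10", 80, LOGIN),
                            ("192.0.2.10", 80, NORMAL)]:
        print(dst, port, inspect(dst, port, data))
```

A real password cannot serve as the signature, since it also appears in every legitimate login; the canary works because it has no legitimate reason to leave at all.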
  • Easy fix (Score:5, Funny)

    by staticdaze ( 597246 ) on Friday June 04, 2004 @03:58PM (#9338573)
    Just cache all your passwords and credit card info in your browser's form remembering thing.
  • by picklepuss ( 749206 ) on Friday June 04, 2004 @04:01PM (#9338593) Homepage
    Thank God I trust Internet Explorer enough to remember my bank password for me... now I don't have to worry about viruses that log my keystrokes!
  • Gee (Score:4, Funny)

    by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Friday June 04, 2004 @04:04PM (#9338626) Homepage Journal

    Good thing I'm not dumb enough to type anything important of my own on a Windows box. I guess if I'm infected at work, they'll get the company's code, and if I'm infected at home, they'll find out that I like to cast "Magic Missile" in conjunction with "Flamestrike" when facing strong magic users to disrupt their concentration then hit them with a heavy blast while my warriors move in for the kill.

    I'm sure that latter piece is exceptionally valuable information...

  • by smcavoy ( 114157 ) on Friday June 04, 2004 @04:05PM (#9338652)
    Korgo sounds so much better than Sasser.
    Not quite fear-of-god inducing, but whatever.

  • by kelzer ( 83087 ) on Friday June 04, 2004 @04:25PM (#9338888) Homepage

    The virus named, Korgo, started showing up . . .

    A panda walks into a café. He orders a sandwich, eats it, then draws a gun and fires two shots in the air.

    "Why?" asks the confused waiter, as the panda makes towards the exit. The panda produces a badly punctuated wildlife manual and tosses it over his shoulder.

    "I'm a panda," he says, at the door. "Look it up."

    The waiter turns to the relevant entry and, sure enough, finds an explanation.

    "Panda. Large black-and-white bear-like mammal, native to China. Eats, shoots and leaves."

    I highly recommend that the submitter (Anonymous User) immediately head over to his/her favorite online book retailer and purchase Eats, Shoots and Leaves [eatsshootsandleaves.com].

  • by bob_jenkins ( 144606 ) on Friday June 04, 2004 @04:31PM (#9338982) Homepage Journal
    Most people who have computers use them as one tool among many. They don't have to maintain their phone weekly or even monthly, or their hammers, or their sofas. Smoke alarms are supposed to be tested once a month, but who does that?

    I have a lot of relatives who used to use computers but have mostly given up on them. What with spam, and viruses, and worms, and trojans, and spyware, I can't blame them. Unless they give you a whole lot in return, they're not worth the hassle.
  • short lived? (Score:3, Interesting)

    by abertoll ( 460221 ) on Friday June 04, 2004 @05:10PM (#9339505) Homepage Journal
    "The keys are then sent back to the virus creator"

    I've always wondered about this sort of thing... doesn't that make the creator pretty easy to catch?
  • by rspress ( 623984 ) on Friday June 04, 2004 @06:21PM (#9340231) Homepage
    They seem to code better and faster than Microsoft's own people. Plus they know something about security, which seems to be lacking in Redmond.

    If SP2 does not fix these holes like Microsoft claims it will then they should be liable for the money that businesses lose due to badly written software. Microsoft needs to change the way it updates its software. Instead of releasing a service pack and charging for it when it does come out they should step to releases every month or two, like the way OS X does.

    As a matter of fact Microsoft seems to be in the same state Apple was in before Jobs came back. Lost and clueless, developing products that they were not good at, and with a directionless system software development. This far into Windows XP MS should have had nearly all of the framework for Longhorn laid out and most of the coding done, yet we hear of announced features being dropped because it won't meet their deadline which is two years off. Something is wrong in Redmond and now is the time for Linux and OS X to take advantage of it; if they don't do it now they may not have another chance. Unless of course Longhorn is the worst mistake they have ever made.

  • by bfg9000 ( 726447 ) on Friday June 04, 2004 @06:21PM (#9340236) Homepage Journal
    "Windows Users Fear Korgo Virus" screams the headline, reading not so much like news as just another WindowsXP sales pitch. Yes, it's true -- Windows users DO fear the Korgo virus, while the insignificant and ostracized Mac and Linux users of the world are left, yet again, fearing only the sheer and utter BOREDOM of not having any viruses or trojans to fix due to their curious choice of OS. In the area of viruses, trojans, and worms, Linux and the Mac really do stand out as being "second class citizens", trapped in a virus-free ghetto with no salvation in sight. The discrepancy is so obvious, the ultra-competitive Microsoft doesn't even feel the need to buy themselves an Official Gartner Group Research Study to prove that Windows is light-years ahead in this area. Even the most staunch Linux or Mac advocate is forced to admit it -- off the record, of course. Virus writers, known to be excellent coders who take pride in their tight, bugfree code, have overwhelmingly standardized on Microsoft Windows as their targeted system of choice in the deployment of their ongoing suite of virus applications.

    And it doesn't look like the situation is going to get better any time soon.

    One bearded Linux coder, who refused to be identified publicly, confessed "we just don't have the selection -- or quality -- of viruses on our platform that is available to Windows users free of charge. And it's tearing us up inside knowing that the battle is over, and Microsoft has clearly won." Similarly, a guy with an Apple logo shaved into the back of his head admitted the following once we turned off the cameras. "I don't mean to break ranks and insult our software selection," he whispered furtively, "but usually if we DO manage to get a virus that will even install on OS X, it's not that great, and we're left... disappointed, realizing that if we had simply stuck with the unwashed smelly masses, we too could be enjoying a daily barrage of free software delighting us by installing itself on our computers as a surprise gift. Instead, I'm stuck with the weak consolation prize of 40 Academy Awards for my work on Lord Of The Rings. But it's not the same. No amount of awards or million dollar paycheques can heal the feelings of neglect or massive abandonment issues this whole thing has given me."

    "Is this the reason so many people choose Windows?", his innocent young son, Moof, asked me, looking like the kid off the Dave software box. [thursby.com]

    "What do you think, little one? Look at the Windows dominance in the virus field, then look at the marketshare of Windows. That ain't no coincidence, Moof. The other guys just can't keep up with the Microsoft Juggernaut. Microsoft is fighting hard to keep themselves Number One, just like the Titanic was the biggest and bestest ship, or the Hindenburg was the coolest and most flammable Zeppelin, or the dinosaurs were the toughest animals ever. How do you compete with that?"

    =============

    Yes, sitting here at my desk 16 hours later, WindowsXP Restore Disks in hand, I can't help but let a little smile shine across my face. Those poor fools, I think, using a non-Microsoft OS really does take away most of the joy of computing and replaces it with all that productivity and recreation crap. And where's the challenge in that?

    Please insert Microsoft Windows XP Restore Disk 2

    Ahhh, I sigh contentedly. It's gonna be a long night.
