Patches, Fixes and Security Info
(updated 4/24/01)

This page is dedicated to security information and to fixing and patching Windows NT, Windows 98 and Windows 95.
All information here is as up to date as we can keep it. I have started to include the date on which the security hole was found or the patch was released.


It is important to keep your computer up to date with the latest patches and bug fixes. Because of the nature of our jobs we will do some of the hard work for you and help you keep current. On this page you will find information about what is available to patch your computer. Since there is a good chance that your computer is attached directly to the Internet, you will want to keep up with the latest information. If you have specific questions, email Network and we will try to answer them. If you know of a topic that should be covered here and is not, please let us know.

What's New

Windows Shared Directory Hole - (10/2000) This vulnerability affects Windows 95, 98 and ME when file and print sharing is enabled and shares are protected with a share-level password. A malicious user can get into a password protected share without knowing the password beforehand: the server checks only as many characters of the password as the client sends, so an attacker can guess the password one character at a time until the whole thing is revealed. There is a patch and it can be found on \\Axis\distribution. Win 95. Win98. Win ME

For more information see Microsoft's site: http://www.microsoft.com/technet/security/bulletin/fq00-072.asp
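The following is an added example, not code from the original page or from Microsoft; it models the comparison flaw described above in Python so you can see why a password protected share gives nothing away until the comparison is fixed. The function names, the 8-character limit on share passwords and the sample password are assumptions made for the example; the real server-side code is not reproduced here.

```python
import hmac

def win9x_share_check(stored: bytes, supplied: bytes) -> bool:
    """Constructed model of the flawed check: the server compares only as many
    bytes as the client sent, so a correct one-byte prefix is accepted."""
    return stored[:len(supplied)] == supplied

def fixed_share_check(stored: bytes, supplied: bytes) -> bool:
    """Corrected check: the full password must match, compared in constant time."""
    return len(stored) == len(supplied) and hmac.compare_digest(stored, supplied)

def recover_password(oracle, max_len: int = 8):
    """Guess the password one byte at a time using only accept/reject answers.
    Returns (recovered_bytes, attempts). Against the flawed check each byte
    costs at most 256 tries, so the whole password costs about 256 * max_len
    guesses instead of 256 ** max_len. max_len = 8 is an assumption about the
    share-level password length limit."""
    found = b""
    attempts = 0
    while len(found) < max_len:
        for c in range(256):
            attempts += 1
            if oracle(found + bytes([c])):
                found += bytes([c])
                break
        else:
            break  # no byte extends the prefix: found is the whole password
    return found, attempts

if __name__ == "__main__":
    password = b"S3CRET"  # constructed sample share password
    print("flawed check :", recover_password(lambda g: win9x_share_check(password, g)))
    print("fixed check  :", recover_password(lambda g: fixed_share_check(password, g)))
```

Against the flawed check the loop walks the password out in a few hundred guesses; against the fixed check the first byte never succeeds and the attacker learns nothing.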

Verisign Certificate Problem - Verisign (an Internet certificate authority) issued two code-signing certificates to someone posing as a Microsoft employee. Anything signed with them appears to be signed by Microsoft, so an attacker could use them to get you to install a program on your computer; you might trust it simply because the name "Microsoft" is on the certificate. Verisign has revoked the certificates, but Windows does not check for that revocation on its own, so an end user may still accept the certificate as genuine. Microsoft has released a patch, but you should also watch the dates on these certificates: they were issued January 29th and 30th, 2001. Do not trust anything signed with a "Microsoft Corporation" certificate issued on those two days.

For more information see Microsoft's site: http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

Malformed E-mail Header - A very serious security hole has been found in M.S. Outlook and Outlook Express that lets an attacker either crash your computer or run code of their choosing on it. The attacker's code arrives inside the mail message itself; nothing needs to be on your computer beforehand. This is a VERY serious security hole. All you need to do is start Outlook and download the message for it to take effect; you do not have to open the message. Be aware that news of this will spread very quickly through the hacker community, making it more of a threat.

This hole affects Outlook users whose client is configured for POP3 or IMAP4 (which is almost certainly how your Outlook is configured, since that is what MHC uses).
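As an added example (not from the original page or from Microsoft), here is the kind of header sanity check a mail administrator could run on messages before a vulnerable client downloads them. The reported trigger for this hole was an overlong value in the Date header, so the filter insists that Date parse as an RFC 822 date-time with a short time-zone field and that no header value exceed the 998-byte line limit from RFC 2822; the sample messages and addresses are constructed for the example.

```python
import email
import re

# RFC 822 date-time with a bounded time-zone field. Anything the grammar
# rejects is treated as malformed rather than handed to the client.
DATE_RE = re.compile(
    r"^(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s*)?"
    r"\d{1,2}\s+(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{2,4}\s+"
    r"\d{2}:\d{2}(?::\d{2})?\s+(?:[+-]\d{4}|[A-Za-z]{1,5})$"
)
MAX_HEADER_VALUE = 998  # RFC 2822 line-length limit, used here as a blanket cap

def header_problems(raw_message: str):
    """Return a list of reasons this message should be held back; an empty
    list means the headers look sane."""
    msg = email.message_from_string(raw_message)
    problems = []
    for name, value in msg.items():
        if len(value) > MAX_HEADER_VALUE:
            problems.append(f"{name}: value is {len(value)} bytes")
    date = msg.get("Date")
    if date is None:
        problems.append("Date: missing")
    elif not DATE_RE.match(" ".join(date.split())):  # unfold before matching
        problems.append("Date: does not parse as an RFC 822 date-time")
    return problems

# Constructed sample messages (addresses are placeholders).
GOOD = """From: helpdesk@mhc.example
To: user@mhc.example
Subject: maintenance window
Date: Mon, 17 Jul 2000 09:30:00 -0400

Mail server down 6-7pm tonight.
"""
BAD = ("From: someone@example.net\nTo: user@mhc.example\nSubject: hi\n"
       "Date: Mon, 17 Jul 2000 09:30:00 " + "A" * 600 + "\n\nbody\n")
LONG_SUBJECT = ("From: someone@example.net\nTo: user@mhc.example\n"
                "Subject: " + "x" * 1200 + "\nDate: Mon, 17 Jul 2000 09:30:00 -0400\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad date", BAD), ("long subject", LONG_SUBJECT)):
        print(label, "->", header_problems(raw) or "ok")
```

The check is deliberately strict about Date: a legitimate sender has no reason to put hundreds of characters in the time zone, so holding such a message costs nothing and keeps it away from an unpatched Outlook.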

Software Affected by this security hole:

  • Microsoft Outlook Express 4.0
  • Microsoft Outlook Express 4.01
  • Microsoft Outlook Express 5.0
  • Microsoft Outlook Express 5.01
  • Microsoft Outlook 97
  • Microsoft Outlook 98
  • Microsoft Outlook 2000

For more information Please see Microsoft's web site. It can be found at:

http://www.microsoft.com/technet/security/bulletin/MS00-043.asp

For MHC users I have put a copy of the patch on \\Axis\distribution within the \networking\MS_Outlook_5_patch directory. Outlook 4.0 users should go to Microsoft's site to obtain the fix.

If you have recently updated to Internet Explorer 5.5 on any platform other than Windows 2000, you are not affected by this security hole. If you are on Windows 2000 you must apply this patch even if you have IE 5.5.

 

Service Pack 6a - The latest service pack release from Microsoft. It fixes many security related issues, some of them very important. There are a few things to consider. 6a was released shortly after SP6. If you already have SP6 you should run the SP6a update. If you are at an earlier SP you should install SP6a directly. The following versions exist:

SP6 40 bit encryption
SP6 128bit encryption
SP6a update (use this one if you have 6 installed)
SP6a 128bit complete

A note about encryption: Microsoft offers two versions of the service pack, one with 40 bit encryption and one with 128 bit encryption. The 40 bit version can be installed on any computer and can be exported, meaning the computer may leave the United States. The 128 bit version may only be installed on a computer that will remain in the United States or Canada, because of US export controls on encryption. You can get the 40 bit version here; selecting the 128 bit version will send you to another site (Microsoft) that will ask you to sign an agreement verifying that you reside in the US or Canada.
 

Service Pack 6 - 40 bit encrypted version.
Service Pack 6 - 128 bit encrypted version.

Internet Explorer Security Update - (9/30/99) There is an error in an ActiveX control that ships with Internet Explorer that could let a web page write files onto your computer. This update fixes that hole.

Get it here - q241361.exe

 


High Profile


Netbus - Netbus is a "backdoor" into your computer system, a back door you most likely didn't even know you had left unlocked. It lets someone else do things on your computer without you having any say in the matter.

Note: There is a new version of Netbus out (2.0). We'll list more when we find out more about it.

What can it do?
How do you know if it is installed on your computer?
How did it get there?
How do I get rid of it?

What can it do? If Netbus is installed on your computer a hacker can do the following on your computer:

     Open/Close CD-ROM.
     Show optional BMP/JPG image.
     Swap mouse buttons.
     Start optional application.
     Play a wav file.
     Control mouse.
     Show different kinds of messages.
     Shut down Windows.
     Download optional file. 
     Go to an optional URL.
     Send keystrokes.
     Listen for and send keystrokes (They could get your MHC password and do even more damage).
     Take a screen dump.
     Increase and decrease the sound-volume.
     Record sounds from the microphone.
     Upload optional file.
     Make click sounds every time a key is pressed.

As you can see, it is a pretty dangerous program.

How do you know if it is installed on your computer? If you start to notice odd things happening, such as dialog boxes popping up on your screen, or any of the strange behaviour listed above, you may have been "hit". You can also telnet to your own computer on port 12345 or 12346 and see whether anything answers. You would do this by typing:

telnet 138.110.xxx.xxx 12345

Put your actual IP address in place of the xxx.xxx (run winipcfg.exe if you're not sure what your IP number is). If the connection is refused, Netbus is not listening on that port; if something answers, you have a problem.
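The telnet test above, done from a script, as an added example (not code from the original page or from Netbus itself). It connects to the two default ports, reads whatever greets it, and checks for the "NetBus" banner that the 1.x server sends on connection; the exact banner text is an assumption for this example, and the loopback "fake server" exists only so the example runs without an infected machine.

```python
import socket
import threading

NETBUS_PORTS = (12345, 12346)

def probe_banner(host: str, port: int, timeout: float = 2.0):
    """Connect to host:port and return the first thing the service says, or
    None if the port is closed, unreachable or silent. Same check as
    'telnet host 12345', minus the typing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(64)
    except OSError:  # refused, unreachable, or timed out
        return None
    text = data.decode("latin-1", "replace").strip()
    return text or None

def looks_like_netbus(banner) -> bool:
    """NetBus 1.x servers greet a new connection with a line starting 'NetBus'
    followed by the version (assumption used by this example)."""
    return banner is not None and banner.lower().startswith("netbus")

def scan_host(host: str, ports=NETBUS_PORTS) -> dict:
    """Map each port that answers to the banner it sent."""
    results = {}
    for port in ports:
        banner = probe_banner(host, port)
        if banner is not None:
            results[port] = banner
    return results

def start_fake_netbus(banner: bytes = b"NetBus 1.70\r") -> int:
    """Constructed stand-in for an infected machine so the example runs
    offline: a loopback listener that greets one client with the banner and
    then goes away. Returns the port it is listening on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_netbus()
    for p, b in scan_host("127.0.0.1", (port,)).items():
        verdict = "NetBus!" if looks_like_netbus(b) else "unknown service"
        print(f"port {p}: {b!r} -> {verdict}")
```

Run it against your own address with the default port list; a silent or refused port means nothing is listening there, but remember that a renamed or reconfigured server can sit on any port.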

How did it get there? Netbus can be installed in the background while you install a completely different program. For example, you download a new screen saver from the Internet, run the install program that came with it, and Netbus was hidden inside. This doesn't mean you shouldn't download software from the Internet, or that all software is affected, but it does mean you should be careful.

How do I get rid of it? That depends on which version is installed. (The following is taken directly from the people who wrote it.)

NetBus 1.5x removal:

    Find out the name of the NetBus-server (which is most often SysEdit.exe). Go to the tasklist and kill any suspicious process. After each kill, try connecting to port 12345 (telnet localhost 12345), and the moment you can't do that anymore you have found the NetBus-server.

    Most often the NetBus-server starts every time your system (Windows) starts. Of course you can just delete the NetBus-server from your HD, but then you will get an irritating Windows-message at startup telling you that the program could not be started.

    So, before deleting NetBus-server from your HD you either delete the registry-key
    \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[Name of NetBus-server]
    or just run "NetBus_server_name /remove" which will do the same thing. Finally, restart the computer.

    The NetBus-server also consists of the KeyHook.dll file, which you probably find in the same directory (the DLL isn't able to do anything on its own). If you don't find it, someone has forgotten that it's necessary for some of the features to work properly (for example the Listen-function).
     

NetBus 1.6 and 1.7 removal:
    Find out the name of the NetBus-server (which is most often Patch.exe). Run RegEdit.exe and look up the registry-key:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
    From that key you should be able to sort out the NetBus server program (again, most often Patch) from the others.

    When you've found the suspicious entry, do a file-search for "[Name of the NetBus-server].exe" on your system. Finally run "[Name of NetBus-server].exe /remove". If you've run the NetBus server you should see that it just starts and ends quickly without any user-interaction. That's just fine.

    An easier approach, could be to use the NetBus-client (NetBus.exe) yourself, connect to localhost, choose "Server admin" and click on the "Remove server" button.
     

Back Orifice - Back Orifice, or BO, is a backdoor program that runs on Windows 95/98 (the later BO2K release also runs on Windows NT). It allows anyone who knows the port it is listening on to control that host.
 

What can it do?
How do you know if it is installed on your computer?
How did it get there?
How do I get rid of it?

What can it do? With BO installed on your computer, it can do the following:

Execute commands.
List files.
Start or stop services (silently).
Share directories.
Upload files.
Download files.
Edit the registry.
List and kill processes.

How do you know if it is installed on your computer? While Netbus uses a fixed default port, BO lets the attacker choose the port, which makes it harder to detect. It defaults to UDP port 31337. It never hurts to check whether it is installed, but if you start to experience strange things you should be suspicious. A better hacker will keep things as "quiet" as possible to avoid suspicion.
It installs a program called " .exe" (space.exe) into your Windows system directory (usually c:\windows\system on Windows 95/98).

It creates a registry value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices whose name is the server file name and whose description is either "(Default)" or whatever the attacker specified. The file is approximately 124,928 bytes.

It will start listening on a port (usually UDP port 31337).

Use the netstat program that comes with Windows to list the ports that are listening on your computer. For example: c:\>netstat -an | find "UDP"
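As an added example, not code from the original page, here is the netstat check done programmatically: it parses the text that netstat -an prints on Windows, keeps only TCP ports in LISTENING state and all UDP ports, and reports any that match the default ports of the three backdoors on this page (Netbus, Back Orifice, and SubSeven from the section below). The netstat output is constructed for the example; the 138.110.x.x addresses are placeholders on the college's own range.

```python
# Ports the backdoors on this page use by default. BO and SubSeven can be told
# to use any port, so a clean report here does not prove a machine is clean.
WATCHLIST = {
    ("TCP", 12345): "NetBus",
    ("TCP", 12346): "NetBus",
    ("UDP", 31337): "Back Orifice (default port)",
    ("TCP", 27374): "SubSeven (default port)",
}

def listening_sockets(netstat_output: str):
    """Parse 'netstat -an' text (Windows layout) into (proto, port) pairs that
    accept traffic: TCP lines in LISTENING state and every UDP line."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column headings, blank lines
        proto, local = parts[0], parts[1]
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # established or closing connections are not listeners
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        found.append((proto, port))
    return found

def suspicious_ports(netstat_output: str):
    """Return [(proto, port, name)] for listening ports on the watch list."""
    return [(proto, port, WATCHLIST[(proto, port)])
            for proto, port in listening_sockets(netstat_output)
            if (proto, port) in WATCHLIST]

# Constructed sample of 'netstat -an' output from an infected machine.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    138.110.20.7:139       0.0.0.0:0              LISTENING
  TCP    138.110.20.7:1031      138.110.1.5:110        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for proto, port, name in suspicious_ports(SAMPLE):
        print(f"{proto} port {port} is listening: {name}")
```

To use it on a real machine, save the output of netstat -an to a file and feed its contents to suspicious_ports(); anything it reports deserves the removal steps described on this page.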

How did it get there? Like Netbus, it has to be installed. On Windows NT it must be installed by a member of the Administrators group, which makes it a bit harder to get onto your computer, but still not impossible. It can also be installed along with some other program without you being aware of it at all. Once again, you should be careful.

How do I get rid of it? BO can be removed by deleting the program and the registry entry. But that may not be enough: you do not know what else was done through the backdoor while it was there. Unfortunately, the safest solution is to reformat and start over.

SubSeven - SubSeven is a nasty trojan that makes Netbus look like a walk in the park. It is updated constantly, adding more "features" each time, and the fact that it is also highly configurable makes it even more dangerous.

What can it do?
How do you know if it is installed on your computer?
How did it get there?
How do I get rid of it?

What can it do? Subseven's list of "features" is long. VERY LONG. Here is a partial list:

Remote IP scanner
Host lookup
Get Windows CD-KEY
Update victim from URL
ICQ takeover
Retrieve dial-up passwords along with phone numbers and usernames
Port redirect
IRC bot
Make folder, delete folder [empty or full]
Clipboard manager [EDIT SERVER CHANGES]
Pick random port on server startup
Restart server
AOL Instant messenger spy
Yahoo messenger spy
Microsoft messenger spy
Retrieve list of ICQ usernames and passwords
Retrieve list of AIM users and passwords
App redirect
Edit file
Perform clicks on victim’s desktop
Set/change screen saver settings [Scrolling Marquee]
Restart Windows
Ping server
IP Tool [Resolve Host names/Ping IP addresses]
Get victim’s home info
Automatically Display Image when downloaded [jpg, bmp]
Open Web Browser to specified location
Restart Windows [5 methods]:
    Normal shutdown
    Forced Windows shutdown
    Log off Windows user
    Shutdown Windows and turn off computer
    Reboot System
Reverse/restore Mouse buttons
Hide/Show Mouse Pointer
Control Mouse

How do you know if it is installed on your computer? By default it listens on port 27374, but be aware that this is very easy to change. If you find strange things happening on your computer (such as the list above), then look for the following.

By default it adds itself to one or more of the following startup locations:

"shell=" in SYSTEM.INI
"load=" or "run=" in WIN.INI
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

How did it get there? It can be installed in a number of ways: running a program sent to you over ICQ, viewing a Shockwave movie, or opening an email attachment. REMEMBER! If you don't know the source of the message, don't open it.

How do I get rid of it? The best way is to follow these steps:

Delete the executable file.
Remove or correct the registry startup entries.
Correct the changed settings in win.ini and system.ini.
Reboot.
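The win.ini and system.ini part of the check and clean-up above, as an added example (not code from the original page or from SubSeven). It reads the two files as text, reports the shell=, load= and run= lines whose values differ from a stock Windows 9x/ME install, and writes the stock values back while leaving every other line alone. The registry entries are not modelled, since they cannot be read from a script on another platform. The sample file contents and the file names in them (rundll16.exe, systray32.exe) are constructed for the example and are not the trojan's real names; the "stock" values assume a default install with Explorer as the shell.

```python
import re

# Values a default Windows 9x/ME install has for the startup keys SubSeven
# edits (assumption: Explorer is the shell and nothing is loaded at logon).
EXPECTED = {
    ("system.ini", "boot", "shell"): "Explorer.exe",
    ("win.ini", "windows", "load"): "",
    ("win.ini", "windows", "run"): "",
}

_SECTION = re.compile(r"\[(.+)\]$")

def _entries(text):
    """Yield (line_no, section, key, value) for each key=value line."""
    section = None
    for no, line in enumerate(text.splitlines()):
        stripped = line.strip()
        m = _SECTION.match(stripped)
        if m:
            section = m.group(1).lower()
            continue
        if "=" in stripped and not stripped.startswith(";"):
            key, value = stripped.split("=", 1)
            yield no, section, key.strip().lower(), value.strip()

def startup_findings(filename, text):
    """Return [(line_no, key, value)] for watched keys whose value is not the
    stock one. filename is 'win.ini' or 'system.ini'."""
    findings = []
    for no, section, key, value in _entries(text):
        expected = EXPECTED.get((filename, section, key))
        if expected is not None and value.lower() != expected.lower():
            findings.append((no, key, value))
    return findings

def clean_startup(filename, text):
    """Return the text with watched keys restored to their stock values and
    every other line untouched. Write the result back and reboot."""
    out = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        m = _SECTION.match(stripped)
        if m:
            section = m.group(1).lower()
        elif "=" in stripped and not stripped.startswith(";"):
            key = stripped.split("=", 1)[0].strip().lower()
            if (filename, section, key) in EXPECTED:
                line = f"{key}={EXPECTED[(filename, section, key)]}"
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed samples of an edited system.ini and win.ini.
SYSTEM_INI = r"""[boot]
shell=Explorer.exe rundll16.exe
drivers=mmsystem.dll

[386Enh]
device=*vpowerd
"""
WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\systray32.exe
NullPort=None
"""

if __name__ == "__main__":
    for name, text in (("system.ini", SYSTEM_INI), ("win.ini", WIN_INI)):
        for no, key, value in startup_findings(name, text):
            print(f"{name} line {no + 1}: {key}={value}")
        print(clean_startup(name, text))
```

A second program name appended to shell=, or anything at all in load= or run=, is the thing to look for; the trojan's file name changes from build to build, so the check keys on the stock values rather than on a name.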

 


Email Attachment Security Hole

There have been several email attachment viruses. What used to be only a hoax is now a very real worry. In the past there were several email hoax viruses, such as the Good Times Virus: people were warned not to open the message if they received it or their hard drives would be erased. That was only a hoax, and there are still a lot of these messages going around. It has always been possible to receive a virus or destructive program as an attachment, and the general rule of thumb was: if you don't know who sent it, don't open it. This latest discovery, which causes a "buffer overflow" in the mail client, affects both Microsoft's Outlook 98 and Netscape. The scary part is that you don't even have to open the attachment for the "virus" to do damage.

It's important to note that if you use pine (by telnetting to Mount Holyoke) you will not be affected by this bug.

Update: Sept 1998. On mhc.mtholyoke.edu, the sendmail version we are now running protects email from this problem. News articles remain vulnerable, but email is not. 

Microsoft's fix can be found here:  Outpatch.exe



Teardrop2 - This modification of the original Teardrop attack works by sending pairs of overlapping IP fragments to a computer running Windows 95 or NT. The TCP/IP stack cannot reassemble the pair correctly and the operating system crashes. On an NT box you would get:
"STOP 0x0000000A or 0x00000019. ntoskrnl!KeBugCheckEx+0x1be"

which is better known as the Blue Screen of Death. Note: this fix is a post-SP3 hot fix; if you plan on installing it, read through the section titled Windows NT Service Packs first.

A Windows 95 box will General Protection Fault and the O.S. will crash.
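To show what "cannot reassemble the pair correctly" means, here is an added example (not code from the original page or from any operating system) of a fragment reassembler that refuses the Teardrop pattern instead of miscalculating. In the classic attack the second fragment's offset falls inside the first fragment and its end falls before the first fragment's end; a vulnerable stack subtracted the overlap from the fragment length, got a negative number, and copied far too much. The fragment tuples below are constructed; offsets are given in bytes rather than the 8-byte units the IP header uses.

```python
MAX_DATAGRAM = 65535

class FragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""

def reassemble(fragments):
    """Reassemble a datagram from (offset, more_fragments, payload) tuples.
    Offsets are in bytes (multiply the header's 8-byte units before calling).
    Returns the payload bytes or raises FragmentError."""
    frags = sorted(fragments, key=lambda f: f[0])
    if not frags:
        raise FragmentError("no fragments")
    buf = bytearray()
    for i, (offset, more, payload) in enumerate(frags):
        end = offset + len(payload)
        if offset < 0 or end > MAX_DATAGRAM:
            raise FragmentError(f"fragment {offset}..{end} outside datagram bounds")
        if offset > len(buf):
            raise FragmentError(f"gap before offset {offset}: a fragment is missing")
        if offset < len(buf):
            # Overlaps data already placed. If the fragment ends inside that
            # data, there is nothing new in it: this is the Teardrop pattern,
            # where a vulnerable stack computed end - len(buf) (negative) as
            # the copy length. A duplicate retransmission also lands here; a
            # real stack would drop it quietly, we raise to make it visible.
            if end <= len(buf):
                raise FragmentError(
                    f"fragment {offset}..{end} lies inside data already assembled")
            payload = payload[len(buf) - offset:]  # keep only the new tail
        buf += payload
        if not more and i != len(frags) - 1:
            raise FragmentError("data follows the fragment marked as last")
    if frags[-1][1]:
        raise FragmentError("last fragment (MF=0) never arrived")
    return bytes(buf)

def is_rejected(fragments) -> bool:
    """True if reassemble() refuses the fragment set."""
    try:
        reassemble(fragments)
    except FragmentError:
        return False or True
    return False

if __name__ == "__main__":
    benign = [(0, True, b"A" * 16), (16, False, b"B" * 8)]
    teardrop = [(0, True, b"A" * 36), (24, False, b"B" * 4)]  # constructed pair
    print(reassemble(benign))
    print("teardrop pair rejected:", is_rejected(teardrop))
```

Ordinary partial overlaps are still accepted (IP allows them, and the newer data simply extends the buffer); only a fragment that adds no new bytes, a gap, or data beyond the last fragment is refused.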

This attack gained popularity when a group of "hackers" used it to attempt an Internet-wide attack on computers running Microsoft operating systems, as a protest against Bill Gates and recent government issues.
 

For more information, please check out Microsoft's Security Bulletin on the matter or Knowledge Base article Q179129.

    The fix: 
      NT - add the latest Service Pack to NT (SP6a).

      Win98 - not affected.

      Win95 - Apply the following patch: 

         

Windows 2000 Service Packs - Service Pack 1 is the only service pack for Windows 2000 released to date. If you are planning to download it, be aware that it is over 80 MB.

SP1 -Windows 2000 SP1


Windows NT Service Packs - These are fixes to the operating system, released every now and then as new bugs are found. For Windows NT 4.0 there have been 6 (7 if you count 6a separately). Service packs are cumulative, each containing all previous ones, so if you install Service Pack 3 you don't need to install Service Packs 1 or 2.

Between service packs bugs are still found, so Microsoft releases what it calls post-SP# hot fixes. These are generally rolled into the next service pack, but until that is released the hot fixes are made available on their own.

Below you will find a few of Microsoft's fixes as well as Service Pack 3. For the full list you should go to Microsoft's FTP server. Be aware that hot fixes should be installed in the order in which they were released.

    Windows NT 4.0 Service pack 3
     


Windows 95 fixes

Windows 95 was first released way back in August of (of course) 1995. In December of 95 Microsoft released the first and only public service pack. This service pack, OSR1 (or Win95A), fixed several holes discovered in the operating system. A year later (Sept. 96) Microsoft released OSR2 (or Win95B), but only to computer resellers. Then, once again only to resellers, OSR3 (Win95C) was released. Each of these upgrades added more driver support as well as bug fixes.

OSR1 fixes many holes discovered in the original Windows 95 operating system. To learn exactly what it does check out this page

 To determine which version you have: 

    There are four versions of Windows 95: the original release and versions A, B and C. You can tell which one you have from Control Panel > System, General tab, which shows the version number under "System:"

        System: Microsoft Windows 95 4.00.950 * 

    The * will either be a letter A (the original version of Win95 with Service Pack 1 installed, or OSR1), a B (OSR2), a C (OSR3), or nothing (the original version of Win95).

 If you have the original version of Windows 95 you should apply OSR1. 
    Get it - Windows 95 OSR1
Kernel Update - Soon after Microsoft released OSR1, they found a memory leak in the Windows Sockets API. Over time, applications that open many sockets (such as Netscape and telnet programs) would hold on to memory that was no longer in use. To fix this, Microsoft released a patch called a Kernel Update. Apply it only if you have the original or A version of 95.


Password Fix - Another problem Microsoft found after releasing OSR1 was in its password caching: the cached-password (.PWL) files were poorly protected, so the passwords stored in them could be recovered. Caching your password is NOT a good idea and should be turned off. If you are going to use it anyway, the following patch may help. (Note: I have not found this patch to work 100% of the time.) Apply it only if you have the original or A version of 95.
 

 


This page is written and maintained by Kevin Slate