Installing Legit Win2000 Pro SP4, but getting 2 Trojans every time.


Jason Doucette

I have a legit copy of Win2000 Pro SP4, and a legit key. Both times I've
installed it, I noticed strange behaviour -- a "26e.tmp" program running
that refuses to shut itself down, and Windows Update not working after a few
updates. Both times I found the SAME Trojans on the system:

- Win32:Ranky-FZ (a backdoor Trojan that allows people to use your machine
as a proxy server)
- Win32:IrcBot-BDG (another backdoor)

How are these getting installed? I don't visit any webpages except for
Windows Update. The system is connected to the Internet. The Messenger
service is running by default, which gets spam (I shut that off with GRC's
"Shoot The Messenger" application), but I don't think this is a security
issue.

I thought perhaps this flaw is allowing them to get in:
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

How can I install Win2000 Pro SP4, and all security updates without getting
bit in the meantime?
 

John John

Jason said:
I have a legit copy of Win2000 Pro SP4, and a legit key. Both times I've
installed it, I noticed strange behaviour -- a "26e.tmp" program running
that refuses to shut itself down, and Windows Update not working after a few
updates. Both times I found the SAME Trojans on the system:

- Win32:Ranky-FZ (a backdoor Trojan that allows people to use your machine
as a proxy server)
- Win32:IrcBot-BDG (another backdoor)

How are these getting installed? I don't visit any webpages except for
Windows Update. The system is connected to the Internet. The Messenger
service is running by default, which gets spam (I shut that off with GRC's
"Shoot The Messenger" application), but I don't think this is a security
issue.

I thought perhaps this flaw is allowing them to get in:
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

How can I install Win2000 Pro SP4, and all security updates without getting
bit in the meantime?

DO NOT connect the unpatched computer to the internet without a properly
configured firewall! As installed, Windows 2000 is EXTREMELY vulnerable
to worms and viruses if not properly protected. In addition, install
these *before* connecting to the internet:

http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

Windows 2000 Update Rollup 1 for Service Pack 4
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/rollup.mspx

John
 

Craig Roberts

Can an ordinary home router with network address translation (NAT) provide
a substitute for a firewall?

Thanks.

Craig
 

Jason Doucette

John,

Thanks for your great reply. Before reading it, I had tried installing the
following before connecting to the internet:

Security Update for Windows 2000 (KB899588) (MS05-039)
Security Update for Windows 2000 (KB921883) (MS06-040)

This STOPPED the two Trojans I mentioned. :) However, another one got in,
Win32 SdBot-gen44 :(

DO NOT connect the unpatched computer to the internet without a properly
configured firewall! As installed, Windows 2000 is EXTREMELY vulnerable
to worms and viruses if not properly protected. In addition, install these
*before* connecting to the internet:

http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

Windows 2000 Update Rollup 1 for Service Pack 4
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/rollup.mspx

Ok, I will install all of these the next time I try. But... how do I
install a properly configured firewall? Do I need a 3rd party app for this
(I assume Win2000 doesn't have the Windows firewall that WinXP does)? Can I
use a router for this?

I've read that Win2000 has a lot of open 'holes' by default, that admins
should close. Is there anything I should do to Win2000 in terms of changing
settings immediately after (or during) install? I don't know how to answer
the question regarding my network during install. I say I'm connected to a
LAN, but does this open up anything that should be closed? As you can see,
I have absolutely no experience with Win2000...

Your help is greatly appreciated! Thanks for your time,
 

Jason Doucette

Alan,

Install behind a router.

Because this acts as a firewall?

Are you sure the cd is legit?

99.9% sure. It was a copy of a legit Win2000 Pro SP4 golden colored CD. I
saw the original as the copy was handed to me, immediately after my friend
burned it from the original. I didn't witness the burn, so I can't be 100%
certain.

You don't need any 3rd party application to stop a Service.

Right-click on Taskbar, select Properties, select Advanced, select
"Display Administrative Tools" and "Expand Control Panel".

Now for any Service such as Messenger just go to
Start/Settings/Control Panel/Administrative Tools/Services to stop a
service and mark it as Disabled.

Ok, thanks. "Shoot the Messenger" is just very convenient, and easy to use.
It's a quick way to check, and modify, that particular setting.

Just be sure you check that there are not any services that depend
on the service you are stopping.

I don't think the messenger service is insecure -- it's just annoying. I
just shut it off, anyway, just in case. That's the only service I was
interested in stopping.
 

John John

Jason said:
John,

Thanks for your great reply. Before reading it, I had tried installing the
following before connecting to the internet:

Security Update for Windows 2000 (KB899588) (MS05-039)
Security Update for Windows 2000 (KB921883) (MS06-040)

This STOPPED the two Trojans I mentioned. :) However, another one got in,
Win32 SdBot-gen44 :(




Ok, I will install all of these the next time I try. But... how do I
install a properly configured firewall? Do I need a 3rd party app for this
(I assume Win2000 doesn't have the Windows firewall that WinXP does)? Can I
use a router for this?

I've read that Win2000 has a lot of open 'holes' by default, that admins
should close. Is there anything I should do to Win2000 in terms of changing
settings immediately after (or during) install? I don't know how to answer
the question regarding my network during install. I say I'm connected to a
LAN, but does this open up anything that should be closed? As you can see,
I have absolutely no experience with Win2000...

Your help is greatly appreciated! Thanks for your time,

If you have a firewall and the above mentioned patches + SP4 your
installation will be safe enough to make it to the Windows Update site
where you can download and install security updates for your
installation. With regards to security vulnerabilities Windows 2000 is
still being supported by Microsoft and security updates are still being
published for it, that will be so until about 2010. Windows 2000 is no
less secure than Windows XP, except that XP has a built in software
firewall. For all it's worth, I personally am not overly impressed with
the built in XP firewall and always replace it.

Windows 2000 ships with Internet Explorer 5, you should upgrade it to IE
6 SP1. A router can serve as a firewall, consult the documentation that
came with it. A software or personal firewall can also be used if you
have no router. Even if you have a router, a software firewall is still
a good thing to have, it will alert you if something on your computer is
trying to connect to the internet. There are several free personal
firewalls available, just do a search and you will find something that suits you.
Personally I like an older version of Kerio (now Sunbelt). Version
2.1.5 has a small footprint and works well with older Windows versions,
you can download it here:
http://www.sunbelt-software.com/ihs/alex/keriopf215.zip

As for the LAN question when you install, are you on a LAN? If not
disable File and Printer Sharing.

John
 

Jason Doucette

John,

If you have a firewall and the above mentioned patches + SP4 your
installation will be safe enough to make it to the Windows Update site
where you can download and install security updates for your
installation.

Ok, so I will install the patches you mentioned, and the firewall that you
recommend, and give it a shot.

With regards to security vulnerabilities Windows 2000 is
still being supported by Microsoft and security updates are still being
published for it, that will be so until about 2010. Windows 2000 is no
less secure than Windows XP, except that XP has a built in software
firewall. For all it's worth, I personally am not overly impressed with
the built in XP firewall and always replace it.

Ok.


Windows 2000 ships with Internet Explorer 5, you should upgrade it to IE
6 SP1.

Yes, that was one of the first things I did. In fact, Windows Update
doesn't work with IE5, so I have to.

A router can serve as a firewall, consult the documentation that
came with it. A software or personal firewall can also be used if you
have no router. Even if you have a router, a software firewall is still a
good thing to have, it will alert you if something on your computer is
trying to connect to the internet. There are several free personal
firewalls available, just do a search and you will find something that suits you.
Personally I like an older version of Kerio (now Sunbelt). Version 2.1.5
has a small footprint and works well with older Windows versions, you can
download it here: http://www.sunbelt-software.com/ihs/alex/keriopf215.zip

I don't have a router, just a hub. I don't care about the size of the
footprint. Do you think that the latest version of Kerio / Sunbelt would be
more secure?

As for the LAN question when you install, are you on a LAN? If not
disable File and Printer Sharing.

I am connected through a hub to the Internet. So, when it asks for how I am
connected to the Internet, what should I answer? I have no reason for File
or Printer Sharing, so I will disable these, as well.


Thanks for all your help, John. It is greatly appreciated.
 

Jason Doucette

Alan,

Thanks for the detailed information. I am not concerned with what services
are running. I have a few machines that I will be installing Win2000 on, so
I just want to do the quickest (secure) install. I only disabled the
messenger service because of its annoyance.

Thanks for your time,
 

John John

Jason said:
John,




Ok, so I will install the patches you mentioned, and the firewall that you
recommend, and give it a shot.





Yes, that was one of the first things I did. In fact, Windows Update
doesn't work with IE5, so I have to.





I don't have a router, just a hub. I don't care about the size of the
footprint. Do you think that the latest version of Kerio / Sunbelt would be
more secure?

There was a mention that the older Kerio might have a flaw but it isn't
a major problem for me, I just find that the older 2.1.5 version works
well, but I haven't tried the newer versions. Try the newer version and
if you don't like it you can change it.

I am connected through a hub to the Internet. So, when it asks for how I am
connected to the Internet, what should I answer?

I think that would just be like a normal setup, except that the
connection goes through the hub instead of directly to the wall
connection. Through a LAN would be if another computer or server was
doing the connection for your computer, like ICS. You are only going
through a hub, you aren't relying on a LAN member for the connection,
the connection is done by your computer.

I have no reason for File
or Printer Sharing, so I will disable these, as well.

Thanks for all your help, John. It is greatly appreciated.

You're welcome.

John
 

Jason Doucette

John,

All of your help appears to have worked. Thanks!! :)

I have one more concern: After running Ad-Aware on the fresh install of
Win2000 Pro SP4 + all updates, it finds traces of Alexa in the registry, 8
times. The description always says:

"Installed with Internet Explorer and some Microsoft updates. Alexa is the
"What's Related links" feature on your Internet Explorer toolbar. Alexa
technology uses a 'web crawler' (bot) only when the toolbar is in use."

I didn't install the Alexa toolbar, and I am surprised these registry
entries exist, and I am also surprised that Ad-Aware claims that it is
installed with IE and some MS updates.

Have you run into this before? Information on the web regarding this is
rare.
 

John John

You're welcome, Jason.

As for the Internet Explorer deal and Alexa I have to say that although
I am surprised to read your findings, it is the kind of thing that I
have sort of come to expect from IE!

IE is not one of my strong points, but my guess is that your ActiveX
settings (in the IE Security Settings) are probably too weak. Maybe
someone else reading here has a better explanation of why Alexa BHO
installed itself without your knowledge. I have personally never
experienced this, but then that is to be expected because I never use
IE! I would get rid of Alexa if I were you. Maybe someone who has more
in depth knowledge of IE can help you further with this.

John
 

Jason Doucette

John,

The Alexa toolbar itself wasn't installed. It was only these 8 registry
entries that Ad-Aware found. I found it strange that the registry entries
would exist, but not the program. And, how could anything be installed when
I didn't ask for it? I haven't surfed to any sites, yet. In fact, I
haven't even set up the Internet Connection Wizard, so I can't surf
anywhere. I haven't even gone to Windows Update's website, yet! I've been
letting the Automatic Updates do its thing.

The only conclusion I can come to is that Ad-Aware's description is right --
that it is installed with some of MS's updates. Strange, to say the least.
If this is the case, then someone else would find the same thing as I have,
so I thought I'd ask.

Thanks,
 

John John

Ok, I see. Just have AdAware get rid of the entries. When IE5 was
being developed & beta tested some third party vendors were working with
Microsoft, Alexa was one of them. As far as I know Microsoft never
opted to make these third party components automatically install with
Internet Explorer but the collaboration of these third party vendors
would explain the presence of these keys in the registry. Although not
automatically installed, IE was probably made quasi ready for these third
party components.

John
 

Jason Doucette

Ok, I see. Just have AdAware get rid of the entries.

Yup.

When IE5 was being developed & beta tested some third party vendors were
working with Microsoft, Alexa was one of them.

Ah.


As far as I know Microsoft never opted to make these third party
components automatically install with Internet Explorer but the
collaboration of these third party vendors would explain the presence of
these keys in the registry. Although not automatically installed, IE was
probably made quasi ready for these third party components.

Yes, that makes sense. I guess all the facts lead to this, but it was so
surprising I needed to hear it from someone knowledgeable. Thanks, John.
 

John John

Jason said:
Yes, that makes sense. I guess all the facts lead to this, but it was so
surprising I needed to hear it from someone knowledgeable. Thanks, John.

No problem, you're welcome.

John
 

Jason Doucette

John,

DO NOT connect the unpatched computer to the internet without a properly
configured firewall! As installed, Windows 2000 is EXTREMELY vulnerable
to worms and viruses if not properly protected. In addition, install these
*before* connecting to the internet:

http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

Windows 2000 Update Rollup 1 for Service Pack 4
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/rollup.mspx

I installed Windows 2000 Update Rollup 1 for Service Pack 4, and it asked to
reboot. Then, I installed MS03-043, and it asked to reboot. But, when I
installed MS03-049, it didn't ask to reboot (which is what happens when you
try and install something that you already have), so maybe it already exists
in the Rollup?

Not a big deal.
 

John John

Jason said:
John,




I installed Windows 2000 Update Rollup 1 for Service Pack 4, and it asked to
reboot. Then, I installed MS03-043, and it asked to reboot. But, when I
installed MS03-049, it didn't ask to reboot (which is what happens when you
try and install something that you already have), so maybe it already exists
in the Rollup?

Yes it is already in the SRP, you can see here for a list of fixes that
are included in the Update Rollup:
http://support.microsoft.com/kb/891861

Also, although many or most hotfixes require a reboot, not all
necessarily do.

Not a big deal.

No, for the most part it hurts nothing to install the same update twice.

John
 

Jason Doucette

http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://support.microsoft.com/kb/891861

MS03-043 Buffer overrun in Messenger service could allow code execution
828035 (http://support.microsoft.com/kb/828035/)
MS03-049 Buffer overrun in the Workstation service could allow code
execution 828749 (http://support.microsoft.com/kb/828749/)

So they are both in the Rollup. (For some reason MS03-043 asks to reboot
even though it was already installed by the rollup, so I assumed it wasn't.)
I am curious about this because I'm installing Win2000 on a few machines,
and want to speed up the process as much as possible.

Thanks again for your help, John.
 
