[wplug] Windows - Is this happening to you too?

Bill Moran wmoran at potentialtech.com
Sat May 29 13:47:41 EDT 2004


A. McCullough wrote:
> Happening in Windows XP too.
> In fact, there's another new exploit - since Bill Gates decided to make Windows
> a giant web portal, so to speak. Any version of Windows that uses compiled help
> files (help files with a .chm extension) are open to attack on that front now -
> I've just spent two weeks cleaning out my significant other's WindowsXP box from
> a trojan that started with an unauthorized download of an innocuous file called
> "start.chm"; it allowed a .dll to download that constantly reset his browser's
> home page to a porn site. All he did was look at a web page (wasn't even the
> page he was trying to find) and all h#ll broke loose.

I don't believe this for a second.  I use XP on one of the computers I use here
at the office, and I do quite a bit of recreational browsing on it as well, yet
have _never_ gotten any spy/adware.

I can only assume that folks do things that they _think_ are "just visiting a
page" and install the junk.  Either that, or they're just too embarrassed by
what they do online to admit it.

> He's running antiviral
> software,

AV software doesn't recognize or prevent ANY adware.  I have theories as to why
this is so, but no proof.

> a firewall,

Does he?  Most people I talk to who _think_ they have a firewall only have a NAT
box.  NAT is not security.  Even if he _does_ have a firewall, if it's in the
default config, it's not any protection against adware.

> and several anti-adware programs and it still got in.

In my experience, various adware blockers will block _some_ adware, but not all.

> What worries me is that if Linux catches on to the extent Windows has,
> eventually the same thing will happen to Linux.

True, and I'll be able to say something similar to what I said about Windows:
properly secure the box and educate users and the incidence will go down
dramatically.

> Sooner or later there'll be some
> clever s.o.b. who'll figure out how to annoy the h*ll out of Linux users too.

It's already been done.  It's just that most Linux users _don't_ use their system
as root, whereas _everyone_ on a Windows 9x box is root, and most home users of
Win XP are running as a root-equivalent account.  Additionally, (and this is the
one that really amazes me) most small businesses allow their employees to run
as a root-equivalent account.

If Microsoft were smart, they wouldn't have ANY root account on Win XP.  They'd
just have a security technique where attempting to do anything that required
admin privvies would pop up a warning box that alerted the user to potential
danger and asked for the admin password.  They sort of do this now, except they
missed the critical other side to it ... not letting users run with admin
privvies all the time.

> 
> Cheers,
> Anna
> 
> ----- Original Message ----- 
> From: "Robert E. Coutch" <robert.coutch at verizon.net>
> To: <wplug at wplug.org>
> Sent: Friday, May 28, 2004 10:40 PM
> Subject: [wplug] Windows - Is this happening to you too?
> 
> 
> 
>>Hi all,
>>
>>I'm sooooooo glad I'm running Linux.
>>
>>I have been inundated with Windows 98 PCs lately with pretty much the
>>same problem.
>>
>>They all have ads, toolbars and other unsolicited software installed.
>>
>>After spending DAYS working on the problem here's what I have found.
>>
>>Spy-bot, Adaware, and virus checkers do not cure the problem.
>>
>>Adaware finds most of the problems and removes them but then they reappear
>>after reboot. Even after cleaning up the registry and other startup files.
>>
>>The folks who write this crapware to infect Windows PCs are getting better at
>>their craft.  It's no longer enough to clean out a few registry keys and
>>remove a few program files off the hard drive.
>>
>>It seems they have started using dll files that look like normal system files
>>to load the unwanted software.  Some of these dll's look like part of the
>>printing subsystem but are actually downloading and installing toolbars,
>>search links and so on.
>>
>>So far I've only seen this on PCs running Windows 98.
>>I want to know if anyone has seen this sort of nonsense going on with other
>>versions of Windows.
>>
>>None of the tools I've found have the ability to fully remove and block this
>>stuff. Does anyone have any suggestions that I should try?
>>
>>I've been cleaning out the registry by hand one suspicious class id at a time.
>>This is a very looooong and tricky process.
>>
>>The wife is actually considering switching to Linux because while her machine
>>was down, she used mine.  She's also considering a Mac.
>>
>>I don't think my paying clients will even consider going Linux or Mac but I
>>don't want to recommend they "upgrade" to XP unless I can be sure this is not
>>happening (yet) with that version of Windows.
>>
>>Can any of you help me or point me in the right direction?

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
