Windows Secrets


Windows Secrets Newsletter • Issue 182 • 2009-01-22 • Circulation: over 400,000


Table of contents 
  • Introduction: A free bonus download for accidental admins
  • Top Story: Keep the latest worm infestation off your PC
  • Wacky Web Week: The Force is not strong with this one
  • LangaList Plus: Fix the dreaded ‘Run DLL as an App’ error
  • Best Software: Sites let you fix photos for free from anywhere
  • Perimeter Scan: How you can end a rootkit infection (as I had to)

 
Introduction

A free bonus download for accidental admins

By Brian Livingston

With big names like Woody Leonhard and Fred Langa writing for the newsletter every week, I haven’t been writing many columns myself lately.

That gives me the time to help edit everything into one big publication for you, and also squeeze great advance information out of other publishers, like this month’s free bonus download.

Many Windows Secrets readers were put in charge of entire computing systems because they knew how to use a command line or simply looked like they’d know what to do. If you’ve ever found yourself responsible for systems administration without a leg to stand on (or you just have a few questions), you’ll find a new guide from No Starch Press to be an indispensable resource.

Windows Secrets has licensed two full chapters of Network Know-How: An Essential Guide for the Accidental Admin.

The printed book won’t be available until late February, but our exclusive excerpt is available to all Windows Secrets subscribers through Feb. 25, free of charge.

To get your bonus, use the link below to visit your preferences page. Make sure your settings are the way you want them, press the Save button, and a download link will appear.

Free and paid subscribers: Set your preferences and download your bonus

Info on the printed book: United States / Canada / Elsewhere

Thanks for your support, and I hope you like this month’s special bonus.

No newsletter on Jan. 29; next one’ll be Feb. 5

We don’t usually publish a new batch of content when a 5th Thursday of the month comes around. That happens this month on Jan. 29, which means our writers will get a week off. If some major event does occur, we’ll put out a short “news update” to let you know.

Otherwise, our next newsletter will come out on Feb. 5. See you then!

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.

 
Top Story

Keep the latest worm infestation off your PC

By Woody Leonhard

It’s been a hellacious week for security admins all over the world: the polymorphic worm known as Downadup, Conficker, and Kido has infected millions of computers.

Fortunately, you can scan, scour, and secure your systems by following four relatively simple steps.

Remember the patch that Microsoft released suddenly — “out of cycle” in the parlance — back in October 2008? Windows Secrets followed suit with an out-of-cycle news bulletin about the patch on Oct. 24. Susan Bradley recommended that readers immediately install the update described in MS08-067 (KB article 958644) to protect against “a remote-code attack that could spread wildly across the Internet.”

Just as Susan predicted, the remote-code attacks started appearing shortly thereafter. On Oct. 26, Christopher Budd of the Microsoft Security Response Center posted the following in the MSRC blog:

“We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we’ve not seen evidence of public, reliable exploit code showing code execution.”

By mid-November, the Microsoft Malware Protection Center (MMPC) said in a blog posting that it had collected “over 50 distinct exploits of this vulnerability.” However, MMPC said the instances were very limited: “We’re getting a very small number of customer reports for these attacks.”

Then Conficker.A hit the fan. (McAfee and Microsoft call the worm “Conficker,” Sophos uses the name “Confick,” and Symantec and F-Secure call it “Downadup”; but it’s the same virus.) By Nov. 25, MMPC was raising the alarm on its blog in an attempt to get individuals and — especially — organizations to install the MS08-067 patch, which stops Conficker.A dead in its tracks.

At this point, the Conficker furor should’ve died down and the worm been relegated to the history books. Two inexorable forces, however, combined in early January 2009 to give the worm new life: system admins who weren’t applying key patches and a ferociously fecund variant called Conficker.B.

UPDATE 2009-03-30: In his March 30, 2009, Top Story, editorial director Brian Livingston describes how to prepare for Conficker’s activation date.


How Conficker differs from other worms

In the not-so-good old days, Conficker.A arrived as a Trojan: in order to infect a PC, somebody had to run an infected program on the machine. It could also try to hit your machine directly, but any sort of firewall would thwart that attack. If the infected system was attached to a network, Conficker.A used the hole (that MS08-067 closes) to spread to other computers on the network. This modus operandi is kinda boring but moderately effective.

Conficker.B uses the Conficker.A approach, plus a whole lot more — as a “blended threat,” it’s an equal-opportunity infecter. The MMPC’s TechNet blog offers an excellent, graphical overview of the ways that Conficker.B can get into your network. Here are the main attack vectors:
  • Conficker.B uses the old Conficker.A approach: simple Trojans that arrive via e-mail or by downloading an infected program.

  • Once a PC on a network is infected, Conficker.B reaches across the network to see whether any of its PCs have not yet patched the MS08-067 hole. After infecting these unprotected PCs, Conficker plugs the MS08-067 hole, presumably so other, similar worms can’t get in. What a sneaky buzzard!

  • If Conficker.B finds that it can’t get into a computer via the MS08-067 hole, it tries to break in by using the standard Windows admin account, entering each of 248 common passwords. This weak password list (which you’ll find under the Analysis tab) includes such all-time favorites as admin, mypass, test, foo, 1111, and many others you may have seen before.

  • Once Conficker.B gains entry to a networked machine, it drops a copy of itself onto the target’s hard drive and creates a scheduled job that runs the infected file. Conficker.B also loads itself onto all accessible shared folders. Ho-hum.

  • Finally, Conficker.B scans and infects all removable devices on the system, including USB drives and external hard drives.

That last step intrigues me the most because the person or persons who wrote Conficker gave the USB-drive-infection routine a diabolical little twist. As you might expect, the infection comes in the form of an autorun.inf file, which (usually) runs automatically when the USB stick gets stuck in the computer. But the social engineering in that autorun.inf file is quite remarkable.

The worm’s tricky twist on autorun.inf

Bojan Zdrnja at the SANS Internet Storm Center detailed in this blog post how Conficker.B’s autorun.inf file works. To see the brilliance in the deception, it helps to understand how autorun.inf files usually work.

Let’s say I put an autorun.inf file on an empty USB drive that includes the following command:

[Autorun]
open=ACoolProgram.exe


Then I stick a file called ACoolProgram.exe on the USB drive. When I plug that USB drive into a bone-stock Vista machine, I get the AutoPlay notification message shown in Figure 1.

Figure 1. Vista’s AutoPlay displaying the results of a normal autorun.inf file.

On the other hand, if I wanted to get tricky, I could change autorun.inf so it takes over the default wording on Vista’s Autoplay dialog. This autorun.inf file does that very thing:

[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
open=ACoolProgram.exe


When this file is placed on a USB drive that’s inserted into a stock Vista PC, the AutoPlay notification shown in Figure 2 appears.

Figure 2. Vista’s AutoPlay with a slightly altered autorun.inf file.

Note that the altered file pastes an icon into the AutoPlay notification that looks just like a folder icon. The autorun.inf file can say it’s going to open a folder when in fact it’s going to run an executable program.

When Conficker.B infects a USB drive, it creates just this type of autorun.inf file that pops up an AutoPlay notification identical to Figure 2. Clever — and for PC users, scary. Amazingly, this bit of autorun.inf infectious sleight-of-hand also works on the beta version of Windows 7.
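As an added example (not code from the article, from SANS, or from any vendor), here is a small Python triage script that parses the two autorun.inf files shown above and flags the pattern the article describes: an Action or Icon entry copied from the genuine folder prompt while open= actually launches a program. The two autorun.inf samples are embedded as constructed input, and the benign/executable/deceptive verdict rules are this example’s own assumption, not a published signature. Pointed at a mounted drive root, it checks whatever autorun.inf it finds there.

```python
"""Triage helper for autorun.inf files that imitate Vista's folder prompt.

Added example, not code from the Windows Secrets article: it parses the two
autorun.inf variants the article shows (embedded below as constructed
samples) and flags the deception the article describes, i.e. an Action or
Icon entry that mimics the built-in "Open folder to view files" choice while
open= launches a program. The verdict rules are this example's own assumption.
"""
import os
import re
import sys

# Extensions Windows executes rather than displays when handed to open=.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf"}

# Wording from the genuine AutoPlay folder entry that a deceptive file reuses.
FOLDER_PHRASES = ("open folder", "view files")

# Constructed samples: the "normal" and the "fancy" autorun.inf from the article.
NORMAL_AUTORUN = """[Autorun]
open=ACoolProgram.exe
"""

DECEPTIVE_AUTORUN = """[Autorun]
Action=Open folder to view files
Icon=%systemroot%\\system32\\shell32.dll,4
open=ACoolProgram.exe
"""


def parse_autorun(text):
    """Return {section: {key: value}} with section and key names lower-cased.

    autorun.inf is INI-style and Windows matches its keys case-insensitively,
    so names are normalised here; lines that are not key=value are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_target(entries):
    """The file AutoPlay would run: open= or shellexecute=, first token only."""
    for key in ("open", "shellexecute"):
        if entries.get(key):
            return entries[key].split()[0]
    return None


def assess_autorun(text):
    """Classify an autorun.inf as 'benign', 'executable' or 'deceptive'.

    benign     : nothing is launched (only label=, icon= and the like).
    executable : a program is launched; normal for installer media, worth a look.
    deceptive  : a program is launched AND the prompt is dressed up as the
                 folder view, which is the Conficker.B trick from the article.
    """
    entries = parse_autorun(text).get("autorun", {})
    target = launch_target(entries)
    if target is None:
        return "benign", []

    reasons = []
    ext = os.path.splitext(target)[1].lower()
    if ext in EXECUTABLE_EXT:
        reasons.append(f"launches executable {target}")
    else:
        reasons.append(f"launches {target} via the shell")

    action = entries.get("action", "")
    if any(p in action.lower() for p in FOLDER_PHRASES):
        reasons.append(f"Action text imitates the folder view: {action!r}")
    icon = entries.get("icon", "")
    if "shell32.dll" in icon.lower():
        reasons.append(f"Icon borrowed from shell32.dll: {icon}")

    verdict = "deceptive" if len(reasons) > 1 else "executable"
    return verdict, reasons


def scan_root(root):
    """Assess <root>/autorun.inf if one exists; None when the drive has none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        return assess_autorun(fh.read())


if __name__ == "__main__":
    for name, sample in (("normal", NORMAL_AUTORUN), ("deceptive", DECEPTIVE_AUTORUN)):
        verdict, why = assess_autorun(sample)
        print(f"{name}: {verdict}", *why, sep="\n  ")
    for root in sys.argv[1:]:  # e.g. a mounted USB drive root
        print(f"{root}: {scan_root(root)}")
```

Because the article’s point is that the prompt text, not the file name, is what the user sees, the check keys on the Action and Icon entries rather than on the executable name, which a worm can change at will.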

Guide to cleaning and preventing Conficker

As of Jan. 16, 2009, F-Secure estimates in its blog that the number of Conficker-infected PCs jumped from 2.4 million to 8.9 million in just four days. Unfortunately, that number has been increasing by a million infections a day.

I don’t blindly accept F-Secure’s analysis, nor that of any other security-software vendor, but it has become quite apparent that an enormous number of PCs have caught this worm.

Even though a Conficker-infected PC may not be able to access Microsoft.com — and Conficker probably disabled the PC’s automatic-update function, too — getting rid of the worm is surprisingly easy.
  • Step 1: Check your passwords. If you have an administrator account with an easily guessed password, change it. Microsoft provides a guide to strong passwords that includes a link to the company’s online password checker. If somebody other than you controls your computer’s admin password, make sure that person understands the gravity of this situation.

  • Step 2: Make sure you’ve installed the patch described in MS08-067. Open Control Panel’s Add or Remove Programs list to ensure that KB 958644 has been installed. Click Start (plus Run in XP), type appwiz.cpl, and press Enter. In XP, make sure Show updates at the top of the window is checked. In Vista, click View installed updates on the left to see all of your PC’s patches.

    The update in question was probably installed in late October or November of last year; look for Security Update for Microsoft Windows (KB958644). If this patch isn’t installed, browse to Microsoft’s Download Center to retrieve and install it. If your PC is blocked from visiting this site, use a noninfected PC to download the patch to a removable medium and install the update on the wormed PC from that device.

  • Step 3: Run Microsoft’s Malicious Software Removal Tool (MSRT). The latest version of this Microsoft tool identifies and removes all of the Conficker variants I’ve heard about. The easiest way to get MSRT is through Windows Update, but if you can’t get through to that service on the infected PC, borrow a computer and download the tool from Microsoft’s site.

  • Step 4: Disable AutoPlay. If Figure 2 doesn’t convince you of the risk of using Windows’ AutoPlay feature, nothing will. Simply stated, you don’t need AutoPlay that much. Follow the advice in Scott Dunn’s Top Story from the Nov. 8, 2007, issue for comprehensive instructions to disable AutoPlay.
Those four steps will ensure that your PC isn’t one of the million — or nine million, or 12 million — machines currently playing host to the Conficker worm and its variants.
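To turn steps 1, 2 and 4 into something you can re-run after a cleanup, here is an added Python audit script; it is not part of the article, and the article does not supply one. It assumes the installed-update list comes from `wmic qfe get HotFixID` (a constructed copy of that output is embedded), that AutoPlay status is judged by the NoDriveTypeAutoRun policy value rather than by the GUI steps in Scott Dunn’s article, and that the weak-password sample contains only the five entries the article names rather than the worm’s full 248-entry list. Step 3 (running MSRT) is left to the tool itself.

```python
"""Audit checks for three of the four Conficker clean-up steps in the article.

Added example, not the article's own instructions: step 1 (weak admin
password), step 2 (KB958644 present) and step 4 (AutoPlay disabled) are
written as pure functions over data you can collect from the machine, so
they can run as a post-infection audit. Assumptions: the hotfix list is the
output of `wmic qfe get HotFixID` (a constructed copy is embedded), AutoPlay
is judged by the NoDriveTypeAutoRun policy value, and the weak-password
sample holds only the entries the article quotes, not the worm's full list.
"""
import platform
import subprocess

KB_MS08_067 = "KB958644"  # the update the article says closes the hole

# Constructed sample: only the weak-list entries the article names.
WEAK_PASSWORDS_SAMPLE = {"admin", "mypass", "test", "foo", "1111"}

# Constructed sample of `wmic qfe get HotFixID` output (header row plus IDs).
SAMPLE_QFE_OUTPUT = """HotFixID
KB951376
KB958644
KB958687
"""

# NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun on all.
NO_DRIVE_TYPE_AUTORUN_ALL = 0xFF
DRIVE_BITS = {0x01: "unknown", 0x02: "no root directory", 0x04: "removable",
              0x08: "fixed", 0x10: "network", 0x20: "CD-ROM",
              0x40: "RAM disk", 0x80: "reserved"}
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def is_weak_admin_password(password, weak_list=WEAK_PASSWORDS_SAMPLE, min_len=10):
    """Step 1: True if the password is on the weak list, short, or low-variety."""
    p = password.strip()
    if p.lower() in weak_list or len(p) < min_len:
        return True
    classes = sum([any(c.islower() for c in p), any(c.isupper() for c in p),
                   any(c.isdigit() for c in p), any(not c.isalnum() for c in p)])
    return classes < 3  # assumption: require at least three character classes


def hotfix_installed(qfe_output, kb_id=KB_MS08_067):
    """Step 2: parse `wmic qfe get HotFixID` output and look for the KB number."""
    lines = [l.strip().upper() for l in qfe_output.splitlines()]
    ids = {l for l in lines[1:] if l.startswith("KB")}  # skip the header row
    return kb_id.upper() in ids


def autoplay_blocked_drives(policy_value):
    """Step 4: drive types on which a NoDriveTypeAutoRun value disables AutoRun."""
    return [name for bit, name in sorted(DRIVE_BITS.items()) if policy_value & bit]


def autoplay_disabled_everywhere(policy_value):
    """True only when all drive-type bits (0xFF) are set."""
    return policy_value & NO_DRIVE_TYPE_AUTORUN_ALL == NO_DRIVE_TYPE_AUTORUN_ALL


def read_live_state():
    """On Windows, fetch the real hotfix list and policy value; None elsewhere.

    HKLM is consulted before HKCU because a machine policy overrides the user
    one. A missing value is reported as 0 (no policy set).
    """
    if platform.system() != "Windows":
        return None
    import winreg  # only importable on Windows
    qfe = subprocess.run(["wmic", "qfe", "get", "HotFixID"],
                         capture_output=True, text=True).stdout
    value = 0
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            break
        except OSError:
            continue
    return qfe, value


def audit(password, qfe_output, policy_value):
    """Combine the three checks into one report dict."""
    return {
        "weak_admin_password": is_weak_admin_password(password),
        "ms08_067_installed": hotfix_installed(qfe_output),
        "autoplay_disabled": autoplay_disabled_everywhere(policy_value),
        "autoplay_blocked_on": autoplay_blocked_drives(policy_value),
    }


if __name__ == "__main__":
    live = read_live_state()
    # Off Windows, fall back to the constructed sample output and a constructed
    # policy value (0x91) so the report still demonstrates each check.
    qfe, policy = live if live else (SAMPLE_QFE_OUTPUT, 0x91)
    for name, result in audit("mypass", qfe, policy).items():
        print(f"{name}: {result}")
```

The password check deliberately rejects anything on the list even when it is long, because the worm tries the list before it tries anything clever; the AutoPlay check reports the exact drive types still covered, since a partial policy value that leaves removable drives enabled is the case Figure 2 warns about.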

Woody Leonhard’s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.

 
Wacky Web Week

The Force is not strong with this one

By Katy Abby

Everyone’s tastes in cinema are different, but there are just some films that we, as members of society at large, are expected to have seen. The Star Wars epic is among the ranks of these esteemed classics. Few and far between are the folks who haven’t joined Luke Skywalker and friends on their intergalactic quest to defeat the Dark Side.

Every once in a while, however, you come across someone who just hasn’t gotten around to it. Watch as one woman presents her hilarious, if uninformed, interpretation of George Lucas’ extraterrestrial epic. (Warning: hard-core Star Wars geeks may need to avert their eyes.) Play the video


 
LangaList Plus

Fix the dreaded ‘Run DLL as an App’ error

By Fred Langa

When rundll32.exe gives up the ghost, your PC may refuse to install or remove programs.

Find out what causes rundll32.exe errors and learn some easy ways to fix the problem.


‘Run DLL as an App’ error kills Control Panel

I’m a fan of the Windows operating system; no single piece of software has done more to bring the power of small computers to the masses. But even the most fervent Windows aficionado has to admit that parts of the OS are not exactly shining examples of the programmer’s art.

A Windows Secrets reader named Alvaro ran into one of Windows’ uglier sides:

  • “I have a question for which I have not been able to find an answer. Have Googled it and followed some of the suggestions, but I just cannot find a solution. I use XP. I have lived with this problem for over three months and do not remember how it originated.

    “The problem is that I cannot add or remove programs because I receive an error message about ‘Run DLL as an App,’ and the only option is to close the window. I can’t find a way to solve the problem.”

Hoo boy, Alvaro. The “Run a DLL as an App” problem doesn’t happen very often, but when it does, it can be a royal pain. Fortunately, there are several troubleshooting methods that get things working again with a minimum amount of hassle.

First, a quick aside: if you need add/remove functionality right away while your Control Panel is broken, tools such as Piriform’s free CCleaner (download page) and jv16 Power Tools from Macecraft Software (download page) have enhanced add/remove functions that don’t depend on Control Panel at all. Using tools such as these won’t fix the broken Control Panel, but it will return your ability to add or remove programs in the meantime.



 
Best Software

Sites let you fix photos for free from anywhere

By Scott Dunn

You may not need a disk-hogging image-editing app to repair your less-than-perfect photos.

If you’re willing to trade a little performance and a lot of features for the convenience of free Web services, you can retouch photos right in your browser.


A new crop of image-editing services brings us one step closer to first-rate photo retouching with no PC software required beyond a browser.

Granted, today’s Web-based photo-editing services can’t offer anywhere near the range of features you’ll find in a product such as Adobe Photoshop, or even in that program’s less-expensive sibling, Photoshop Elements. But these sites offer some unique capabilities of their own. For example, if you’re away from your computer but need to touch up a few photos while on the road, an image-editing service may be just the ticket.

A lot of these sites offer silly effects and special services that are more entertaining than useful, unless you really need your photo on a coffee mug. I set out to find the most practical tools and test them with such everyday image-editing tasks as cropping, straightening, and tonal adjustment.

The interfaces of the services I looked at fall into two categories:



 
Perimeter Scan

How you can end a rootkit infection (as I had to)

By Ryan Russell

Over the holidays, I picked up the nastiest kind of malware infection you can get on your Windows PC: a rootkit.

Getting rid of the varmint required quite a bit of digging, plenty of scanning, and about a half-dozen reboots.


Teenage curiosity leads to rootkit infestation

Not long ago, I saw a new icon named Spyware Doctor in the notification area (formerly known as the system tray) on the family XP SP3 machine. It turned out to be a legitimate anti-malware program, but I hadn’t put it there. This machine is used almost exclusively by the kids, and I hadn’t sat in front of it for a couple of weeks.

When I checked the Program Files directory, I immediately saw some folders that looked suspicious. I matched the date and time on the folders with what else had happened on the computer at that time. It didn’t take long to figure out that my 18-year-old son had been cruising some non-household-approved sites and clicked Yes when he shouldn’t have. Busted.

My son knows how to clear a browser’s history but isn’t yet wise to cookie files and other Web cruft that may spill out of a browser. If you know the date of an event on your machine, you can use the Advanced option under Search to find a list of files created or modified on that date. The cookies you’ll find using this method are named after the sites that placed them and are usually self-explanatory.

So far, I’m the only computer geek in the family. I’ve got a few years before any of my brood will be able to beat me at hide-and-seek on my own machine. After laying the appropriate guilt trip on my son, I arranged to do a proper cleanup job. That’s where things started getting really hairy.

When it comes to malware, freshness counts

The big problem with malware removal is that the process is often an arms race between your security software and the virus: whichever is more recent wins. A new piece of malware can deactivate your security software, but once the software has been updated to recognize and neutralize the virus, the threat disappears — at least in its current mutation.



YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
  • Visit our Unsubscribe page.
Copyright © 2012 by WindowsSecrets.com. All rights reserved.
