
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-10-27



Issues with MS04-032 patch / Phishings, Spams and Virus story

Published: 2004-10-27
Last Updated: 2004-10-28 00:40:29 UTC
by Pedro Bueno (Version: 1)
Issues with MS04-032 patch


We received a report of problems after installing the Security Update for Microsoft Windows (840987), released by Microsoft on October 12 under Microsoft Security Bulletin MS04-032, on Windows 2000 workstations.

According to the user, after the MS04-032 patch is installed, 16-bit applications stop working properly. He also found that some services were dying for no apparent reason.

As a workaround to get his applications working again, he took the following steps:


- For WIN2K, log in as local administrator. The local administrator is best for this; not a domain admin who has local admin privileges.

- Uninstall MS04-032 (KB840987) from the system. Allow it to reboot immediately.

- After reboot, log back in as local administrator. This will allow the uninstall to finish.

- We have encountered problems if the second login is not completed by a local administrator.

- Test the 16-bit apps and/or print functions, all should be good.

- Reboot one last time.



We would like to hear whether you have had similar problems and whether you found workarounds for them.


Another Follow-up on how to identify "normal" processes on Windows


A user also sent a site to add as a reference to Lorna's diary ( http://isc.sans.org/diary.php?date=2004-10-24 ). The site is Process Library, at http://www.processlibrary.com/ .



Phishings, Spams and Virus

I am sure that you are all tired of hearing about phishing and its dangers, but I would like to tell one more story. Today I received a phishing spam from a well-known online greeting cards website. This one was really well crafted: every link pointed to the real website, and there were two links really close to each other. The first one was "click here to see your card" and the other was "or click here to enter the website and put your card reference code". The first one was a link to download a password stealer targeting some Brazilian banks, which is detected by only 4 in 10 AV vendors, according to VirusTotal. Which is really not good...

As an FYI, in its packed form it was detected by only 2 in 10, in its zipped form by 2 in 10, and finally, in its .exe form, by 4 in 10...


-----------------------------------------------------------------

Handler on Duty: Pedro Bueno ( pbueno /AT/ isc.sans.org )