RE: CR II - winME? confirmation?

From: Petruzel, Oliver (
Date: 08/06/01

Message-ID: <215B2C5D5818D411A5EE00805FC14FBB59F9FD@AEGIS-ONE>
From: "Petruzel, Oliver" <>
To: "''" <>,
Subject: RE: CR II - winME? confirmation?
Date: Mon, 6 Aug 2001 12:53:07 -0400 

Just so we're clear here, this wasnt ME who reported this to SNP, i just
stumbled across it! I was simply curious. The anonymous poster of this
seems to see "outgoing" tcp traffic in large volumes on his WinME box. He
differentiates between the original CR incoming and his current outgoing.

it was so odd that i thought I would ask if it was happening in more than
one location.
didnt think so tho...


ps: as for Gibson's XP objections, i believe his entire point revolves
around Raw Sockets becoming available for HOME users. they were already
accessable in win2k, and any 3rd-party hacked up 9x/NT box, but the threat
was LOW because the "population" of such boxes facing the internet was low,
WHEN COMPARED to the hundreds of millions who may end up running XP.

Think about this: A worm like CR which spoofs it's IP -AND- floods
every month for 10 days with spoofed SYN ACK's... or worse. Just think
about the @home network becoming 100% saturated with infected machines
because, unlike CR which requires NT/2k w/IIS, the new variant will work
against XP which joe schmoe just got at best buy on his new toy!!... you
see, for now, it's only been servers to worry about. Now, ALL home systems
will be just as vulnerable.

> -----Original Message-----
> From: []
> Sent: Monday, August 06, 2001 12:08 PM
> To:;
> Subject: RE: CR II - winME? confirmation?
> Oliver,
> This is a standard attack pattern from the worm. Check your
> system for
> either the ida.dll or the idq.dll. If you do not have either
> of these dll
> files then do not worry about it. Plus, you need to have
> Internet service
> running on your box. I have not seen anyone who has been
> infected by this
> worm
> using a Windows 9x or ME machines. I do not have these
> services running and
> I have
> recieved 306 attacks in 22 hours from the worm on my *nix firewall.
> Steve Gibson's theory is not as scary as it seems. *nix has
> been using raw
> sockets for years. The real issue here, is never place a
> windows machine
> directly on the Internet without maintaining it properly. I
> would place
> a good hardened firewall in front of any Microsoft machine
> before connecting
> to the Internet.
> Greg
> PS- What does not make sense in the article
> -----Original Message-----
> From: Petruzel, Oliver []
> Sent: Monday, August 06, 2001 8:01 AM
> To:
> Subject: CR II - winME? confirmation?
> ok, this makes no sense, and ive only see it one place:
> I'm just wondering if this is popping up anywhere else. If
> it is, then it
> cant be CR2 as we know it, and it opens up a can of worms
> that is scary.
> Similar even, to Steve Gibson's prediction that a consumer
> based OS with a
> big hole would do serious damage.
> but again, since IIS is CR, then this was either a big fat
> anaonymous lie,
> or something different. Anyone seen any discussion on this?
> -o.p.