Re: Microsoft "Messenger Service"

From: hector (nospam@nospam.com)
Date: 09/25/02


From: "hector" <nospam@nospam.com>
Date: Wed, 25 Sep 2002 15:17:44 -0400

I was the original poster on this thread:

I have since then done all sorts of things to isolate my machine. I have not
had it happen again since the original post. I'm a developer and I'm very
careful with things. I don't play e-games. I don't download anything I am
aware about. The only thing not in my control is Microsoft's software, in
particular Outlook and OE. On that original day it happened to me, I did
the following:

1) I was working from HOME on my Windows 2000/PRO machine. It is connected
via ADSL.

2) It looked like a NET SEND command which, if I remember my netbios
programming days, is a NETBIOS functionality, which means I must have had
one of the Microsoft netbeui ports open. I don't. To confirm this, I
connected to my office machine via PCAnyWhere and issued a NET SEND to my
home machine IP. It could not find the machine. I don't believe you can
use NET SEND if the proper Microsoft ports 135-137 are not open. Maybe
others can confirm this.

3) So I figured that somehow, this was done via maybe a hole/backdoor with an
HTML message I was reading in Outlook or something. However, this couldn't
be it because quite simply I wasn't reading such a message. I was writing a
message. So I figure it was maybe something already installed on my
machine.

4) Since this is my home machine, my girls did use to use Yahoo or MSN chat
stuff a few months back. They don't any more, but I checked some
installation logs and found some MSN CHAT install problem. I removed all
the ActiveX objects from IE. I removed/uninstalled all programs I was not
familiar with. I turned off any NT service I was not using, including
Messenger Service and some others that open some ports on my machine.

5) I then did some Google research using "NET SEND" and "VIRUS" as keywords
and I found there was a recent Windows Security Flaw report AKA "Shatter"
as it was named by the founder of the flaw. It explains how there is a
fundamental flaw in Windows that Microsoft has since acknowledged. It
specifically illustrates how "NET SEND" can be used from a DESKTOP
application.

I was very busy and I didn't follow all the details of this report, but I
assumed this was the only explanation for it.

The url for this shatter report is:
http://security.tombom.co.uk/shatter.html

The Microsoft response to this report:
http://www.microsoft.com/technet/security/topics/htshat.asp

See ya

Hector

----

"Johnny Qwest" <nobody@nowhere.com> wrote in message
news:4jtsous9tmkgs3s22cm01o968lbkb3p2b8@4ax.com...
> On Thu, 12 Sep 2002 17:57:32 -0400, "yams" <Ihate@spammers.com> wrote:
>
> >I believe I only had OutLook Express running writing a message when all of a
> >sudden I got a "Messenger Service" popup message from an Internet Marketing
> >spam site.
> >
> >This blew me away! I am usually very careful and don't install anything I
> >don't need. I don't use ICQ, MSN or none of that crap. This is on my home
> >ADSL account.
> >
> >How did this occur?
>
> More than likely they used the "net send" command and directed the
> spam to your domain. I've seen it happen three times in the last two
> weeks. Most recently on Friday the 20th.
>
> It would be nice to know for sure how it was done though. If anybody
> has any Ideas...
>


