
Thread: New WinXP Hotfix pack -rel. 15th Oct 2003 (post Sp1)

  1. #1
    bledd

    Lightbulb New WinXP Hotfix pack -rel. 15th Oct 2003 (post Sp1)


  2. #2
    Registered User
    BE CAREFUL WITH THIS

    I checked this out myself the other day, (I did not install it) since then, I have been receiving up to 5 e-mails a day from "Microsoft" with a worm attached to it called W32.Swen.A@mm

    Be very wary about this! I seriously question how genuine this is, especially when Microsoft themselves were compromised with viruses in their system

    If anyone has any further information regarding this, would be greatly appreciated

  3. #3
    Senior Member
    Hmm.

    Sticking '826939' in ms.com search box doesn't come up with anything - though that search box recently has to start ranking as one of the all time most annoyingly useless input fields of all time. Advanced searches don't help either.

    Ok sticking 826939 in this valid KB search box on MS's site validates the article's authenticity = here

  4. #4
    Registered User
    Yes, I understand the so-called "Authenticity" of the actual web page, but since, like I said earlier, that Microsoft was recently (to my understanding anyway) compromised, how can this be truly seen as genuine.

    On the front that I started to receive e-mails with a worm attached to it, I know this is suspicious, as the first occasion on receiving these e-mails, the date & time stamp on my e-mails matched with the time I was actually on the site

    I have since had to block these e-mails, as they don't stop coming, at least 5 a day

  5. #5
    Member
    if you keep getting the emails then you probably have a malware virus yourself. so every time you get an email you will receive lots back..

  6. #6
    Member
    Even M$ could be distributing viruses unknowingly... whatever next!!!

  7. #7
    Registered User
    tell me a bit about the malware virus.

    I have never yet to date had a virus get past my anti-virus, but that's not to say it isn't possible

  8. #8
    Senior Member joshwa
    this should be in the software forum

  9. #9
    Administrator Moby-Dick
    and it will be
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  10. #10
    Administrator Moby-Dick
    Originally posted by Ricbec
    Yes, I understand the so-called "Authenticity" of the actual web page, but since, like I said earlier, that Microsoft was recently (to my understanding anyway) compromised, how can this be truly seen as genuine.

    On the front that I started to receive e-mails with a worm attached to it, I know this is suspicious, as the first occasion on receiving these e-mails, the date & time stamp on my e-mails matched with the time I was actually on the site

    I have since had to block these e-mails, as they don't stop coming, at least 5 a day
    Your understanding is flawed m'afraid. Microsoft was not compromised. The Swen Virii (and its derivatives) are merely very well crafted spoof mails that "appear" to come from Microsoft.


    What you have to remember is (and I've said it before)

    Microsoft do not email any patches out at all......ever


    They have recently started doing a monthly security roundup, but that is usually announced on support.microsoft.com


    more info here:

    http://www.theregister.co.uk/content/55/33428.html

    remember, it's good to be paranoid, but only a little bit

  11. #11
    Registered User
    It's a shame I can't attach files here, I'd show you the e-mail "supposedly" from Microsoft, with the virus removed of course!

    I am not saying that Microsoft are doing this themselves, merely unfriendly people are able to do this to people, merely from viewing the Microsoft web pages, I am very sure that Microsoft was compromised, which is why recently people were not able to view their sites, as I was unable to myself, I wasn't even expecting to be able to get onto the site when I did!, but anyway, I'm not going to argue this forever, cause there will always be someone to argue the case.

    I have cut & pasted the e-mail here, unfortunately I cannot provide all the colours and such so it looks like the original e-mail, but you get the idea of what it had to say, and the above-mentioned worm has been attached to all of these that I have received

    P.S, sorry this isn't in the software area, but I didn't start it!
    ----- Original Message -----
    From: MS Security Support
    To: MS Corporation Customer
    Sent: Monday, October 13, 2003 10:15 PM
    Subject: Patch


    Microsoft All Products | Support | Search | Microsoft.com Guide
    Microsoft Home


    Microsoft Customer

    this is the latest version of security update, the "October 2003, Cumulative Patch" update which resolves all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three new vulnerabilities. Install now to help maintain the security of your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer. This update includes the functionality of all previously released patches.


    System requirements Windows 95/98/Me/2000/NT/XP
    This update applies to MS Internet Explorer, version 4.01 and later
    MS Outlook, version 8.00 and later
    MS Outlook Express, version 4.01 and later
    Recommendation Customers should install the patch at the earliest opportunity.
    How to install Run attached file. Choose Yes on displayed dialog box.
    How to use You don't need to do anything after installing this item.

    Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site, or Contact Us.

    Thank you for using Microsoft products.

    Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.

    --------------------------------------------------------------------------------
    The names of the actual companies and products mentioned herein are the trademarks of their respective owners.

    Contact Us | Legal | TRUSTe
    ©2003 Microsoft Corporation. All rights reserved. Terms of Use | Privacy Statement | Accessibility
    Last edited by Ricbec; 19-10-2003 at 12:00 PM.

  12. #12
    Administrator Moby-Dick
    Originally posted by Ricbec
    It's a shame I can't attach files here, I'd show you the e-mail "supposedly" from Microsoft, with the virus removed of course!

    I am not saying that Microsoft are doing this themselves, merely unfriendly people are able to do this to people, merely from viewing the Microsoft web pages, I am very sure that Microsoft was compromised, which is why recently people were not able to view their sites, as I was unable to myself, I wasn't even expecting to be able to get onto the site when I did!, but anyway, I'm not going to argue this forever, cause there will always be someone to argue the case.

    I have cut & pasted the e-mail here, unfortunately I cannot provide all the colours and such so it looks like the original e-mail, but you get the idea of what it had to say, and the above-mentioned worm has been attached to all of these that I have received

    P.S, sorry this isn't in the software area, but I didn't start it!
    <snip>

    ok lets start at the beginning.

    read this :
    http://securityresponse.symantec.com...swen.a@mm.html

    it will give you the full down on the Swen worm. This isn't 2nd hand info - or what you heard from someone at work who is "into computers". This is hard fact from AV vendors of what the virus is and exactly what it does.

    Spoofing an email address is not difficult to do. I can send mail out to any address from any address (although a quick glance at the mail headers would prove that it didn't come from me)

    merely from viewing the microsoft web pages
    you've got your knickers in a twist here. There is a vulnerability in unpatched versions of Outlook Express that could allow execution of malicious code


    from the symantec website
    This worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at: http://www.microsoft.com/technet/sec...n/MS01-020.asp

    this was addressed in 2001 - if you haven't applied any security fixes for 2 years, then you deserve to be vulnerable!

    I am very sure that microsoft was compromised, which is why recently people were not able to view their sites, as i was unable to myself
    Yes, the Microsoft Windows Update webservers recently came under a large DoS (Denial of Service) attack that was a result of the Blaster32 worm, nothing to do with Swen.

    The Swen worm was unusual in that it would have been convincing enough to an average user (remember when you think how daft the average computer is, remember that 50% of them are more daft than that!).

    This is why I personally notified all of my clients as soon as I was aware of this worm (about a month ago) to be aware of it.

    If your AV software picks it up then you have nothing to worry about. The problem comes in that critical time between virus release into the wild and the A/V definitions being released (and a successful update of them)


    Sorry if I've come across as a little harsh, but I think that confused misinformation is worse than no information at all. I will always try to spread the word on such critical issues as soon as I can.

    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net
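
Added example, not part of the thread or any poster's code: the "quick glance at the mail headers" from post #12, done in Python on a constructed message shaped like the spoofed patch mail quoted in post #11. The hosts, addresses, IPs, the `vendor.example` sender domain and the helper names `domain_of` and `audit` are all assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message: every host, address and IP below is invented.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby mailbox.isp.example; Mon, 13 Oct 2003 22:15:40 +0100
Received: from unknown (dialup-77.example.net [198.51.100.77])
\tby mx.isp.example; Mon, 13 Oct 2003 22:15:31 +0100
From: "MS Security Support" <security@vendor.example>
Subject: Patch
Content-Type: multipart/mixed; boundary="b1"

--b1

Run attached file. Choose Yes on displayed dialog box.
--b1
Content-Disposition: attachment; filename="patch.exe"

(binary removed)
--b1--
"""

RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
HOP = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([0-9.]+)\]\)\s+by\s+([^\s;]+)")

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def audit(raw, trusted_mx):
    """Return findings that contradict the sender claimed in From:."""
    msg = email.message_from_string(raw)
    claimed = domain_of(msg["From"])
    findings = []
    if domain_of(msg["Return-Path"]) != claimed:
        findings.append("return-path-mismatch")
    # Only the hop recorded by our own MX is trustworthy; older ones can be forged.
    for hop in msg.get_all("Received", []):
        m = HOP.search(hop)
        if m and m.group(3).lower() == trusted_mx:
            rdns = m.group(1).lower()
            if rdns != claimed and not rdns.endswith("." + claimed):
                findings.append("relay-not-in-claimed-domain:" + m.group(2))
            break
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            findings.append("executable-attachment:" + part.get_filename())
    return findings
```

Calling `audit(RAW, "mx.isp.example")` flags all three signals for the sample: the envelope sender, the connecting relay recorded by the receiving MX, and the attachment type each disagree with what the `From:` line claims.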

  13. #13
    Comfortably Numb directhex
    is the rollup on general release yet? did a fresh install yesterday & it seemed absent - unless it was the second download the SP1 installer did after the main 30mb bulk...

    i know about the rollup, i run an SUS mirror so i see all the latest patches as soon as they appear...

    --jo

  14. #14
    Administrator Moby-Dick
    ditto SUS is great !

  15. #15
    Comfortably Numb directhex
    it'd be nice if they made it more obvious how to set clients to use SUS rather than the regular mirror...

    had to read the entire deployment guide to find it...

  16. #16
    Administrator Moby-Dick
    just a GPO setting for the domain
