Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: DNS/Hosts file issues - Update #2
From: Russ (Russ.CooperRC.ON.CA)
Date: Thu Oct 02 2003 - 10:41:38 CDT
I have been trying to bring together all of the information we have received and discovered, time for another update.
1. This issue is not resolved by MS03-032. We hope it will be resolved in the next IE cumulative update. No release date for this is currently available, but we have reason to believe it should be soon. I've been informed that it has been tested by 3rd parties and found to fix the issue.
2. As of this morning (at least), both the FortuneCity.com URL which initiated the attack and the EV1.NET IP address which delivered the malcode have been taken down. The URLs were;
Systems with a FortuneCity.com cookie should be investigated closely. I have had reports of individuals who had visited FortuneCity.com to view their friend's baby pictures and received the above mentioned banner (thanks Shannon.)
3. I've had reports of the dropped hosts file in both %systemroot%\system32\drivers\etc, the normal location, and in %systemroot%\help. You should check both, and check the registry key the OS uses to determine where the file is (see my previous message.)
4. Despite what CERT suggests in www.cert.org/incident_notes/IN-2003-04.html, disabling ActiveX controls does nothing to prevent this.
5. Applying the Outlook Email Security Update or using Outlook XP/2002 or Outlook Express 6.0 works, but there hasn't been an email vector (yet.)
6. Maintaining updated Anti-Virus is only as good as the AV, and didn't help the hundreds (if not more) of systems which were reported affected to me.
7. Disabling the application/hta MIME type is effective;
(note the space in Content Type)
Save the hive to disk and then delete, or, just delete.
8. FYI.. NAI says Qhosts-1 requires 4297 (8 Oct 2003) to detect, but 4296 (1 Oct 2003) picks it up (thanks Geoff)
9. Shannon McCracken sent this link, http://www.nsclean.com/htastop.html, it purports to stop anything from using MSHTA. I have not tested this app.
Russ - NTBugtraq Editor
Wondering as to whether the list is running? The NTBugtraq archives are
updated first before messages are emailed to subscribers. Check the
archives first to see if you have missed any messages;