- Sign-up Now!
 - Current Issue
 - Edit Your Profile/Unsubscribe

Subscribe | Media Kit | About Us | All Issues | Subscriber Feedback | Contact Us | Privacy Statement
Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, Sep 20, 2001 (Vol. 6, #72 - Issue #307)
And Here Is Another Worm...
  This issue of W2Knews™ contains:
    • And Here Is Another Worm...
    • New "Warhol Worm" Has Black Hats Drooling
    • End Of 2002: 73 Million WXP Users
    • New Security Tool: Event Archiver
    • New Hotfix Checker By Shavlik and MS
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • SUPER SPECIAL ~ Hacking Exposed - Windows 2000!
  SPONSOR: Intermedia.NET
Intermedia.NET is now offering Microsoft Exchange Hosting at extremely
competitive rates.
This great accessibility application enables its
users to retrieve e-mails and contact lists from anywhere in the world.
It also includes efficiency tools like file and calendar sharing. Your
company can now utilize this advantageous solution quickly and affordably.
If you have 10 or more employees and would profit from
remote file access, please click here for more information:
Visit Intermedia.NET for more information.

And Here Is Another Worm...

Released exactly one week after the attack on New York, this critter poses another problem: Internet and server slowdowns. I suggest you take this particular Nimda worm serious and continue to harden your machines against it. I have some links on how to fix and prevent it, and since this is important, I'm going to keep this column very short. Also, check out both of the new tools we're announcing in the Third Party News section. Good luck!

Warm regards,

Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: Want To Contribute To W2Knews?
Amazon Honor System Click Here to Pay Learn More
Visit Want To Contribute To W2Knews? for more information.

New "Warhol Worm" Has Black Hats Drooling

I'm talking about the new Nimda worm of course (this is Admin spelled backward and for good reason). Why Warhol? It's spreading so fast that it has "fame" in 15 minutes. It's way more efficient and aggressive than Code Red. Just as an example, one of our machines in a remote office had 1500 hits in just 6 hours. It uses a series of known vulnerabilities and both desktops and servers as its vectors. It borrows heavily from other earlier worms and is truly a Swiss Army knife in the world of worms. Every windows environment is vulnerable.

One nasty little habit is that this version moves the Guest account into the administrators group and enables it. Now you may think that this worm itself is the danger, but right now there are crackers running Perl scripts for compromised boxes and uploading things like Netcat into them with the result they fully own these boxes. Next are of course the Denial of Service attacks using those owned machines as zombies. Sigh.

We got a hit last night from one of these infected machines, and just for giggles we mapped a network drive to their c$. Voila. It was wide open under the guest account with full admin privs. Obviously we did no damage or took further action but THAT is scary. You can recognize infected PC's by the presence of a file named "load.exe" in the Windows system directory. Symantec has a good description on their website (many other virus outfits have too, but I liked this one).

And again, since this critter also attacks your web servers and IIS, we think that SecureIIS rocks. Looking at the logs this morning it blocked tons of attempts on our web servers from the Nimda worm.

For Exchange users, we recommend Sybari's Antigen which again scored high marks in this fight with its file filtering tech. They are Target Award winners for both their product and their tech support.

And here is the MS perspective with hints on fixing and preventing it:


End Of 2002: 73 Million WXP Users

A massive migration to WXP is not in the charts, but new PC's will be equipped with it, and IDC expects at the end of next year that XP is going to have 73M users. By that time XP will make up 63% of all Windows licenses sold.

Well, my take is that it may not go that fast. Not too many consumers are going to go through the hassle of upgrading. Most will wait until they buy a new PC with the whole thing pre-installed. And not too many consumers are going to shell out money for new PC's in the current climate. Of course XP is going to kick out Win 9x and WinME sales, and MS will do it's darnedest to replace W2K Pro as well.

IDC says that PC makers will quickly move to make XP the only available option on consumer machines, thanks to its increased reliability and security. That is already happening. I got reports that some one tried to order a machine with W2K Pro preinstalled, and that flavor was simply not available anymore. Ouch.

XP is not expected to create a surge in total client operating environment shipments. The complete WXP family consists of the following three products - Windows XP Professional, Windows XP Home, and Windows XP 64-Bit Edition. The "Professional" and "Home" versions of the product represent the first time that MS has made a distinction between consumer use and business use.

This allows them more control over its customer base, product positioning, and pricing. It's an interesting idea that consumers can now get their hands on a product that cost literally billions of dollars to develop for less than a hundred bucks. Source: IDC at


New Security Tool: Event Archiver

Are you required to centrally log and store events for security audit purposes? Event Archiver is a powerful but very low cost tool that provides a great solution.

Use simple, custom built wizards to unify computer audit policies, log sizes, and rapidly deploy a log collection solution among multiple computers in many different domains

What does Event Archiver do?

Event Archiver does exactly what its name suggests - archive event logs, meaning it automatically clears event logs from Windows NT/2000/XP servers and workstations and stores them in EVT format, comma-delimited text, Access or ODBC databases. In addition, it can move flat files to central network shares AND place entries into databases for redundancy and custom analysis.

Event Archiver addresses one specific need that no other tool in the market focuses on - the automatic clearing and storing of these event logs for future use. Manual clearing and storing of these logs is a job done by network administrators, so they are quick to see just how helpful Event Archiver can be to them.

More and more organizations (government and private companies) are making the preservation of these log files a security policy. In the event of a network intrusion, it is vital that these logs are maintained for accountability, especially when working with law enforcement and presenting evidence in court. Event Archiver collects in all major event log formats (including EVT) to make sure that if trouble occurs, historical data will be at the ready AND already in the correct format. Event Archiver is an affordable, easy plug-in solution.

So, is this affordable for even large networks? What is the licensing structure?

Event Archiver is licensed per server or workstation from which logs are being archived. We have great volume discounts for larger implementations - and these customers with larger networks are the very customers that stand to gain the most from implementing Event Archiver. Imagine the cost in hours of labor for just the manual clearing of event logs from hundreds of servers and thousands of additional workstations. Get your 30-day eval and pricing here:

New Hotfix Checker By Shavlik and MS

You are all aware that Microsoft recently released two free security tools, both in a bare-bones format. These tools were co-developed by Microsoft and MS Gold Partner Shavlik. The actual commercial versions (with many more features, extras and a GUI) are now available in a "suite" via Sunbelt Software.

The Shavlik AdminSuite combines three powerful tools - Network Security Hotfix Checker Pro, AccountInspector, and Password Inspector into one easy-to-use bundle. They are used worldwide by Microsoft internally. The Hotfix Checker utilizes an XML config file that is kept up-to-date by Microsoft staff practically in real-time.

This will ensure that when you use the Shavlik Hotfix checker, you have a very high degree of certainty your network actually has all the most recent patches, and applied in the right sequence. "The Shavlik and Microsoft teams have collaborated to create a strong security solution that will help our customers operate more securely," said Steve Lipner, Lead Program Manager, Microsoft Windows NT Security.

With this suite, you can conveniently monitor important security related settings and hotfix updates of your networks. It allows you to then take the necessary corrective actions.

The Network Security Hotfix Checker Pro (HFNetChkPro) tool is a browser-based and command line based tool set that you can use to assess a computer or selected group of computers for the presence or absence of security patches.

You can use HFNetChkPro to assess patch status for the Windows NT 4.0 and Windows 2000 operating systems, as well as hotfixes for IIS 4.0, IIS 5.0, SQL Server 7.0, and SQL Server 2000 (including MSDE), and Internet Explorer 5.01 or later.

Since HFNetChkPro accesses an XML datastore on Microsoft's website you are guaranteed the latest information.

AccountInspector scans all computers on your network for Critical Security Problems such as old, unauthorized accounts, hidden accounts, weak passwords, unwanted administrators (you have more than you think you do), old passwords and other useful information with a full, easy to use UI. Shavlik AccountInspector can scan over 10,000 computers at once. Scans done in seconds. Output can be created in Microsoft Excel format so users can easily create reports. Results can be emailed or archived from UI. Full on line help.

PasswordInspector lets you scan your network for weak passwords and receive advice along with being able to set strong passwords on local and remote systems. Use the interactive Password Wizard to create strong passwords on all your computers from one convenient location. Scan your network for weak passwords and receive advice along with being able to set strong passwords on local and remote systems. Use the interactive Password Wizard to create strong passwords on all your computers from one convenient location.

Check the Sunbelt website for product specs about this product, there are screenshots, FAQ, prices and an eval download:


This Week's Links We Like. Tips, Hints And Fun Stuff

  • Worms like the Nimda have been predicted for a while. Good article:
  • Interview with Don Beeler, CEO of NSI, maker of DR-tool Double-Take
  • Need a screen saver that just locks your mouse and keyboard but actively shows the Display? The W2K Reskit Supplement 1 has it

    SUPER SPECIAL ~ Hacking Exposed - Windows 2000!

    This book of the week is also a repeat. I'm now reading it and it's REAL GOOD. It's one of these books that you just GOTTA have. If you only buy one or two books a year, this is one of them. Remember how enthused I was about the original "Hacking Exposed"? Well, they have done it again, but now with an all-Windows 2000 focus. This is the end-all of hacking into your W2K servers. A must-read if you want to secure your networks and a 'Stu's Warmly Recommended!' It's a treasure trove of information no W2K sysadmin should be without.