From: "Digest" <ianatos2site dot com>
To: "OS/2GenAu Digest" <deadmail>
Date: Fri, 23 Nov 2001 01:00:00 +1100 (EDT)
Subject: [os2genau_digest] No. 211
Reply-To: <deadmail>

Date:- 23 November 2001

Please reply to ianatos2site dot com to post to the list.
The posting problem will be fixed in November;
this only affects people on the digest list.

1================================================

Date: Wed, 21 Nov 2001 23:16:29 +1030
From: Gregory Hicks <ghicksatihug dot com dot au>
Subject: [os2genau] [Fwd: [OT] Suspect XP transmissions. Yep they exist]

This is interesting... and scary

from the LinuxSA group

Nathan Millhouse wrote:

> Hi Wayne,
>
> While analysing the new features and settings of Windows XP RTM
> (build 2600) almost 2 months ago, it became apparent that logging into
> a Hotmail account with IE 6 resulted in remote execution of local
> tasks, and the modification of registry values.
>
> Windows Messenger comes installed as default with Windows XP and the
> only way to stop it from being run on login is to remove the relevant
> value in
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
>
> Upon logging into a Hotmail account while using IE 6, I discovered
> that directly after the page has finished loading, Windows Messenger
> is automatically restarted and that the process is attributed to the
> user who is logged in locally. Not only does this happen, but the
> registry string used to start Windows Messenger on login is also
> restored.
>
> This extremely unsavory behavior only occurs when using Internet
> Explorer, so it rules out the use of special cookies. I have never yet
> performed packet analysis but doing so may reveal some interesting results.
>
> This obscene invasion of user privacy also results in endless
> possibilities, some of which follow.
>
> 1. Could this be used to cause the remote execution of any program
> installed to a known default location?
>
> 2. Execution on login of trojaned software (infecting the system
> by another means) to perform key logging and obtain passwords or
> other user data.
>
> 3. Assuming that the reading of registry values is also permitted,
> this would allow the retrieval of software product keys and registered
> user names.
>
> 4. How long till the method is cracked and used by other websites?
> If modification or removal of existing keys is permitted, then by
> just visiting a website a computer may be rendered unbootable.
>
> Nathan Millhouse.
>
> Wayne Simes wrote:
> >
> > Hi
> >
> > I loaded XP a couple of days ago and first impressions were quite good. It
> > seemed a lot more stable than 95, 98 and NT 4. It is definitely a lot quicker
> > at loading programs, and general browsing of the web, the pages load a lot
> > faster. All in all I would consider myself to be a lot happier running XP
> > than I have been with 98 or NT 4.
> >
> > Until ..........
> >
> > I noticed a couple of hours ago that my machine, with XP, seems to be
> > communicating with the web continuously, well regularly I should say. I
> > have a linux box with an external modem as my gateway, and this workstation
> > connected to it via a small hub. Down the bottom right hand corner near the
> > clock is the network connection icon which lights up when data is being
> > transmitted. As I watch now, it is lighting up for about ten seconds
> > sending about 5 - 10 packets per second. I can also hear the hard drive
> > heads moving. Looking across the room at the modem, the transmit light is
> > almost continuously on, with the receive flashing on the rare occasion. The
> > strange thing is that I haven't used the web browser for about an hour, and
> > the e-mail program doesn't automatically check for mail, I don't run icq
> > and msn messenger is turned off. So without my consent XP is transmitting
> > something, oh yeah, unless it's in the terms and conditions, smart one
> > Microsoft.
> >
> > I disable the Network interface in XP and it stops, of course, when I turn
> > it back on again the transmissions start again.
> >
> > Call me paranoid, but this workstation is sending out something, somewhere
> > on the web.
> >
> > Does anyone know what's going on with XP other than the usual rumours ?
> >
> > At the time of writing this, I was made aware that I may have been infected
> > with the Nimda virus, I have only used this machine on the web for about 4
> > hours. My current virus scanner is Norton 2001, which I have been told
> > won't work with XP, apparently I need Norton 2002. For this reason I don't
> > have a virus scanner loaded. So much for XP's firewall doing the job.
> >
> > Does anyone know the registry keys to look at to verify if it is in fact
> > the Nimda virus ?
> >
> > Wayne
> >
> > --
> > LinuxSA WWW: http://www.linuxsa dot org dot au/  IRC: #linuxsa on irc.linux dot org dot au
> > To unsubscribe from the LinuxSA list:
> >   mail linuxsa-requestatlinuxsa dot org dot au with "unsubscribe" as the subject
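
One way to check the Run-value restoration described in the forwarded message, as an added example that is not part of the thread: capture `reg query` output for the Run key before and after the login and diff the value names. The snapshots, value names and paths below are constructed, and the four-space `reg query` layout is an assumption.

```python
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# A value line in `reg query` output: name, type and data separated by four
# spaces (assumed layout; value names may contain single spaces).
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

def parse_reg_query(text, key=RUN_KEY):
    """Return {value_name: (type, data)} for `key` from `reg query` output."""
    values, in_key = {}, False
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line = key header
            in_key = line.strip().lower() == key.lower()
            continue
        match = VALUE_LINE.match(line) if in_key else None
        if match:
            values[match["name"]] = (match["type"], match["data"])
    return values

def diff_run_values(before, after):
    """Compare two snapshots of the Run key and list what changed."""
    b, a = parse_reg_query(before), parse_reg_query(after)
    return {
        "added": sorted(a.keys() - b.keys()),
        "removed": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

# Constructed snapshots (hypothetical value names and paths), as captured with
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
BEFORE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\ExampleTray\tray.exe
"""
AFTER = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\ExampleTray\tray.exe
    ExampleMessenger    REG_SZ    "C:\Program Files\ExampleMessenger\msgr.exe" /background
"""

if __name__ == "__main__":
    for kind, names in diff_run_values(BEFORE, AFTER).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

An entry under "added" after the login, with no installer or user action in between, is the reappearance the message reports.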
