We had two days of the LAN being down this week with the Win32.Korgo.I
virus.
It has similar behaviour to the Sasser that we spent a whole day on
'fixing'. We had Microsoft Auto-updates turned off for some reason - MS04-011
patch would have stopped it, but it wasn't on all our machines.
It most likely got in via a laptop that was on the net while outside our
firewall and then brought it in.
We are updating all our laptops to XP and using its firewall - better than
nothing.

Any suggestions on good laptop policy regarding security - I know that might
seem a silly question, but we have been using NT4 and 2000 on our laptops
with good updated virus protection forever, long before I came here, even
though I knew the lack of a software firewall was a risk and brought the
issue up a few times.
--

Regards,

Slarty Bartfast

Re: Korgo Virus by JaR

JaR
Wed Jun 23 18:15:19 CDT 2004

Slarty Bartfast wrote:
>
> Any suggestions on good laptop policy regarding security - I know that might
> seem a silly question, but we have been using NT4 and 2000 on our laptops
> with good updated virus protection forever, long before I came here, even
> though I knew the lack of a software firewall was a risk and brought the
> issue up a few times.
>

Sure, make certain the disk drives, modem and network cards are removed
before leaving the site.

Seriously, all you can do is make sure they've got a good software
firewall operational, and that the luse^H^H^H^Hemployee has been beaten
about the head and shoulders with a clue-stick until a reasonable amount
has penetrated.

But when all is said and done, it's kinda like giving the kid the keys
to the family car on a friday night. You hope and pray that he/she has
enough sense not to get careless and pile it up, but they're gonna do it
anyway.

JaR
Cynical Thug

Re: Korgo Virus by Neil

Neil
Wed Jun 23 20:13:52 CDT 2004

JaR <plentespam@nospamsofthome.net> wrote in news:uJMIzfXWEHA.712
@TK2MSFTNGP11.phx.gbl:

> But when all is said and done, it's kinda like giving the kid the keys
> to the family car on a friday night. You hope and pray that he/she has
> enough sense not to get careless and pile it up, but they're gonna do it
> anyway.
>

LMHO! this isn't just laptop lusers. Our corp was forced to open up
access to the desktop for a "mission critical" (*cough*) application. Now
I hope and pray that the gentle creatures that roam my domain will avert
their eyes from the happy smiling offer of 5000 smiley faces for free or
some such. they never do. and not long after we are running spybot
s&d/adaware (not part of standard image) or reimaging the box.

I'm sure they are also distracted by anything shiny...

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by Neil

Neil
Wed Jun 23 20:20:53 CDT 2004

"Slarty Bartfast" <Slarty@Bartfast.com> wrote in news:#d9WVRXWEHA.1128
@TK2MSFTNGP10.phx.gbl:

> Any suggestions on good laptop policy regarding security

I guess "don't let them have one" is out of the question. too bad.

If we give out a laptop we also find out if the user has high speed
access at home. if they do we break open the piggy bank and buy them a
cheap Linksys firewall. helps a little. if you have AD you should also
consider SUS (or is it WUS now) and setting a bunch of GPO settings.

that being said we do all this and still managed to get a new flavour of
GOABOT recently that we had to work with Symantec on as it was new to
them and not in the most recent def...

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by fygar

fygar
Thu Jun 24 08:43:42 CDT 2004

On Thu, 24 Jun 2004 08:50:34 +1000, "Slarty Bartfast"
<Slarty@Bartfast.com> wrote:

>We had two days of the LAN being down this week with the Win32.Korgo.I
>virus.
>It has similar behaviour to the Sasser that we spent a whole day on
>'fixing'. We had Microsoft Auto-updates turned off for some reason - MS04-011
>patch would have stopped it, but it wasn't on all our machines.
>It most likely got in via a laptop that was on the net while outside our
>firewall and then brought it in.
>We are updating all our laptops to XP and using its firewall - better than
>nothing.
>
>Any suggestions on good laptop policy regarding security - I know that might
>seem a silly question, but we have been using NT4 and 2000 on our laptops
>with good updated virus protection forever, long before I came here, even
>though I knew the lack of a software firewall was a risk and brought the
>issue up a few times.

Run MBSA to find all lagging machines.
Patch.
Set up SUS.
Set up a managed Antivirus.
Find a firewall product if not using XP.
Keep users out of Administrators group.
Keep users out of Administrators group.
Keep users out of Administrators group.
Keep users out of Administrators group.
***Do not give access to email w/o using VPN. (This forces the
occasional connection so the systems will check for updates)

Remove batteries and power cords

...butch
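The "keep users out of Administrators group" item in the checklist above is the one that is easiest to check mechanically. The following is an added example, not code from the thread: it parses the output of `net localgroup Administrators` (collected from each machine beforehand) and reports any member that is not on an approved list. The host names, the `CORP` domain, the group names and the sample output are all constructed for the example.

```python
"""Audit local Administrators membership from saved `net localgroup Administrators`
output, one capture per machine. All sample data below is constructed."""
from typing import Dict, List, Set

# Accounts a workstation's local Administrators group is allowed to contain.
# Windows account names are case-insensitive, so comparison is done in lower case.
# The CORP domain and group names are assumptions for this example.
APPROVED: Set[str] = {"administrator", "corp\\domain admins", "corp\\workstation admins"}

# Constructed captures shaped like `net localgroup Administrators` output on
# Windows 2000/XP. LAPTOP01 has an ordinary user added as a local admin.
SAMPLES: Dict[str, str] = {
    "LAPTOP01": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
The command completed successfully.
""",
    "LAPTOP02": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
The command completed successfully.
""",
}


def parse_members(output: str) -> List[str]:
    """Return the member names listed after the dashed separator line."""
    members: List[str] = []
    in_list = False
    for line in output.splitlines():
        stripped = line.strip()
        if not in_list:
            in_list = stripped.startswith("----")  # header ends at the dashes
            continue
        if not stripped or stripped.startswith("The command completed"):
            break  # end of the member list
        members.append(stripped)
    return members


def unapproved_admins(output: str, approved: Set[str] = APPROVED) -> List[str]:
    """Members of the parsed group that are not on the approved list."""
    return [m for m in parse_members(output) if m.lower() not in approved]


def audit(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Map host -> offending members, only for hosts that have any."""
    return {host: extra for host, text in samples.items()
            if (extra := unapproved_admins(text))}


if __name__ == "__main__":
    for host, extra in audit(SAMPLES).items():
        print(f"{host}: unapproved local Administrators: {', '.join(extra)}")
```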


Re: Korgo Virus by Neil

Neil
Thu Jun 24 08:49:34 CDT 2004

fygar <cpudoc10@hotmail.com> wrote in
news:16mld01kv2jhtt550c4at47l8c3v96kc4j@4ax.com:

> Keep users out of Administrators group.
> Keep users out of Administrators group.
> Keep users out of Administrators group.
> Keep users out of Administrators group.

Butch, you're stuttering...

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by Neil

Neil
Thu Jun 24 08:49:46 CDT 2004

fygar <cpudoc10@hotmail.com> wrote in
news:16mld01kv2jhtt550c4at47l8c3v96kc4j@4ax.com:

> Remove batteries and power cords

the best

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by fygar

fygar
Thu Jun 24 09:12:20 CDT 2004

On Thu, 24 Jun 2004 06:49:34 -0700, Neil <neilmcse@nospamforyou.com>
wrote:

>fygar <cpudoc10@hotmail.com> wrote in
>news:16mld01kv2jhtt550c4at47l8c3v96kc4j@4ax.com:
>
>> Keep users out of Administrators group.
>> Keep users out of Administrators group.
>> Keep users out of Administrators group.
>> Keep users out of Administrators group.
>
>Butch, you're stuttering...

I've seen people that are supposed to be our peers solve problems that
way so many times that I feel like a broken record every time I have
to deal with it.

I had a small company call me in because their regular consulting firm
couldn't get to this request for a few more days. They wanted a web
based application opened up to the Internet so their remote employees
could access it. Easy enough, I'll take a look. All the users were
domain admins and there were no passwords on the application (not AD
integrated). I backed away slowly and told them to call me when they
fixed the problems, otherwise I wasn't poking any holes in the
firewall.

These people are paying a lot of money to that consulting firm too.

....b


Re: Korgo Virus by Neil

Neil
Thu Jun 24 09:21:28 CDT 2004

fygar <cpudoc10@hotmail.com> wrote in
news:tmnld01u4o3v5jukhrr5qdm70isu9b8n2c@4ax.com:

> I backed away slowly and told them to call me when they
> fixed the problems, otherwise I wasn't poking any holes in the
> firewall.
>

*shudder*
mommy, that man over there is scaring me....

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by Vigo

Vigo
Thu Jun 24 10:25:51 CDT 2004

fygar <cpudoc10@hotmail.com> wrote in
news:tmnld01u4o3v5jukhrr5qdm70isu9b8n2c@4ax.com:

> I've seen people that are supposed to be our peers solve problems that
> way so many times that I feel like a broken record every time I have
> to deal with it.

Ah yes, like the time the Dot Communists insisted I had to change the
service account for a web application to an administrator level one, as it
absolutely wouldn't work otherwise - it wouldn't work because they had
hard-coded names of administrative shares into some of the file paths. Or
how I had to grant that same account SA privileges to the SQL Servers,
because it was "too confusing" to have to owner-qualify some table names...


--
http://www.vigo-alessi.com/images/products/1362.jpg

Re: Korgo Virus by Jtyc

Jtyc
Thu Jun 24 10:29:19 CDT 2004

> Ah yes, like the time the Dot Communists insisted I had to change the
> service account for a web application to an administrator level one, as it
> absolutely wouldn't work otherwise - it wouldn't work because they had
> hard-coded names of administrative shares into some of the file paths. Or
> how I had to grant that same account SA privileges to the SQL Servers,
> because it was "too confusing" to have to owner-qualify some table names...


My biggest headache day in day out is crappy programmers.



Re: Korgo Virus by billLASTINIT

billLASTINIT
Thu Jun 24 10:33:18 CDT 2004

Jtyc wrote:
>> Ah yes, like the time the Dot Communists insisted I had to change the
>> service account for a web application to an administrator level one,
>> as it absolutely wouldn't work otherwise - it wouldn't work because
>> they had hard-coded names of administrative shares into some of the
>> file paths. Or how I had to grant that same account SA privileges
>> to the SQL Servers, because it was "too confusing" to have to
>> owner-qualify some table names...
>
>
> My biggest headache day in day out is crappy programmers.

On behalf of crappy programmers everywhere, I apologize.

--
Fris "HAHAHAHAHAHAH" bee®, MCNGP #13

The MCNGP Team - We're here to help!
http://www.mcngp.tk

Certaholics
http://groups.yahoo.com/group/certaholics


Re: Korgo Virus by Vigo

Vigo
Thu Jun 24 10:37:38 CDT 2004

"Jtyc" <jtyc_mcngp@spamblockerbitch!@yahoo.com> wrote in
news:#6oWFAgWEHA.3716@TK2MSFTNGP11.phx.gbl:

> My biggest headache day in day out is crappy programmers.

If your programmers were crap, the Dot Commies were a sewage plant.

I had the added frisson of Nosferatu's vampiric sleeping habits (i.e., he
mostly didn't) combined with the time offset for Cheapistan. They got six
whole hours to complain that it was "system traubles." Five minutes' of my
scalding regard during the daily production meetings cleared up that it
was, in fact, almost always software traubles, but the damage to my
reputation was long since done.


--
http://www.vigo-alessi.com/images/products/1362.jpg

Re: Korgo Virus by Keyboard

Keyboard
Thu Jun 24 12:07:41 CDT 2004


>On behalf of crappy programmers everywhere, I apologize.
>
>--
>Fris "HAHAHAHAHAHAH" bee®, MCNGP #13
>


Hey, are you a member of the crappy programmers guild too?

Re: Korgo Virus by kpg

kpg
Thu Jun 24 12:24:17 CDT 2004


"Keyboard Cowboy" <thekeyboardcowboy@nospam.cybersolutionz.com> wrote in
message news:20a0e01c45a0d$c2460560$a601280a@phx.gbl...

>On behalf of crappy programmers everywhere, I apologize.
>
>--
>Fris "HAHAHAHAHAHAH" bee®, MCNGP #13
>


>Hey, are you a member of the crappy programmers guild too?

the best




Re: Korgo Virus by Spyke

Spyke
Thu Jun 24 12:42:25 CDT 2004

"kpg" <ipost@thereforeiam.com> wrote in
news:OZGJoAhWEHA.1128@TK2MSFTNGP10.phx.gbl:

>
> "Keyboard Cowboy" <thekeyboardcowboy@nospam.cybersolutionz.com> wrote
> in message news:20a0e01c45a0d$c2460560$a601280a@phx.gbl...
>
>>On behalf of crappy programmers everywhere, I apologize.
>>
>>--
>>Fris "HAHAHAHAHAHAH" bee®, MCNGP #13
>>
>
>
>>Hey, are you a member of the crappy programmers guild too?
>
> the best
>
>
>

with updates

--

Cheers,
Spyke

Re: Korgo Virus by TechGeekPro

TechGeekPro
Thu Jun 24 13:06:57 CDT 2004

"fygar" <cpudoc10@hotmail.com> wrote in message
news:16mld01kv2jhtt550c4at47l8c3v96kc4j@4ax.com...
> On Thu, 24 Jun 2004 08:50:34 +1000, "Slarty Bartfast"
> <Slarty@Bartfast.com> wrote:
>
> >We had two days of the LAN being down this week with the Win32.Korgo.I
> >virus.
> >It has similar behaviour to the Sasser that we spent a whole day on
> >'fixing'. We had Microsoft Auto-updates turned off for some reason - MS04-011
> >patch would have stopped it, but it wasn't on all our machines.
> >It most likely got in via a laptop that was on the net while outside our
> >firewall and then brought it in.
> >We are updating all our laptops to XP and using its firewall - better than
> >nothing.
> >
> >Any suggestions on good laptop policy regarding security - I know that might
> >seem a silly question, but we have been using NT4 and 2000 on our laptops
> >with good updated virus protection forever, long before I came here, even
> >though I knew the lack of a software firewall was a risk and brought the
> >issue up a few times.
>
> Run MBSA to find all lagging machines.
> Patch.
> Set up SUS.
> Set up a managed Antivirus.
> Find a firewall product if not using XP.
> Keep users out of Administrators group.
> Keep users out of Administrators group.
> Keep users out of Administrators group.
> Keep users out of Administrators group.
> ***Do not give access to email w/o using VPN. (This forces the
> occasional connection so the systems will check for updates)
>
> Remove batteries and power cords
>
> ...butch

Yeah, but shouldn't you also keep users out of Administrators group?

--
I may not be completely certified, but I am completely certifiable.



Re: Korgo Virus by fygar

fygar
Thu Jun 24 13:14:17 CDT 2004

On Thu, 24 Jun 2004 14:07:14 -0400, "TechGeekPro"
<%username%@yahoo.com> wrote:

>"fygar" <cpudoc10@hotmail.com> wrote in message
>> Keep users out of Administrators group.
>> Keep users out of Administrators group.
>> Keep users out of Administrators group.
>> Keep users out of Administrators group.
>> ***Do not give access to email w/o using VPN. (This forces the
>> occasional connection so the systems will check for updates)
>>
>> Remove batteries and power cords
>>
>> ...butch
>
>Yeah, but shouldn't you also keep users out of Administrators group?

I'll add that to the list.

...b


Re: Korgo Virus by Ken

Ken
Thu Jun 24 13:16:14 CDT 2004

"TechGeekPro" <%username%@yahoo.com> wrote in message
news:y76dnXrA5t3chUbd4p2dnA@adelphia.com...
>
> Yeah, but shouldn't you also keep users out of Administrators group?

I had to stick users in local admin groups the other day. we have a dumbass
printer whose software won't allow users to print to a mailbox unless they
have administrative rights. so, since i'm not the one running the show, i'm
merely a lackey, i was instructed to add EVERYONE to their local admin
group. I protested, but only briefly, as I realized that this is job
security. Doing this will virtually guarantee me a job in a couple months
when things backfire and a sh!tstorm of spyware, viruses, and nosy users
ensues. But I guess, for now, everyone's happy because they can all print.
Whatever. But I can feel it...the big one's coming. I know I'm going to be
told to give some luser domain admin access, by either giving him one of the
admin usernames/passwords or by dropping him/her into domain admins. I can
feel it. I'm going to cringe. I'm going to vomit. I'm going to probably pass
out. Oh well.

--

KB - MCNGP "silent thug" #26

first initial last name AT hotmail DOT com



Re: Korgo Virus by TechGeekPro

TechGeekPro
Thu Jun 24 13:20:38 CDT 2004

"fygar" <cpudoc10@hotmail.com> wrote in message
news:se6md0h2pgbc49udd71l6ndqruact9l0rj@4ax.com...
> On Thu, 24 Jun 2004 14:07:14 -0400, "TechGeekPro"
> <%username%@yahoo.com> wrote:
>
> >"fygar" <cpudoc10@hotmail.com> wrote in message
> >> Keep users out of Administrators group.
> >> Keep users out of Administrators group.
> >> Keep users out of Administrators group.
> >> Keep users out of Administrators group.
> >> ***Do not give access to email w/o using VPN. (This forces the
> >> occasional connection so the systems will check for updates)
> >>
> >> Remove batteries and power cords
> >>
> >> ...butch
> >
> >Yeah, but shouldn't you also keep users out of Administrators group?
>
> I'll add that to the list.
>
> ...b

Glad to help. ;-)

--
I may not be completely certified, but I am completely certifiable.



Re: Korgo Virus by Neil

Neil
Thu Jun 24 13:36:41 CDT 2004

"kpg" <ipost@thereforeiam.com> wrote in news:OZGJoAhWEHA.1128
@TK2MSFTNGP10.phx.gbl:

>>Hey, are you a member of the crappy programmers guild too?
>
> the best

no, no kpg. you are a member of the krappy programmers guild...
;)

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by Neil

Neil
Thu Jun 24 13:37:00 CDT 2004

Spyke <spyke@mailinator.com> wrote in
news:Xns95128B6F95090spykemailinator.com@207.46.248.16:

>> the best
>>
>>
>>
>
> with updates

it is real

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by Neil

Neil
Thu Jun 24 13:38:58 CDT 2004

"Ken Briscoe" <youcant@sendmespam.com> wrote in news:elE8NdhWEHA.1684
@tk2msftngp13.phx.gbl:

> I'm going to cringe. I'm going to vomit.

do it on the luser and then you can take the day off and postpone the
inevitable

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by Slarty

Slarty
Thu Jun 24 18:08:27 CDT 2004

Thanks Fygar, your post was very helpful. I will look at SUS.
Regarding VPN and Admin Group, I've asked, but they won't touch VPN here.
And everyone is a Local Admin. I have pointed out some problems with this,
not least of which that anyone can map to the Administrative Shares of
anyone else.

--

Regards,

Slarty Bartfast



Re: Korgo Virus by nerd32768

nerd32768
Thu Jun 24 18:23:54 CDT 2004

"Slarty Bartfast" <Slarty@Bartfast.com> wrote in message
news:eRTr$$jWEHA.712@TK2MSFTNGP11.phx.gbl...
> Thanks Fygar, your post was very helpful. I will look at SUS.
> Regarding VPN and Admin Group, I've asked, but they won't touch VPN here.
> And everyone is a Local Admin. I have pointed out some problems with this,
> not least of which that anyone can map to the Administrative Shares of
> anyone else.
>
> --
>
> Regards,
>
> Slarty Bartfast
>

if you need help with SUS, you can always go to
"microsoft.public.softwareupdateservices"




Re: Korgo Virus by Slarty

Slarty
Thu Jun 24 18:42:57 CDT 2004

Thanks Nerd, I'll go there now and have a look.

--

Regards,

Slarty Bartfast



Re: Korgo Virus by Neil

Neil
Thu Jun 24 18:52:40 CDT 2004

"Slarty Bartfast" <Slarty@Bartfast.com> wrote in news:eRTr$$jWEHA.712
@TK2MSFTNGP11.phx.gbl:

> And everyone is a Local Admin.

NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!!!!!!!!!!!!!!

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by Neil

Neil
Thu Jun 24 18:53:37 CDT 2004

"Slarty Bartfast" <Slarty@Bartfast.com> wrote in news:OoclRTkWEHA.3012
@tk2msftngp13.phx.gbl:

> Thanks Nerd, I'll go there now and have a look.
>
> --
>
> Regards,
>
> Slarty Bartfast
>
>

or www.susserver.com

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by Slarty

Slarty
Thu Jun 24 22:58:18 CDT 2004

why...

--

Regards,

Slarty Bartfast
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns9512CA0A95DE0neilmcsehotmailcom@207.46.248.16...
> "Slarty Bartfast" <Slarty@Bartfast.com> wrote in news:eRTr$$jWEHA.712
> @TK2MSFTNGP11.phx.gbl:
>
> > And everyone is a Local Admin.
>
> NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!!!!!!!!!!!!!!
>
> --
> Neil MCNGP #30
> "you'd do what, to who, for how many biscuits?"



Re: Korgo Virus by Neil

Neil
Fri Jun 25 07:47:15 CDT 2004

"Slarty Bartfast" <Slarty@Bartfast.com> wrote in news:OIO59hmWEHA.2576
@TK2MSFTNGP10.phx.gbl:

>
> why...

*walking away*
"you can call it job security then...

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: Korgo Virus by Ken

Ken
Fri Jun 25 08:12:38 CDT 2004

"Slarty Bartfast" <Slarty@Bartfast.com> wrote in message
news:eRTr$$jWEHA.712@TK2MSFTNGP11.phx.gbl...
>
> And everyone is a Local Admin.

I feel your pain brotha.

--

KB - MCNGP "silent thug" #26

first initial last name AT hotmail DOT com



Re: Korgo Virus by Doom

Doom
Fri Jun 25 11:26:41 CDT 2004


"Vigo Breadcrumbs" <vigo@breadcrumbbs.com> wrote in message
news:6zCCc.145531$Ol3.140574@twister.tampabay.rr.com...
> "Jtyc" <jtyc_mcngp@spamblockerbitch!@yahoo.com> wrote in
> news:#6oWFAgWEHA.3716@TK2MSFTNGP11.phx.gbl:
>
>
> I had the added frisson of Nosferatu's vampiric sleeping habits (i.e., he
> mostly didn't) combined with the time offset for Cheapistan.

Vigo that is just too damn funny.