ampage
Tube Amps / Music Electronics

ampage archive

Vintage threads from the first ten years


LovSan virus


 :
8/12/2003 6:05 PM
MBSetzer
LovSan virus
Well this is the outbreak that was expected since Microsoft announced on July 16 the serious defect which has been present in all Windows versions since the time that DCOM was annexed onto Windows95.  
 
The defect was supposedly *discovered* by the LSD group, as was documented on the Microsoft website when I was reading it on July 17.  
 
Most default installations of Windows are vulnerable to a *DCOM attack* which is what LovSan does, entering your computer without you having to open emails or even have a mail reader to begin with. Just being on the internet you can get this one.  
 
The software patches from Microsoft are expected to be effective; however, since virtually all of the factory support for Windows95 has been withdrawn, to the disadvantage of Microsoft's greatest customers, outstanding by omission is the lack of a security patch for Windows95 itself, the flagship of the 32-bit operating systems.  
 
It could be worse: if more time had been allowed to pass before public release of the operating system defect, the technical support for the much more popular and still common Windows98 might have been completely withdrawn by then. Then it would have been legitimately permissible for the W98 customers to have been shafted and left without a security patch as well.  
 
Actually, since the defect this time is confined to DCOM (Distributed Component Object Model), and the purpose of the new DCOM in the late '90s is to allow your computer to execute code which is resident on a remote machine, or for a remote machine to execute code which is on your machine, you can do without DCOM completely in most cases. Some of the newer highly interactive applications might not have been possible without DCOM, but if you are still now using W98 or W95 for primarily personal computing it is quite likely that the DCOM originally installed by default on your machine has been there maintaining readiness the whole time without having been called upon yet. Unless it hears the call of LovSan, to which it will respond as if it were designed that way intentionally.  
 
There is a configuration utility for DCOM which has a number of versions. Dcm95cfg, dcomcnfg and a few variations like that IIRC. With this Microsoft utility you can enable or disable DCOM as well as select optional settings. The original dcomcnfg supposedly works on both W98 & W95, but interestingly was only included with W98 First Edition. It is not on the CD for W98SE users, who would have to download it separately from Microsoft. I remember quite well that there was worthwhile documentation and easily located downloads of dcomcnfg at the Microsoft website prior to July 16. It was also available at numerous third party sites as a free download. Since then the site has been virtually purged, and it also appears to have been Googlewashed from internet memory.  
 
Anyway, for anyone still on W95 or who may not want to depend on the new security patch for W98, you can disable DCOM quite simply in the registry:  
 
Start > Run > Regedit  
Then open the folders: HKEY_LOCAL_MACHINE\Software\Microsoft\OLE  
You will see where it says EnableDCOM *Y*.  
Right click on that EnableDCOM, hit Modify, then change the value from Y to N. Hit OK then close the registry window and restart the computer.  
 
Of course, if you NEED DCOM for something, this would not be ideal; in that case I expect the W98 security patch will work OK in W95. Microsoft might just not want to tell you so, in case you might realize more value from your investment while they are not.  
 
Mike
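As an added example, not from the thread: a PowerShell script that audits the EnableDCOM value at the registry key Mike names above and, only if you call the second function, makes the same Y to N change after recording the old value. It assumes an NT-family Windows where PowerShell exists and the same HKLM\SOFTWARE\Microsoft\Ole key is present (not the W95/W98 the post targets, where regedit is the tool), plus an elevated session.

```powershell
# Added example (not from the thread): audit and optionally disable DCOM via the
# EnableDCOM value named in the post. Assumes NT-family Windows, PowerShell, and
# an elevated session; the key path is the one the post gives.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomState {
    # Returns 'Y', 'N', or $null when the value is absent (absent means enabled by default).
    $props = Get-ItemProperty -Path $OleKey -Name EnableDCOM -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [string]$props.EnableDCOM
}

function Disable-Dcom {
    param([string]$BackupFile = "$env:TEMP\EnableDCOM-backup.txt")
    $before = Get-DcomState
    if ($before -eq 'N') {
        Write-Host 'DCOM is already disabled (EnableDCOM = N); nothing to do.'
        return
    }
    # Record the previous value first so the change can be reverted by hand.
    $shown = if ($null -eq $before) { '<absent>' } else { $before }
    "EnableDCOM was: $shown" | Out-File -FilePath $BackupFile
    Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'N' -Type String
    $after = Get-DcomState
    Write-Host "EnableDCOM changed from [$shown] to [$after]; old value noted in $BackupFile."
    Write-Host 'Restart the computer for the change to take effect.'
}

# Audit only: report the current state without changing anything.
$state = Get-DcomState
if ($state -eq 'N') {
    Write-Host 'DCOM disabled (EnableDCOM = N).'
} elseif ($null -eq $state) {
    Write-Host 'EnableDCOM value absent: DCOM enabled by default.'
} else {
    Write-Host "DCOM enabled (EnableDCOM = $state)."
}
# To apply the post's change, run: Disable-Dcom
```

The script only changes the registry value; it does not install the Microsoft update, so it is a stopgap for a machine that cannot be patched, not a substitute for the patch where one is available.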
 
8/13/2003 4:10 AM
Glen H.
Thanks for the tip Mike! :)  
 
 
GH
 
8/13/2003 1:00 PM
Todd Hepler
Some links ...
MB -  
 
Thanks for posting this info. I just spent a couple of days dealing with this virus, as well as Klez.h.  
 
You know if you have it when you start having an "RPC error" and your system automatically reboots.  
 
To remove LovSan, I used Stinger, available from: http://vil.nai.com/vil/content/v_100547.htm.  
 
The specific MS update to keep this problem from occurring in the future: http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en  
 
I installed the freebie version of ZoneAlarm firewall: http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=pdb_za1  
 
And - Trend Micro has a pretty cool online virus scan tool at: http://housecall.trendmicro.com/housecall/start_corp.asp  
 
HTH someone!  
 
-Todd
 
8/13/2003 3:17 PM
Major Pain
Re: Viruses and Hackers........
Thanks for the info Todd and MB.  
 
It's funny that last week I had to re-install XP and then install all the critical patches, something like 40 of them. Well, to get rid of the hacker or hackers that got into my PC originally I installed ZoneAlarm, and it's funny how now I can finally see where the hackers are coming from.  
 
I see IPs trying to get in my PC from Asia and Europe.  
 
Seems that Windows just leaves too many flaws to let these viruses and hackers in, and that's pathetic :(  
 
I now am thinking about buying a Mac to see if these are better at not getting so many hackers and viruses.  
 
Anyone up on Macs and how good they are????  
Or maybe just going to Unix possibly????  
 
 
M.P.
 
8/13/2003 6:01 PM
John Culp

Of course, most of those IPs from Asia and Europe trying to hack into your PC are relays from folks who've hacked into someone else's computer and are using it as a base to hack into others.  
 
I'm a Mac user, primarily. Macs haven't been virus-free, but most of the Mac viruses have been benign things that beeped or put up a message on your screen. Only a few destructive ones. The majority of the bad stuff is macro viruses for Microsoft applications. There have been some Trojan programs that open the Mac up to backdoor attacks or remote control, but they require the user to open something. I haven't heard of anything like this in quite a while. The crackers spend their energy primarily on PCs because there are so many of them, and they're so easy to target.  
 
The old classic Mac OS doesn't come with any open ports to hack into by default. You have to be running software that opens one. I'm not familiar with the under-the-hood aspects of the current OS X, which is BSD Unix. It has a Mac-like interface (derived from NextStep) running as a shell over the Unix, with an emulator to run the Classic Mac OS for compatibility with earlier software. If you know the Unix stuff you can open a console window and do most anything that you could with any Unix box. Most Unix utilities that aren't included in the basic OS have been ported over to it, I hear.
 
