So I got a new laptop yesterday … A HP Pavilion zd7160us … It comes with XP Home, and, well, who the heck wants to run that? So, I blow away the heavily overloaded full featured system and wouldn’t you know it … While installing the new system, I am hit by an exploit … Once I had the machine semi-configured where I would use it, I notice that it’s trying to contact all these other machines on port 445 … So, even after installing firewalls and all the Windows Update stuff, it’s still doing it, and on boot, it’s trying to access port 445 on a local machine on the network here that it has no business trying to connect to … At times the machine would hang, etc … So, I go to Symantec, and lo and behold, there it is; W32.Korgo.L is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports (256-8191). Found YESTERDAY! I read the removal instructions, etc … and to me that’s a hassle … What if I miss something? What if it doesn’t completely remove stuff and since I updated with the thing active, maybe other symptoms will come of it … No! I want a clean system fully patched and ready to go to hit the ‘net … So I pop in the install disk and begin again, although this time I unplugged the network cable … I’ll get a firewall going before I connect the cable … This has never happened to me before … getting pounced on before I got a chance t put all the protection in place … It sure is frustrating, or … disheartening that this goes on …
This happened to me as well when I was installing Win2K3 Server. During the installation it happened. Of course I should have known better than to set it up connected to the ‘Net outside the firewall. The OS you install has no patches so it makes sense you need to be behind the firewall when installing. I figured that the beta of Win2K3 would have been patch free but that was not the case :-/
I have been reading through some of my old posts today, and this is one which actually had a comment left for it, so I will comment on the comment in true Dave fashion. This only ever happened with a Windows install … No other OS install has exploitable software running until you choose to install that exploitable software … You can install FreeBSD without fear and since Apple’s OS X is *BSD, that goes for Macs as well. Linux has become a gray area depending on the distro … Some Linux distros have gotten too “user friendly” and this has become the problem. User friendly usually means that people that don’t know what they’re doing can get something working, well, wrong.