The Download.Ject Trojan and the MS04-011 Patch

The airwaves are full of the latest hacker exploit, known as Download.Ject, JS.Scob.Trojan, and several other names. This Trojan horse plants a script on unsuspecting Microsoft Internet Information Services (IIS) 5.0 Web sites that, when executed by Windows XP and Windows 2000 systems, redirects the browser to a Web site that purportedly (according to the lay press) might scavenge the local system for personal information including credit card numbers. According to Symantec, on an IIS server, the Trojan places an ads.vbs file into the current IIS directory; places three files into %system%inetsrviisxxx.dll, where xxx are hex digits; modifies the IIS configuration to use one of the iisxxx.dll files as the default document footer; and runs a java script on a Web site at 217.107.218.147. After the script runs, the Trojan places at least two files (kk32.dll and surf.dat) on the local system and leaves a cookie that starts with the string trk716; the cookie expires in 1 week. To quickly check whether a system has been compromised, scan your hard disks for kk32.dll and surf.dat. If you find either or both files, follow your virus vendor’s instructions to remove all traces. Visit http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html to read Symantec’s summary of JS.Scob. According to the Microsoft Security Bulletin MS04-011 (What You Should Know About Download.Ject) at http://www.microsoft.com/security/incident/download_ject.mspx) the Trojan leverages a known security vulnerability that hotfix MS04-011 eliminates. For more information about the Trojan, see the Microsoft article "MS04-011: Security Update for Microsoft Windows" (http://support.Microsoft.com/?kbid=835732).

Known Issues with MS04-011
A quick scan of the Microsoft Knowledge base just 2 days after Microsoft published information about the Download.Ject Trojan indicates that the MS04-011hotfix introduces new problems on the four platforms for which it's available. If you haven't installed this update, you should do so immediately but be aware that this hotfix might introduce as many as eight new problems, some of which are severe. If you're running Oracle on Windows Server 2003 or Windows 2000, figure out how to manually start the database service before you apply MS04-011. The problems are:
•Windows 2003—The Oracle database service hangs on startup; EMF image files created in Adobe Illustrator don't display correctly in many native utilities, including Microsoft Internet Explorer (IE) and Windows Explorer, plus Microsoft Office.
•Windows XP— EMF image files created in Adobe Illustrator don't display correctly in many native utilities.
•Win2K—The Oracle database service hangs on startup; EMF image files created in Adobe Illustrator don't display correctly in many native utilities; a system hang prevents you from logging on; Homedrive, Homepath, and Homeshare environment variables might not work as expected; domain controllers (DCs) don't register critical Global Catalog (GC) and Kerberos DNS names at startup; the system can't connect to a Server Message Block (SMB)/Common Internet File System (CIFS) server; a Plug and Play (PnP) manager bug significantly lengthens the time before the desktop appears after you log on; and you can't display Adobe EMF images.
•NT—multiprocessor systems might crash with a stop code of 0x00000079.

Fixing the Hotfix
Here's how to fix the hotfix problems:
•Oracle service failure (manual solution). There are two ways to correct the Oracle service startup failure. You can manually start the service after the system starts (grossly inconvenient on production systems), or you can write a script that uses two Windows 2003 resource kit utilities and starts the service manually when the system boots (almost as inconvenient). These techniques are documented in the Microsoft article "Oracle database service startup process stops responding" (http://support.microsoft.com/?kbid=841180).
•EMF images (system patch)—Microsoft has released a hotfix that correctly displays EMF image files created in Adobe Illustrator on XP and Win2K. The hotfix updates two files, gdi32.dll and mf3216.dll, both of which have a file release date of April 26. The hotfix is available only from Microsoft Product Support Services (PSS); when you call, cite the Microsoft article "You cannot view enhanced metafile format graphics files (or EMF image files) that were created in Adobe Illustrator" (http://support.microsoft.com/?kbid=840997) as a reference.
•Win2K system hang (system patch)—The security fix causes Win2K to repeatedly attempt to load three specific drivers—Ipsecw32k.sys, imcide.sys, and dlttape.sys—even when the driver install fails. If you've implemented IP Security (IPSec) policies, you might see this problem. Likewise, this problem might affect systems on which a dlttape backup device is installed. The hotfix for this problem is extensive and available only from Microsoft PSS. See the Microsoft article "Your Windows 2000-based computer stops responding, you cannot log on to Windows, or your CPU usage for the System process approaches 100 percent" (http://support.microsoft.com/?kbid=841382) for a list of affected files and installation instructions.
•Environment variables (manual solution)—Follow the rules and use Group Policy or each user’s Windows Terminal Services profile to define home drives and directories.
•DCs (system patch)—When a DC fails to register key GC and Kerberos DNS names, users in child domains are unable to access network resources and child domain trusts stop working. Microsoft PSS has a hotfix that corrects this nasty bug; the hotfix updates many files, most of which have a file release date of March 24. When you call, cite the Microsoft article "The Domain Controller does not register _GC, _KERBEROS, and _KPASSWD DNS entries when a Windows 2000 server starts" (http://support.microsoft.com/?kbid=841395) as a reference.
•SMB connectivity (system patch)—When SMB/CIFS connectivity doesn’t work and the MS04-011 patch is the culprit, the connection attempt reports “the network name cannot be found” and you should see warnings from MRxSmb with event ID 3034 in the System event log. The only way to restore SMB connections is to install the hotfix, another extensive list of updates that you’ll find documented in the article "You receive a 'The network name cannot be found' error message when you try to connect to a SMB/CIFS server" (http://support.microsoft.com/?kbid=841617).
•Slow desktop (system patch)—If, after you install MS04-011, you notice a long delay between when you log on and when the desktop appears, it could be the result of a timeout in the PnP manager. If this is the cause, you’ll see one or more messages in the System event log from the PnP manager with Event ID 256 and the text “Timed out sending notification of device interface change to window of program, service name, or GUID.” Microsoft has a patch that updates four kernel files and the mount manager, most of which have a file release date of May 21. When you call PSS, cite the article "Event ID 256 is logged in the system event log after you install the MS04-011 security update on a Windows 2000-based computer" http://support.microsoft.com/?kbid=842644 as a reference.
•NT (system patch)—The hotfix forgets to rename the multiprocessor kernel file ntoskrnl.exe during installation. The manual recovery procedure for this one has several steps, all of which are documented in the Microsoft article "STOP 0x00000079 error message appears on a Windows NT 4.0-based computer" (http://support.microsoft.com/?kbid=841384). In a nutshell, after you can access the system root, rename the current ntoskrnl file, copy the previous version to the system root, modify the setup.log file to indicate the system has multiple processors, and reboot. Next, you uninstall, then reinstall the MS04-011 hotfix.
I have to quash the urge to scream about distributing a security hotfix that wreaks so much havoc because it places network and security administrators between a rock and a hard place. If we don’t install the flawed code, IIS can be compromised, and if we do, we must monitor, diagnose, implement workarounds, and install as many as six additional patches on all affected systems. Somehow, this isn't my vision of quality control … what do you guys think?