quote:

---

Users are being told to avoid using Internet Explorer until Microsoft patches a serious security hole in it.
The loophole is being exploited to open a backdoor on a PC that could let criminals take control of a machine.

The threat of infection is so high because the code created to exploit the loophole has somehow been placed on many popular websites.

Experts say the list of compromised sites involves banks, auction and price comparison firms and is growing fast.

Serious problem

The net watchdog, the US Computer Emergency Reponse Center (Cert), and the net security monitor, the Internet Storm Center, have both issued warnings about the combined threat of compromised websites and browser loophole.

Cert said: "Users should be aware that any website, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."

In its round-up of the threat the Internet Storm Center bluntly stated that users should if possible "use a browser other then MS Internet Explorer until the current vulnerabilities in MSIE are patched."

CHECKING FOR INFECTION
Click the Start button and then click on Search
Make sure you choose the option to look through all files and folders
Search for files called Kk32.dll and Surf.dat
If infected use up to date anti-virus software to remove the malicious code

Security programme manager at Microsoft's security response centre, Stephen Toulouse, told BBC News Online: "When threats happen, we mobilise instantly.

"We post warnings, which we did last night, and tell customers what the issue is, whether they are affected, what steps they can take to prevent it."

He said Microsoft was aware that operating systems had vulnerabilities, but added that it was an industry-wide problem.

Mr Toulouse advised users to set their internet security zone to high and to run good anti-virus software.

It is unclear how the malicious code that exploits the weakness in Microsoft's Internet Explorer has been inserted on popular websites.

What is known is that any Windows 2000 Server that does not have the MS04-011 security update installed and is running Internet Information Server could be at risk.

The virulent Sasser worm exploited loopholes closed by this update so many servers are likely to be patched against the problem.

Infected servers are adding a malicious chunk of Javascript to all the web, gif and jpg files served up to anyone browsing the sites they host.

When loading on a browsing PC, this chunk of code might trigger a Windows error message.

Once downloaded the code redirects a browser to a Russian website which tries to install a program that opens a backdoor into the PC.

Some net service firms have started blocking access to this Russian site.

Check for infection

Anti-virus firms are now working on putting detectors for the chunk of code in to their scanning software.


A Russian website is spreading the malicious code
Security firm Symantec said the malicious code was not widespread and did little damage.

The reason that the server/browser combination has been created remains a mystery.

Some speculate that it is the work of spammers looking to create yet another network of compliant PCs that can be used as proxies to spread junk mail.

Microsoft has issued advice to consumers and web administrators about dealing with the problem.

So far the server/browser combination has not been given a single name. In its warning about the problem Microsoft calls it download.ject but others, such as F-Secure, are calling it Scob.

---

quote:

---

What You Should Know About Download.Ject

What You Should Know About Download.Ject
Published: June 24, 2004 | Updated June 25, 2004 8:35 P.M. Pacific Time

Get this information in additional languages

Microsoft teams are investigating a report of a security issue known as Download.Ject affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows. (Download.Ject is also known as: JS.Scob.Trojan, Scob, and JS.Toofeer.)

Important Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk.

Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.

How to Help Protect Your Systems

System administrators. System administrators should follow the steps outlined in Knowledge Base Article 871277 to apply update 835732 and take any recovery steps that may be necessary.

Enterprise customers. Enterprise customers can minimize risk by increasing the security of the Local Machine Zone in Internet Explorer.

Home users. Use the following steps to update your computer, remove any infection, and increase your browsing and e-mail safety settings.


Actions for Home Users


1.
Install Critical Updates

Visit the Windows Update Web site to install all critical updates.

2.
Check for Infection

To determine if the malicious code is on your computer, search for the following files:

Kk32.dll
Surf.dat

Steps for Windows XP users:

On the taskbar at the bottom of your screen, click Start, and then click Search.
Under What do you want to search for? click All files and folders.
Under All or part of the file name:
type: Kk32.dll
and then click the Search button.
Under All or part of the file name:
type: Surf.dat
and then click the Search button.

If either of these files is present, your computer may be infected. You can find tools to clean your computer and obtain up-to-date antivirus protection from the following software vendors participating in the Microsoft Virus Information Alliance:

Symantec
F-Secure
Computer Associates


3.
Increase Your Browsing and E-Mail Safety

Follow the steps outlined on the page to Increase Your Browsing and E-Mail Safety.






Learn How to Protect Your PC

To help protect your computer against a wide variety of security threats, see Protect Your PC.

---

quote:

---

Originally posted by itdincor:
One more reason to be glad I use Opera 7 as a browser, and Eudora as an EMail client. I recommend them both to everyone. Microsoft truly seems a bit more shakey with each passing week, doesn't it?. John Dvorak as always has a good news/bad news opinion on MS vs open source, where he feels that eventually all this will be to our benefit. Eventually. We'll see.

http://www.pcmag.com/article2/0,1759,1615422,00.asp

---