W2Knews[tm] (the original NTools E-News)
Electronic Newsletter Vol. 5, #21 - May 8, 2000
Published by sunbelt-software.com since 1996 - ISSN: 1527-3407
'Immediate Notification Of Important Windows NT/2000 Events'
******************* over 600,000 SUBSCRIBERS *****************

This Issue of W2Knews contains:

1. EDITORS CORNER:
   * Thank You For Your Feedback, Really. / FIRST WINNER of our Recommend a Friend & Win $500 Campaign
2. TECH BRIEFING:
   * Virus Protection too late? Try this BUG SWATTER, cause mutations are sure to follow!
3. NT RELATED NEWS:
   * Biometric Additions to Windows to Bolster Security
   * Results from Sunbelt/Giga Hardware Reliability Survey
   * Gartner Group Sez: Linux Not Taking Over World.
4. NT THIRD PARTY NEWS:
   BEEN INFECTED BY THE VIRUS ALREADY? NEED AN EXTERMINATOR?
   Here are some third party tools that have come to the rescue:
   * SCRIPTLOGIC cleans up the Morning After
   * LOVE KILLER by ECM V2.5
   * FileScreen Blocks LoveBug
5. HINTS AND TIPS: PRACTICE SAFE EMAIL
6. THE NT/2000 STOCK WATCH - Thursday Friday 28, 2000
7. HOW TO USE THE MAILING LIST
   Instructions on how to subscribe, sign off or change your address.

******************** SPONSOR: NETIQ **************************
How will you monitor Active Directory? Ensure the replication, verification and day-to-day health of Active Directory with AppManager - the most trusted applications management solution for Windows NT/2000. Find out why companies like Microsoft, NASDAQ & PlanetOutdoors.com chose AppManager to get a grip on centrally managing their Windows environments. For more AppManager info and a *FREE* white paper on monitoring Active Directory, visit:
http://www.netiq.com/go.asp?ID=66
********************** WHAT IS W2Knews? ***************************

Sunbelt W2Knews (the original NTools E-News) is the World's first and largest E-Newsletter designed for NT/2000 System Admins that have the job to get and keep NT up & running in a production environment.
Sunbelt launched this electronic newsletter in early 1996. Every week we keep the Windows NT/2000 community informed and aware of new developments in NT and 3rd-party System Management Tools. You get hints and tips that will enable you to better utilize and understand Win NT/2000 and help you pass your Certification Exams. Info and Stu's bio:
http://www.sunbelt-software.com/w2knews.htm

Via (separate) NTools E-NewsFlashes we will send you important breaking news like new service packs, killer viruses, etc. Sunbelt Software is the first and largest provider worldwide of Third Party System Management Tools for Windows NT. Tell Your Friends! All back issues are here, searchable and indexed on key words:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=nt-list&text_mode=0
-------------------------------------------------------------------

1. "EDITORS CORNER"

Hello NT/2000 Pros,

Well, the Microsoft Breakup 'opinion piece' I sent was certainly the one with the highest amount of feedback EVER. I'd like to thank you all for your feedback, comments and viewpoints. It was fascinating to read all the different ways you are looking at this issue. I started with answering everyone personally, but the volume was just too much. -And- I had to write the newsletter you are now reading. Again, I really appreciate your feedback, whether you agree or if you told me I was nuts. I learned a lot!

----

Our first WINNER can now choose from a digital camera, a Palm, color printer, MP3 player, camcorder or any other cool gadget at Amazon.com. Our 'Word of Mouth' campaign is getting popular! How does it work? You fill out the form, we invite them, and when they subscribe, BOTH of you will be entered for the draw that week. Less than 1 minute work & repeat for more friends!

CLICK & WIN AT: http://www.sunbelt-software.com/

This week's winner is David Johns at qgraph. When we called him he was real happy! We order these online.
This is how it looks, they get sent by EMAIL, so you have them right away.

> Thank you for your Amazon.com gift certificate order!
> Your order summary appears below. To see the latest
> information about your order, please visit:
> http://www.amazon.com/your-account
>
> ----------------------------------------------------
> Quantity: 1
> Amount: $ 500.00
>
> Gift certificate(s): $ 500.00
> Shipping: free
> Tax: $ 0
> -------
> TOTAL: $ 500.00
>
> Will be sent to: [EMAIL PROTECTED]
> Thank you for shopping at Amazon.com!

Want one too? Go to our home page and recommend a friend!

CLICK & WIN AT: http://www.sunbelt-software.com/

Warm regards,
Stu.
Email me with feedback at: [EMAIL PROTECTED]

************************** SPONSOR *****************************
Need to track the serial number and model of all your machines? Tired of paying extra because you can’t effectively track your leased equipment? Computing Edge Inventory +Solution gathers PC serial number and full end-user details, including location, which can be viewed from any web browser. Simple to deploy; zero footprint; report via the Internet/Intranet. Numerous W2K pre-deployment reports! Same great value with UNIX Inventory +Solution. Register to win a Compaq 18' flat screen monitor. Retail value: $3200. 30-day FREE trial!
http://www.computingedge.com
****************************************************************

2. TECH BRIEFING:

* Virus Protection too late? Try this BUG SWATTER, cause mutations are sure to follow!

Well, the world is now a few days into a new rash of mail virus infections. Technically it uses 'worm-technology', but carries a nasty payload so it can be legitimately called a virus. Moreover, it was relatively easy to change the script, so a few copycat worm/viruses are already out there. Latest count is at least 5 or 8 by now. Small alterations make the email message look different, but execute an almost identical script.
Worse, it is likely that similar variants are coming down the pike, using Windows Scripting Host, Java scripts and/or HTML scripts. The mutated 'Mother's Day' that surfaced yesterday deletes all .ini and .bat files from local directories and drives, yikes!!

By now, there is more known than on Thursday morning when I sent you the first warning. This script contains 5 attacks, and seems to have originated in Manila. I was alerted to a site that shows the different parts of the script and what they do. I'm sure there are more sites but I thought this one did a good job explaining the script's evil ways:
http://www.needguide.com/

NOT OPENING A LOVELETTER FROM SOMEONE YOU KNOW?

So now, how to handle these kinds of things? Training your users to 'practice safe email' is not watertight. Despite repeated warnings from me personally to the whole staff even a week or two ago, two people still opened this thing up and infected the whole company anyway. I mean, you get a love letter from someone you know and you don't open it up? <grin>.

Russ Cooper from the NTBUGTRAQ has two works on dealing with email and security that you could use to train users.
http://ntbugtraq.ntadvice.com/safemail.asp
and
http://ntbugtraq.ntadvice.com/outlookviews.asp

I quote Russ:

"Neither are intended to be a complete solution. You should contact your support group and find out what, if anything, you need to do to ensure your anti-virus programs are up-to-date. I know that Symantec, Datafellows, and even NAI have updated definitions available for this latest wave. Regardless of how much you might think someone is going to send you a love letter, you should treat any anonymous email as you would a knock at your door at 3:00am in the morning"

One of the problems is that often your virus protection software is too late. Things as nasty as this spread SO fast that it is logistically unlikely _all_ signature files of everyone can be updated in time.
That means you still run the risk of getting hit, even though you have anti-virus software running. Now what?

YOU'RE ON THE TITANIC AND YOU FEEL THE BOAT SINKING...

All of you have your own personal network of contacts that give you early warnings when these things happen. Colleagues, users, discussion lists, friends on the Net, you name it. Often we are warned and know this thing is in the wild, but our anti-virus (AV) signatures are not there yet, your AV software cannot block any attachments, or you are desperately trying to get through to the website of your AV-vendor, but they are maxed out and you cannot get in. You're on the Titanic, you know the boat is sinking, you know there is help on the way but it's not here N O W...

I have one more additional 'Bug Swatter' for you that complements your anti-virus solution. It's called MAIL ESSENTIALS. There are two key things this tool provides:

1) BLOCKS ALL EMAILS CONTAINING SCRIPTS AT THE EMAIL SERVER LEVEL. You may perhaps get some false alarms that way, but it's better to be safe than sorry. Works well with Exchange but also SMTP.

2) YOU can enter a search string IMMEDIATELY that filters the critters out before they even come in your mail servers and AV software to begin with. So you could enter the specific 'lovebug' words and anything that contains this is prevented entry. That way you don't have to shut down your Exchange IMS (Internet Mail Service) and normal bizz operations continue, saving extremely costly downtime.

THINK SUPER LOW COST 'EMAIL FIREWALL'

MAIL ESSENTIALS is a 'content checking gateway' that you install as it were 'before' your mail servers. AV-tools work by letting all emails IN, and then try to disable them. Content Checking gateways prevent entry in the first place, and stop all messages that could be dangerous. It's not a virus protection tool, but it can integrate with one. Better to think: 'Email Firewall'.
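
To make the two gateway checks described above concrete, here is a small sketch added for this write-up; it is not code from MailEssentials or from the newsletter. The extension list, the search string and the sample messages are all constructed assumptions, and check_message, effective_extension and build_sample are hypothetical names.

```python
"""Content-checking gateway sketch: quarantine mail that carries a script
attachment or matches an operator-entered search string.
Policy values and sample messages are constructed for illustration."""
import os.path
from email import message_from_string
from email.message import EmailMessage

# Assumed policy (hypothetical values, not any product's defaults).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
SEARCH_STRINGS = ["lovebug"]  # entered by the admin while AV signatures lag


def effective_extension(filename):
    """Extension Windows will act on: last suffix, lower-cased, after the
    trailing dots and spaces that Windows drops from file names."""
    cleaned = filename.strip().rstrip(". ").lower()
    return os.path.splitext(cleaned)[1]


def check_message(raw, search_strings=SEARCH_STRINGS):
    """Return (verdict, reasons); verdict is 'quarantine' or 'deliver'."""
    msg = message_from_string(raw)
    reasons = []
    texts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # "note.txt.vbs" is a script: only the final suffix counts.
            if effective_extension(name) in SCRIPT_EXTENSIONS:
                reasons.append("script attachment: " + name)
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            texts.append(body.decode(charset, "replace"))
    haystack = " ".join(texts).lower()
    for needle in search_strings:
        if needle.lower() in haystack:
            reasons.append("search string: " + needle)
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample(subject, body, attachment=None):
    """Build a constructed test message (not captured traffic)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed placeholder bytes\r\n",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        build_sample("Quarterly numbers", "Report attached.", "report.pdf"),
        build_sample("A note for you", "Please open.", "note.txt.vbs"),
        build_sample("Read this", "Please open.", "NOTE.VBS."),
        build_sample("Fwd: the lovebug thing", "Have you seen this?"),
    ]
    for raw in samples:
        print(check_message(raw))
```

The extension rule keeps working for renamed copycats because it never looks at the message text; the search string is the stopgap for the hours before a signature or a broader rule is in place.
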
With MailEssentials, blocking this virus is easy: Just set Mail Essentials to block VBS attachments in the Content Checking tab. This will block any incoming/outgoing infected mail.

This way, the Mail Essentials resolution will block all viruses of this kind, as it will quarantine any attachments using a VB script. This means that Mail Essentials will also catch any variants of the Love Letter virus using VB script.

Even if you do not plan to buy it, I suggest you download the free 30-day eval from our High Speed FTP server and cover your behind asap. I decided to give you all the pricing right away so you can get approval from management immediately. This tool is kind of a no-brainer because it is so cheap, and plays nice with your existing anti-virus software.

SKU:          License:       US$:       Euro:   UK:
---------------------------------------------------
P6106540010   10 Users       $250.00    272     £159
P6106540020   20 Users       $375.00    407     £238
P6106540030   25 Users       $450.00    489     £286
P6106540040   35 Users       $675.00    733     £428
P6106540050   50 Users       $895.00    972     £568
P6106540060   100 Users      $1495.00   1623    £948
P6106540070   250 Users      $1995.00   2165    £1265
P6106540080   500 Users      $2495.00   2708    £1581
P6106540090   UNLIMITED(!)   $2995.00   3250    £1898

Price applies to any number of Exchange/SMTP servers as long as they are within the same site (i.e. the number of servers is irrelevant, as long as the users are all within the same site).

MailEssentials Product Specs page and download forms are at:
http://www.sunbelt-software.com/product.cfm?id=610
(Oh yeah, if you buy now you get a free Windows 2000 upgrade)

Next, if your LAN is already infected, how to get rid of it? Check out the NT THIRD PARTY NEWS section, as some of our vendors have solutions ready for you that are faster than doing everything by hand.

****************************************************************

3. NT RELATED NEWS:

* Biometric Additions to Windows to Bolster Security

Microsoft has made a deal with I/O Software to include software that uses 'biometric' devices such as fingerprint, voice patterns or eye scanners to boost (online) security. I/O Software has written an API that allows for instance a mouse with a built-in fingerprint scanner to replace the username / password drudgery with plug-and-play. Pretty useful as a matter of fact. Just grab your mouse and NT authenticates you. I want it!

The fact that MS decided to pick up this particular API more or less standardizes the field, which is in this case especially useful so that we can get some competition from hardware vendors that now have an API they can interface with for their biometric devices. It's not sure when we will see this appear, but I would just love to see this in a coming service pack. Microsoft, are you listening? ;-)

------------------------

* Results from Sunbelt/Giga Hardware Reliability Survey

The GIGA Information Group and Sunbelt do regular surveys. This time we looked at Hardware reliability and surveyed over 800 out of our customer base. The actual users of the hardware are normally the most reliable source of the total vendor experience: products/support/sales/customer relationship.

Rob Enderle, the VP Mobile Desktop & Internet Technology of Giga is in the process of writing a detailed Planning Assumption for Giga's customers, but Sunbelt has received a sneak peek so we can talk about the very interesting results. We will come out soon with nice graphs on our website that show everything much clearer than just this text.

Most customers buy a mix of desktop and notebook computers from a particular vendor. IBM customers are showing a clear preference in terms of notebook sales, and HP in terms of desktop sales which is consistent with current beliefs.
It is interesting to see how closely Dell and Compaq match each other, supporting the belief that Dell has become the replacement vendor for Compaq.

When asked for their Service experience, Dell and Gateway come out first, followed by 'Other', IBM and Compaq. There is much more to follow about this one. I'll keep you up to date!

------------------------

* Gartner Group Sez: Linux Not Taking Over World.

According to recent research by Gartner Group, the battle to dominate the general-purpose mid-range server market is over and Windows has won. George Weiss (Gartner Hardware and Operating Systems Group VP and research director) claimed they are not saying that Linux is dead, but that it 'aint gonna' take over the world either.

Gartner calculated that during the coming five years all the Linux and Unix flavors combined (and that includes Solaris, HP-UX and AIX) are going to find themselves with about the same market share of the general-purpose server market as Windows.

Gartner's estimations are that just 2 or 3 Linux vendors will really survive. Caldera and Red Hat will be among them as they have enough critical mass. Many others are going to stay small players. Not included in their report are the embedded market or the new breed of 'server appliances'.

They interviewed a bunch of Independent Software Vendors and only about 30%-35% of those that currently support Windows or Unix told them that their mission-critical products will support Linux in 2002. Linux will be high on the porting priorities for 60%-65% "but will not dislodge current top-tier operating system platforms," and with that he means Windows and Unix. Main reason: "They're really hard pressed trying to figure out how to make money in this market."

One of the results of the survey was they concluded that companies that are currently cozying up to Linux (like IBM) are speaking Linux out of the corner of their mouth but really are trying to sell their existing Unix OS'es like AIX.
*****************************************************************

4. NT THIRD PARTY NEWS:

BEEN INFECTED BY THE VIRUS ALREADY? NEED AN EXTERMINATOR?
Here are some third party tools that have come to the rescue

* SCRIPTLOGIC cleans up the Morning After

The developer of ScriptLogic has published a custom script for ScriptLogic that will clean up the after effects of the Lovebug worm virus. Now that everyone has updated their virus signatures to catch it, the clean-up must still be done. That's where this script comes in. It removes the infections, creates a log file of what machines were found to be infected and can optionally remove the vbs and other vbscript associations from the registry so that users can't double click on the attachment and re-infect their systems.
http://www.sunbelt-software.com/product.cfm?id=299

---------------------------

* LOVE KILLER by ECM V2.5

The developer of Enterprise Configuration Manager (ECM) released an ECM script that you can use to identify and eliminate the virus on an enterprise wide basis. You can import it into your existing deployment on your network and take a look at it. Below is the Read Me so you can see how to do it.

Detecting the I Love You Virus Using ECM 2.5:

1) Run SQL Query Analyzer.
2) Select your ECM database.
3) Load the love.sql script provided.
4) Run the Query. This query loads new file alerts that will identify any machine that has been infected by the Worm Virus. It will also write an event to the event log for any machine that meets these file criteria, as well as any machine whose AutoExec.bat has been modified.
5) Stop and restart the collector so it will pick up the new file alerts.
6) Run an instant collection against your machines, selecting static information and file alerts.
7) If any of these files exist on your machines you will receive a file alert in the GUI as well as an event written to the event log of your collector machine.

How to load the Love Killer for ECM 2.5

This is a batch file that is designed to be run as a job submission that will delete all files related to the 911 Virus from any of your monitored systems.

1) Save the lovekiller.bat to a shared location on your network.
2) From the General Configuration menu select the Job Submissions Tab.
3) Click Add.
4) Name the Job
5) In the Command(s) to Execute window put the UNC of the lovekiller.bat, i.e. \\wpfile01\virus\lovekiller.bat.
6) Leave the options default.
7) Select an account to authorize this job and a job password.
8) Click Ok. Click Ok. And Click OK to update the collector with the new settings.
9) Log out of the console machine and have the Account that was chosen to authorize the virus job log in and authorize the job from the General Configuration | Job Submission Tab.
10) From the General Configuration menu select the Collection Times Tab.
11) Select your Default Group.
12) Click add to create a new collection time. Name the collection.
13) Click Next. Select File Alerts. Click Next.
14) Select Run a Job and Select the Virus Job.
15) Establish what frequency and when you want to run this job. Click Finish.

More info: http://www.sunbelt-software.com/product.cfm?id=522

---------------------------

* FileScreen Blocks LoveBug

Virus scanning is a critical component of any network. However, by the time a virus such as the "LOVEBUG" virus is identified and detected, it's usually too late. Virus companies may take hours to post a fix, while the virus continues to run its course throughout your network.

FileScreen 2000 screens files by name and file type from being written to your Windows NT/2000 servers. So, executables such as Melissa and Visual Basic files such as "lovebug.vbs." never have a chance to propagate in your domains and cause serious damage. FileScreen 2000 lets you get a grip on it by choosing what file types to screen including:

Executable files--block dangerous viruses such as Melissa.
Visual Basic files--protect your data from LoveBug perils.
Application files--avoid software license infringement suits.
Sound files--keep your servers from becoming another jukebox.
Movie files--jokes, movies have no business on your network.
Graphic files--usually large in size and often of no value.

More info: http://www.sunbelt-software.com/product.cfm?id=422

****************************************************************

5. HINTS AND TIPS: PRACTICE SAFE EMAIL

* Have a Corporate Safe Email Policy AND enforce it.
* Use 'belt and suspenders'. Combine an AV-solution with a 'content checking gateway' and file screening tools.
* Instruct users with:
  - Be careful with emails if you don’t know the sender.
  - Even if you DO know the sender, never execute files if you’re not aware of the content. Ask your system/network administrator before running the file.
* Help avoid mail spamming.
* Though your anti-virus might not have been able to prevent this one, update your virus data patterns anyway.

****************************************************************

6. THE NT/2000 STOCK WATCH - Friday May 5, 2000

Data Return is Rocketing up again! Novell loses almost half :-(

                                      52 WK      52 WK     P/E    WEEK
SECURITY                   CLOSE      HIGH       LOW       RATIO  CHNG
---------------------------------------------------------------------
Advanced Micro Devices...  92 1/4     92 3/8     15 5/8    66     +5.4%
BMC Software.............  44 1/4     86 5/8     36        45     -5.4%
BindView Development Corp  8 7/16     45 3/4     7 1/2            +4.6%
Cisco Systems............  67 3/4     82         26               -2.2%
Citrix Systems Inc.......  43 3/8     122 5/16   20 1/4    66     -28.9%
Compaq Computer..........  27 3/16    34         18 1/4    73     -6.8%
Computer Associates......  53 1/16    79 7/16    40 15/16  42     -4.9%
Data Return Corporation..  29 1/4     94 1/4     13 3/4           +19.0%
Dell Computer............  49 7/8     59 3/4     31 3/8    82     -0.4%
Electronic Data Systems C  61 7/8     76 11/16   47 7/8    42     -10.0%
Gateway Inc..............  53 7/16    84         28 3/8    38     -3.3%
Hewlett Packard Co.......  136 3/4    156        67        43     +1.2%
Intel Corp...............  123 3/8    145 3/8    50 1/8    53     -2.6%
Intergraph Corp..........  6 9/16     10 1/4     3 3/16           -3.6%
International Business Ma  107 7/8    139 3/16   89 3/4    26     -3.2%
Legato Systems Inc.......  12 9/16    82 1/2     9 1/4     74     -2.8%
Micron Electronics Inc...  10 3/16    20 11/16   9         24     -4.6%
Microsoft Corp...........  71 1/8     119 15/16  60        42     +1.9%
Mission Critical Software  35 1/8     77 5/8     16               -2.4%
NCR Corp.................  36 3/16    52 5/8     26 11/16  11     -6.3%
NetIQ Corporation........  37 1/4     81 1/2     14 3/4           +1.3%
Network Associates Inc...  25 13/16   37 3/16    11 5/8           +1.4%
Novell Inc...............  11         44 9/16    9 3/4     18     -43.9%
Oracle Corp..............  76 13/16   90         11 1/4           -3.9%
Qualcomm Incorporated....  109 3/4    200        21 1/2           +1.2%
Seagate Technology.......  48 7/8     76         25 1/8    11     -3.6%
Silicon Graphics.........  7 3/16     18 7/8     6 1/2            0.0%
Sun Microsystems Inc.....  90 1/2     106 3/4    27        99     -1.5%
Sybase Inc...............  24 15/16   31         7 1/8     33     +23.5%
Symantec Corp............  60 1/2     81 5/8     17 3/4    23     -3.1%
Unisys Corp..............  24 7/16    49 11/16   19 1/2    15     +5.3%
Veritas Software Corp....  100 3/16   174        15 1/8           -6.5%
Dow Jones 30 Industrials.  10,577.86                              -1.4%

*******************************************************************

7. "HOW TO USE THE MAILING LIST"

Instructions on how to subscribe, sign off or change your email address

TO SUBSCRIBE TO THE LIST (Tell your friends!)
Click: http://lyris.sunbelt-software.com/scripts/lyris.pl?join=nt-list
and fill out the form, simple & easy: 1 minute work.
Or by email, send a blank message to the following address: [EMAIL PROTECTED]
_____________________________________________________
TO QUIT THE LIST
1) The Web Way: http://lyris.sunbelt-software.com/scripts/lyris.pl?
   choose the NT-List, use your email address that is at the bottom of each newsletter and leave the list via the web interface.
2) The Email Way: Simply follow the personalized instructions at the very end of this newsletter.
_____________________________________________________
TO CHANGE YOUR ADDRESS
First unsubscribe and then resubscribe as per the procedure above.

********************************************************************

FOR MORE INFORMATION

On the World Wide Web point your browser to:
For the newsletter and our website: http://www.sunbelt-software.com
For Tech Support on Sunbelt products mentioned: http://www.sunbelt-software.com/scripts/rightnow.exe
Email for US sales information to: [EMAIL PROTECTED]
Email for US Tech support to: [EMAIL PROTECTED]
Email to the US Editor: [EMAIL PROTECTED]
Email for European Sales to: [EMAIL PROTECTED]
Email for European Tech support to: [EMAIL PROTECTED]

At the time of this newsletter's release, all links were checked to verify their accuracy and validity. However, due to the ever changing pages of various sites, some links may later prove to be invalid. We regret any inconvenience should you be unable to open any of these links.

********************************************************************

Things Our Lawyers Make Us Say:

This document is provided for informational purposes only. The information contained in this document represents the current view of Sunbelt Software Distribution on the issues discussed as of the date of publication. Because Sunbelt must respond to changes in market conditions, it should not be interpreted to be a commitment on the part of Sunbelt and Sunbelt cannot guarantee the accuracy of any information presented after the date of publication.

INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND FREEDOM FROM INFRINGEMENT.

The user assumes the entire risk as to the accuracy and the use of this document.
This document may be copied and distributed subject to the following conditions:
1) All text must be copied without modification and all pages must be included;
2) All copies must contain Sunbelt's copyright notice and any other notices provided therein; and
3) This document may not be distributed for profit.

All trademarks acknowledged.
Copyright Sunbelt Software Distribution, Inc. 1996-2000.

[archive@jab.org] This is a posting from the nt-list. To unsubscribe, send a blank email to [EMAIL PROTECTED]