My apologies. I was very excited yesterday to see what seemed like so many infections. Further research has led me to revise my "list." I searched for each service on the security response page from Norton Antivirus, and did not read the details thoroughly enough.
In our rush to correct me, I fear that we do overlook the seriousness of some of these infections. I should illuminate that this lab is for pre-teens. They will type anything just to download the coolest and best-branded web game, even private info. Keyloggers, IRC bots, password crackers are serious for users of this age. The list is revised below. I appreciate the thoughtful responses, and the Task List link you sent, Jeff, was fantastic.

It is my duty to alleviate some of the well-founded concerns expressed. I regret that in my haste I completely obfuscated just how sustainable, secure, and supported HOSEF's installations are. My zeal left a whiff of fanaticism that, I assure you, is not how we operate or have operated with any of our recipients. We are not bringers of FUD, and my zeal was restricted to the OSS community.

Jeff Mings wrote:
...
> Windoze OSes are frustratingly difficult to keep free of viri,
> especially if you run Outlook or Internet Exploder. However, when
> educating others about its problems, we have to be careful to remain
> objective.

Very true. What you can be certain of is that we are always objective. There is no way to discern this from my note, but the education here has been going on for several months. We have a 12-station thin client lab in the Weinberg Teen Center. Two managers have asked for and received stand-alones running Mandrake 9.2. One of the computers in the Windows lab was replaced with Mandrake 9.2 months ago. I do two workshops a week there, and I stop in almost daily. In one workshop I have the kids repairing, building, and testing the computers we in turn give to others. They are good. In the second workshop we mess with software. I try to trick them into using applications good for school. More importantly, I am teaching the most eager ones how to support common problems. At no point have I told them they are using OSS. They just know that it works.

One of the managers had no computer. She went to the Windows lab to access those machines. We gave her a printer and a PIII running Mandrake 9.2. I updated it and told her to come into the teen center for our classes if she needed to learn how to use it, or to ask me questions as I come and go. The next day her desktops were individually customized and full of the Microsoft Office document icons from her many floppies. She does not know what Linux is, she just knows that it works.

Tim Newsham wrote:
> the URL descriptions don't match these programs. They're standard
> windows services (registry, security subsystem, win32 subsystem,
> session manager).

Thanks. You are correct. My claim was premature. Two of the four you mentioned, though, could be hijacked and still require more examination to be certain. See their descriptions below.

> I agree that linux can be an effective desktop in school settings.
> I'm not sure I buy your argument though that virus infection is
> a good reason to run linux. From a pragmatic point of view it
> is true -- viruses tend to target win32, and running something
> other than win32 will reduce your exposure there. From a technical
> point of view though, there is no inherent technical advantage
> here.

Viruses alone are really just an annoyance. Keystroke loggers, IRC bots, and password crackers are. This is a pre-teen lab. I failed to mention this, but the whole idea of keeping private information to themselves is not intuitive or even convenient. I do disagree about the technical advantage; I definitely believe that OSS is technically superior. There is just always that pesky human involved.

> Linux systems do have flaws as well, and they may well be
> exploited to your detriment, although most likely not by
> a virus or worm. If the system is operated properly, most
> users will be using low-privilege accounts and the entire
> system won't be at risk. The same holds true for win32. If
> they run windows xp, 2000 or 2k3 and disallow the average
> user from logging in as the administrator, the system will
> be much less vulnerable and more manageable.

Most true and very well worth pointing out. Yes, the architecture of OSS like Linux, if properly operated, is inherently more safe, and of course the same security is easily achievable by responsible MGMT of one's Windows computer. Problem is, unprivileged accounts are not the default choice in Windows, and since most people expect to be able to download and install their stuff, the majority of labs I have seen give everyone this power.

--scott


The Revised and Better Researched List

Bad

FF.EXE
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.rirc.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RANDEX.AB
"Description: This malware is both a worm and a backdoor. It propagates into machines on the same network using a long list of user names and passwords. Its propagation routine allows it to copy itself into machines running Windows NT, 2000, and XP that have weak passwords. (Note: Weak passwords are often ordinary words or easily crackable, non-alphanumeric strings that do not use special and mixed case characters. Passwords with fewer than eight characters are also considered weak.) It acts as a backdoor and listens for commands from remote users. It joins an Internet Relay Chat server via port 6667 to receive these commands and allow remote users virtual control over infected systems. This malware runs on Windows 95, 98, ME, NT, 2000, and XP. However, it can only propagate into machines running Windows NT, 2000, and XP"

msbb.exe
http://securityresponse.symantec.com/avcenter/venc/data/adware.ncase.html
http://www.liutilities.com/products/wintaskspro/processlibrary/msbb/
"There is nothing good we can say about MSBB. Internet browsers slowing down to a crawl is the most common complaint, but we have also seen random "MSBB has encountered an error and will close", or MSBB trying to start the dial-up connection for those connecting to the Internet via modem, not to mention the extremely irritating random pop-up ads"

WSup.exe
http://securityresponse.symantec.com/avcenter/venc/data/adware.huntbar.html
"Adware.Huntbar installs itself as a Browser Helper Object and redirects search requests. Adware.Huntbar also gathers information on Web-browsing habits."

WToolsA.exe
http://securityresponse.symantec.com/avcenter/venc/data/adware.huntbar.html
"Adware.Huntbar installs itself as a Browser Helper Object and redirects search requests. Adware.Huntbar also gathers information on Web-browsing habits."

wupdater.exe
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.polybot.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SDBOT.CJ
From Trend Micro:
"This destructive backdoor removes shared files in shared folders. It opens random ports and connects to a specific IRC server, where it listens for commands from a remote user that it can process on the machine. It enables the remote user to carry out the following malicious tasks:
* Join a specified IRC chat room
* Send messages to a specified IRC chat room
* Log keystrokes
* Open/close CD tray
* Enable FTP download/upload
* Execute files
* Perform DoS (denial of service) attack (through ping or SYN floods)
This memory-resident malware runs on Windows NT, 2000 and XP."

CMESys.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/cmesys/
"Gator GAIN, adware that is installed by certain free software and is advertising spyware that runs in the background and displays advertisements. The identified process is a security risk and can compromise your personal privacy"

Not Inherently Bad, But Some Questions and Need for Research Remain

ctfmon
http://answersthatwork.com/Tasklist_pages/tasklist_c.htm
"CTFMon comes with Microsoft Office XP and Windows XP – it activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. As long as the Text Services & Speech are enabled in the Control Panel, this program will force itself back into your list of background programs."

lsass.exe
http://answersthatwork.com/Tasklist_pages/tasklist_l.htm
"If the full path to this program as shown in The Ultimate Troubleshooter is not C:\WinNT\System32\LSASS.exe (Windows 2000) or C:\Windows\System32\LSASS.exe (Windows XP, 2003), then you have the W32.Nimos.Worm virus or some other virus."

smss.exe
http://answersthatwork.com/Tasklist_pages/tasklist_s.htm
"Windows NT4/2000/XP/2003 only. SMSS is the Session Manager SubSystem. SMSS's purpose is to start, manage, and delete user sessions (or client sessions under Terminal Server). Under Terminal Server the management part includes dealing with the different subsystems (OS/2, Win32, POSIX) which a client session may wish to run"

csrss.exe
http://answersthatwork.com/Tasklist_pages/tasklist_c.htm
"An integral part of the operating system, leave alone. You have the Trojan.Gutta or [EMAIL PROTECTED] virus if you have Windows 95/98/ME or if the full path to this program is either C:\Windows\csrss.exe or C:\WinNT\csrss.exe."

regsvc.exe
http://answersthatwork.com/Tasklist_pages/tasklist_r.htm
"While it is not always required, the Remote Registry Service will eventually be used at some stage in the life of most Windows 2000 Servers/Advanced Servers. This process should therefore be left alone."

mspmspsv.exe
http://answersthatwork.com/Tasklist_pages/tasklist_m.htm
"Microsoft's WMDM PMSP Service, aka Windows Media Device Manager Pre-Message Security Protocol Service. From our tests this service only appears in the Task List if you have done a Windows Update and updated Windows Media Player with the 26-Jun-2002 Security Update Q320920. This service enables Windows Media Player to support the SDMI protocol (Secure Digital Music Initiative) when copying CDs or packaging copyrighted downloaded music to SDMI compliant music players and storage devices."

VPTray.exe
http://answersthatwork.com/Tasklist_pages/tasklist_v.htm
"Unlike with other Norton AntiVirus products, there are significant problems with the VPTRAY process which comes with the Corporate Edition, from the inability of Windows to start due to timing problems associated with VPTRAY, 100% CPU usage by VPTRAY, and other problems. Since you can access all Norton AntiVirus features through "Start \ Programs", if you experience Windows start-up problems, performance problems, or crashes which you have difficulty tracking, then disable VPTRAY with The Ultimate Troubleshooter."

WKufind.exe
http://answersthatwork.com/Tasklist_pages/tasklist_w.htm
"Microsoft Works 2002 PictureIt! update detector. Another auto-update feature that you should turn off! If you are not convinced, then this from a Microsoft document should convince you: "You may notice that when this feature runs your computer may freeze or the program may try to update itself.... You may also notice that the computer will try to dial your Internet Service Provider, connect to the Internet, and download any updates."
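The descriptions quoted for lsass.exe, smss.exe and csrss.exe reduce to one triage heuristic: the genuine system process loads from %SystemRoot%\System32 (C:\WinNT on Windows 2000, C:\Windows on XP/2003), and a same-named process loading from anywhere else, or present at all on Windows 95/98/ME, is a lookalike. The following is an added example in Python, not code from this thread or from HOSEF, that applies that heuristic together with the names the revised list classes as bad to a dump of (process name, image path) pairs such as a task-list tool would give. The sample entries, including the C:\Program Files\WinTools path, are constructed for the example.

```python
from pathlib import PureWindowsPath

# Process names the revised list above classes as outright malware or adware.
KNOWN_BAD = {"ff.exe", "msbb.exe", "wsup.exe", "wtoolsa.exe",
             "wupdater.exe", "cmesys.exe"}

# Genuine Windows NT-family system processes from the "needs research" list.
# The quoted descriptions say the real ones run from %SystemRoot%\System32;
# a copy anywhere else (e.g. C:\Windows\csrss.exe) is a lookalike.
SYSTEM32_ONLY = {"lsass.exe", "smss.exe", "csrss.exe",
                 "ctfmon.exe", "regsvc.exe", "mspmspsv.exe"}

# These do not exist on Windows 95/98/ME, so any instance there is a
# lookalike regardless of path.
NT_ONLY = {"lsass.exe", "smss.exe", "csrss.exe"}

# System roots named in the thread (Windows 2000 vs. XP/2003).
SYSTEM_ROOTS = (r"C:\WinNT", r"C:\Windows")


def expected_dirs(system_roots=SYSTEM_ROOTS):
    """Lower-cased System32 directories that legitimate system processes load from."""
    return {str(PureWindowsPath(root, "System32")).lower() for root in system_roots}


def classify(name, image_path, nt_family=True, system_roots=SYSTEM_ROOTS):
    """Return 'known-bad', 'masquerade', 'expected' or 'unlisted' for one entry.

    name       -- process name as shown in the task list (case-insensitive)
    image_path -- full path of the running image
    nt_family  -- False for Windows 95/98/ME, where NT_ONLY names cannot be genuine
    """
    key = name.lower()
    if key in KNOWN_BAD:
        return "known-bad"
    if key in SYSTEM32_ONLY:
        if not nt_family and key in NT_ONLY:
            return "masquerade"
        # PureWindowsPath normalises slashes, so forward-slash input works too.
        parent = str(PureWindowsPath(image_path).parent).lower()
        return "expected" if parent in expected_dirs(system_roots) else "masquerade"
    return "unlisted"


def triage(tasklist, nt_family=True):
    """Return only the entries that warrant a closer look, as (name, path, verdict)."""
    findings = []
    for name, image_path in tasklist:
        verdict = classify(name, image_path, nt_family)
        if verdict in ("known-bad", "masquerade"):
            findings.append((name, image_path, verdict))
    return findings


# Constructed sample task list; the WinTools path is made up for the example.
SAMPLE_TASKLIST = [
    ("lsass.exe", r"C:\Windows\System32\lsass.exe"),
    ("csrss.exe", r"C:\Windows\csrss.exe"),
    ("smss.exe", r"C:\WinNT\System32\smss.exe"),
    ("WToolsA.exe", r"C:\Program Files\WinTools\WToolsA.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for name, path, verdict in triage(SAMPLE_TASKLIST):
        print(f"{verdict:10} {name:14} {path}")
```

The path check only confirms where the image loaded from; as the thread itself notes, a process in the right place can still have been hijacked, so a "masquerade" or "known-bad" verdict is a reason to pull the machine for a closer look, and an "expected" verdict is not a clean bill of health on its own.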
