A Windows 98 & ME forum. Win98banter


Here's a perfect example of win-98 vulnerability DISinformation



 
 
  #1  
Old December 30th 09, 02:05 AM posted to microsoft.public.win98.gen_discussion
98 Guy

Have a look at this site:

http://www.lbl.gov/cyber/vulnerabili...chive_h-l.html

Scroll down to the "Korgo Worm".

Read this:

-------------------
The Korgo worm (also known as Worm.Win32.Padobot.b or Exploit-Lsass.gen)
infects Windows systems such as Windows 98, NT, 2000 and XP. It exploits
a buffer overflow vulnerability in Windows Local Security Authority
System Services (lsass.exe), as described in Microsoft Security Bulletin
04-011. Various mutants of the Korgo worm have been identified.
-------------------

Ok, so an authoritative source is stating that the Korgo worm affects
win-98 (even though win-98 does not run the lsass service).

So let's look at MS bulletin 04-011:

http://www.microsoft.com/technet/sec.../MS04-011.mspx

The date is April - August 2004. Win-98 is still fully supported by
Micro$haft at that time.

Note the list of Affected Software - particularly the last entry:

---------------------
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME) – Review the FAQ section of
this bulletin for details about these operating systems.
---------------------

Now why come out and make that cryptic statement? Why not come right
out in the open and just say if 98/me is affected? Is this Microsoft's
attempt to give the casual reader the impression that this bulletin
applies to 98/me, so by extension win-98/me is vulnerable to the Korgo
worm? Let's expand and read the FAQ section:

--------------------
How does the extended support for Windows 98, Windows 98 Second Edition,
and Windows Millennium Edition affect the release of security updates
for these operating systems?

Microsoft will only release security updates for critical security
issues. Non-critical security issues are not offered during this support
period.
---------------------

Now what exactly does that statement mean? Do you notice that
Microsoft's first mention of 98/me in this FAQ section does not address
the most obvious question - which is - is 98/me vulnerable to this
exploit?

Why Microsoft decided to answer a question that was probably never
contemplated by anyone reading this bulletin is beyond strange.
Microsoft is trying REAL HARD to evade the real question. The Q and A
they give above is designed to cloud the support status of Win-98.
Hopefully the reader will stop reading at this point and believe that
maybe win-98 is vulnerable, and that Microsoft won't provide a fix
because it's not critical. Let's keep reading:

---------------------
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
critically affected by any of the vulnerabilities that are addressed in
this security bulletin?

No. None of these vulnerabilities are critical in severity on Windows
98, on Windows 98 Second Edition, or on Windows Millennium Edition.
---------------------

Now why is Microsoft making a distinction between a critical and
non-critical vulnerability with regard to 9x/me, while they do not add
these classifiers to the affected OS's (NT, 2K, XP, 2K3) ???

Do we know if the affected OS's are critically or non-critically
vulnerable to MS04-011?

Macro$haft says that 98/me is "not critically affected" by MS04-011. Is
the reader supposed to assume that 98/me is vulnerable to MS04-011 - but
not critically vulnerable? Or perhaps not vulnerable in any way?

Is Microsoft trying to downplay win-98's invulnerability to these many
exploits that are targeting NT-based OS's? Does it embarrass Micro$tink
that the OS they desperately want to kill off is faring better against
the big bad internet than their flagship, hot-**** NT OS's?

It's no wonder that third-party technical writers (and even the US
gov't) were bamboozled by Microsoft's security bulletins and the spin
they tried to put on the vulnerability of win-98/me to new and emerging
exploits.
  #2  
Old December 30th 09, 09:10 AM posted to microsoft.public.win98.gen_discussion
MEB[_17_]


On 12/29/2009 09:05 PM, 98 Guy wrote:
> Korgo Worm


What happened, didn't you read ALL the information and materials or did
you just forget how worms work and variants... and there IS the wmf and
ICS, and a couple others that do come into play in 9X, depending upon
what applications {like NetMeeting and IIS} and activities are occurring...

http://www.avira.com/en/threats/sect...rgo.f.var.html


http://www.avira.com/en/threats/sect...m_korgo.u.html


http://www.symantec.com/security_res...011215-5924-99


http://www.iss.net/security_center/r...o-backdoor.htm


http://www.auscert.org.au/render.html?it=44&offset=665


The Microsoft Windows Malicious Software Removal Tool helps remove
specific, prevalent malicious software from computers that are running
Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008,
Windows XP, or Windows 2000
http://support.microsoft.com/kb/890830


Cyber Security Bulletin SB04-203
http://www.us-cert.gov/cas/bulletins/SB04-203.html


http://en.wikipedia.org/wiki/Local_S...system_Service


http://www.dslreports.com/forum/remark,10952235
Also Known As: W32/Korgo.worm.gen [McAfee]
Type: Worm
Infection Length: 11,776 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX,
Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT

AND SINCE YOU BROUGHT IT UP [really, I understand, it is a long
document/article, updated several times, so you didn't check for dates
and actually read it did you]:

http://www.microsoft.com/technet/sec.../MS04-011.mspx

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
critically affected by any of the vulnerabilities that are addressed in
this security bulletin?
No. None of these vulnerabilities are critical in severity on Windows
98, on Windows 98 Second Edition, or on Windows Millennium Edition.

{MEB - seems *No* would be a pretty definitive statement, but we MUST
actually read what CAN affect 9X and WHY so we know for sure}

Vulnerability Details

LSASS Vulnerability - CAN-2003-0533:
A buffer overrun vulnerability exists in LSASS that could allow remote
code execution on an affected system. An attacker who successfully
exploited this vulnerability could take complete control of the affected
system.

Mitigating Factors for LSASS Vulnerability - CAN-2003-0533:

Only Windows 2000 and Windows XP can be remotely attacked by an
anonymous user. While Windows Server 2003 and Windows XP 64-Bit Edition
Version 2003 contain the vulnerability, only a local administrator could
exploit it.

Windows NT 4.0 is not affected by this vulnerability.

Firewall best practices and standard default firewall configurations can
help protect networks from attacks that originate outside the enterprise
perimeter. Best practices recommend that systems that are connected to
the Internet have a minimal number of ports exposed.
....
Block the following at the firewall:

UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593

All unsolicited inbound traffic on ports greater than 1024

Any other specifically configured RPC port

These ports are used to initiate a connection with RPC. Blocking them at
the firewall will help prevent systems that are behind that firewall
from attempts to exploit this vulnerability. Also, make sure that you
block any other specifically configured RPC port on the remote system.
Microsoft recommends that you block all unsolicited inbound
communication from the Internet to help prevent attacks that may use
other ports. For more information about the ports that RPC uses, visit
the following Web site.

Enable advanced TCP/IP filtering on systems that support this feature.

You can enable advanced TCP/IP filtering to block all unsolicited
inbound traffic. For more information about how to configure TCP/IP
filtering, see Microsoft Knowledge Base Article 309798.

Block the affected ports by using IPSec on the affected systems.

Use Internet Protocol Security (IPSec) to help protect network
communications. Detailed information about IPSec and how to apply
filters is available in Microsoft Knowledge Base Articles 313190 and 813878.
....
What systems are primarily at risk from the vulnerability?
Windows 2000 and Windows XP are primarily at risk from this vulnerability.

Windows Server 2003 and Windows XP 64-Bit Edition Version 2003 provide
additional protection that would require an administrator to log on
locally to an affected system to exploit this vulnerability.
....
LDAP Vulnerability - CAN-2003-0663:

This vulnerability only affects Windows 2000 Server domain controllers;
Windows Server 2003 domain controllers are not affected.

Windows NT 4.0 and Windows XP are not affected by this vulnerability.
....
Block LDAP TCP ports 389, 636, 3268, and 3269 at your firewall.
....
PCT Vulnerability - CAN-2003-0719:

Only systems that have enabled SSL are affected, typically only server
systems. SSL support is not enabled by default on any of the affected
systems. However, SSL is generally used on Web servers to support
electronic commerce programs, online banking, and other programs that
require secure communications.

Windows Server 2003 is only vulnerable to this issue if an administrator
has manually enabled PCT (even if SSL has been enabled)
....
FAQ for PCT Vulnerability - CAN-2003-0719:

What’s the scope of the vulnerability?
....
All programs that use SSL could be affected. Although SSL is generally
associated with Internet Information Services by using HTTPS and port
443, any service that implements SSL on an affected platform is likely
to be vulnerable.
....
What causes the vulnerability?

The process used by the SSL Library to check message inputs.
....
Winlogon Vulnerability - CAN-2003-0806:

Only Windows NT 4.0, Windows 2000, and Windows XP systems that are
members of a domain are affected by this vulnerability. Windows Server
2003 is not affected by this vulnerability.
....
What systems are primarily at risk from the vulnerability?

Only Windows NT 4.0, Windows 2000, and Windows XP systems that are
members of a domain are affected by this vulnerability.
....
Metafile Vulnerability - CAN-2003-0906:

A buffer overrun vulnerability exists in the rendering of Windows
Metafile (WMF) and Enhanced Metafile (EMF) image formats that could
allow remote code execution on an affected system. Any program that
renders WMF or EMF images on the affected systems could be vulnerable to
this attack. An attacker who successfully exploited this vulnerability
could take complete control of an affected system.
....
Mitigating Factors for Metafile Vulnerability - CAN-2003-0906:


The vulnerability could only be exploited by an attacker who persuaded a
user to open a specially crafted file or to view a directory that
contains the specially crafted image. There is no way for an attacker to
force a user to open a malicious file.


In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.
....
Workarounds for Metafile Vulnerability - CAN-2003-0906:

Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is
identified below.


Read e-mail messages in plain text format if you are using Outlook 2002
or later, or Outlook Express 6 SP1 or later, to help protect yourself
from the HTML e-mail attack vector.

Microsoft Outlook 2002 users who have applied Office XP Service Pack 1
or later and Microsoft Outlook Express 6 users who have applied Internet
Explorer 6 Service Pack 1 can enable this setting and view all
non-digitally signed e-mail messages or non-encrypted e-mail messages in
plain text only.
....
What systems are primarily at risk from the vulnerability?

The vulnerability could only be exploited on the affected systems by an
attacker who persuaded a user to open a specially crafted file or view a
directory that contains the specially crafted image. There is no way for
an attacker to force a user to open a malicious file.

In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.
....
Help and Support Center Vulnerability - CAN-2003-0907:

A remote code execution vulnerability exists in the Help and Support
Center because of the way that it handles HCP URL validation. An
attacker could exploit the vulnerability by constructing a malicious HCP
URL that could potentially allow remote code execution if a user visited
a malicious Web site or viewed a malicious e-mail message. An attacker
who successfully exploited this vulnerability could take complete
control of an affected system.

Mitigating Factors for Help and Support Center Vulnerability -
CAN-2003-0907:


In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.


By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 98
and Outlook 2000 open HTML e-mail messages in the Restricted sites zone
if the Outlook E-mail Security Update has been installed. The Restricted
sites zone helps reduce attacks that could attempt to exploit this
vulnerability.

The risk of attack from the HTML e-mail vector can be significantly
reduced if you meet all of the following conditions:

Apply the update that is included with Microsoft Security Bulletin
MS03-040 or a later Cumulative Security Update for Internet Explorer.

Use Internet Explorer 6 or later.

Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook
Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2 or
later in its default configuration.
....
Windows NT 4.0 and Windows 2000 are not affected by this vulnerability.
....
Utility Manager Vulnerability - CAN-2003-0908:

Windows NT 4.0, Windows XP, and Windows Server 2003 are not affected by
this vulnerability. Windows NT 4.0 does not implement the Utility Manager.
....
Windows Management Vulnerability - CAN-2003-0909

Windows NT 4.0, Windows 2000, and Windows Server 2003 are not affected
by this vulnerability.

What systems are primarily at risk from the vulnerability?

Only Windows XP is affected by this vulnerability.
....
Local Descriptor Table Vulnerability - CAN-2003-0910

Mitigating Factors for Local Descriptor Table Vulnerability - CAN-2003-0910:

An attacker must have valid logon credentials and be able to logon
locally to exploit this vulnerability. It could not be exploited remotely.

Windows XP and Windows Server 2003 are not affected by this vulnerability.
....

H.323 Vulnerability - CAN-2004-0117

Mitigating Factors for H.323 Vulnerability - CAN-2004-0117:

In the most common scenarios, NetMeeting (which uses H.323) must be
running to become vulnerable.

In the most common scenarios, systems that use Internet Connection
Firewall (ICF) and that do not run any H.323-based applications are not
vulnerable.

Windows NT 4.0 is not affected by this vulnerability unless the
stand-alone version of NetMeeting has been manually installed by an
administrator.
.....
Block ports TCP 1720 and TCP 1503 both inbound and outbound at the firewall.
....
What causes the vulnerability?

Unchecked buffers in Microsoft’s H.323 implementation.

What is H.323?

H.323 is an ITU standard that specifies how PCs, equipment, and services
for multimedia communicate over networks that do not provide a
guaranteed level of service, such as the Internet. H.323 terminals and
equipment can carry real-time video, voice, data, or any combination of
these elements. Products that use H.323 for audio and video let users
connect and communicate with other people over the Internet, just as
people using different makes and models of telephones can communicate
using the telephone.

What affected applications use the H.323 protocol?

The H.323 protocol is implemented in a number of Microsoft applications
and operating system components. This issue may affect systems that have
one or more of the following services or applications running:

Telephony Application Programming Interface (TAPI)-based applications

NetMeeting

Internet Connection Firewall (ICF)

Internet Connection Sharing

The Microsoft Routing and Remote Access service
....
What is TAPI?

Windows Telephony Applications Programming Interface (TAPI) is a part of
the Windows Open System Architecture. By using TAPI, developers can
create telephony applications. TAPI is an open industry standard,
defined with significant and ongoing input from the worldwide telephony
and computing community. Because TAPI is hardware-independent,
compatible applications can run on a variety of PC and telephony
hardware and can support a variety of network services. TAPI implements
the H.323 protocol. Applications that use TAPI could be vulnerable to
the issue that is described in this bulletin.
....
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
critically affected by this vulnerability?

No. Although these operating systems may contain NetMeeting, the
vulnerability is not critical on these operating systems. As a method of
addressing this vulnerability, you can download and install the
stand-alone version of NetMeeting for these operating systems from the
following Web site. For more information about severity ratings, visit
the following Web site.
....
What is Internet Connection Sharing?

By using Internet Connection Sharing users can connect one system to the
Internet and share Internet service with several other systems on a home
or small office network. The Network Setup Wizard in Windows XP
automatically provides all the network settings that are necessary to
share one Internet connection with all the systems in a network. Each
system can use programs such as Internet Explorer and Outlook Express as
if the system were directly connected to the Internet.

Internet Connection Sharing is a feature of Windows 2000, Windows XP,
and Windows Server 2003 but is not enabled by default on any of the
affected systems.

If I have enabled Internet Connection Sharing, but I have not enabled
Internet Connection Firewall, am I vulnerable?

Yes, Internet Connection Sharing enables the ports that could allow a
system to become vulnerable to this issue.

If ICF and Internet Connection Sharing are running, this attack could
not occur unless the user was also using NetMeeting, or had manually
opened port 1503 or port 1720.
....
What systems are primarily at risk from the vulnerability?

Systems that are running NetMeeting or that are running an H.323-based
program.
....

Virtual DOS Machine Vulnerability - CAN-2004-0118:

Windows XP and Windows Server 2003 are not affected by this vulnerability.
....
What is the Virtual DOS Machine subsystem?

A Virtual DOS Machine (VDM) is an environment that emulates MS-DOS and
DOS-based Windows in Windows NT-based operating systems. A VDM is
created whenever a user starts an MS-DOS application on a Windows
NT-based operating system.
....

Negotiate SSP Vulnerability - CAN-2004-0119

The Negotiate SSP interface is also enabled by default in Internet
Information Services (IIS). However, only Windows 2000 (IIS 5.0) and
Windows Server 2003 Web Server Edition (IIS 6.0) install Internet
Information Services (IIS) by default.

Windows NT 4.0 is not affected by this vulnerability.
....
Impact of Workaround: Any IIS-based applications that require Windows NT
Challenge/Response authentication (NTLM) or Kerberos authentication will
no longer function correctly.
....
What systems are primarily at risk from the vulnerability?

All affected systems could be vulnerable to this issue by default.
Furthermore, by default, systems that are running Internet Information
Services 5.0, Internet Information Services 5.1, and Internet
Information Services 6.0 are also vulnerable to this issue through any
listening port.
....

SSL Vulnerability - CAN-2004-0120:

Mitigating Factors for SSL Vulnerability - CAN-2004-0120:


Only systems that have enabled SSL are affected, typically only server
systems. SSL support is not enabled by default on any of the affected
systems. However, SSL is generally used on Web servers to support
electronic commerce programs, online banking, and other programs that
require secure communications.

Firewall best practices and standard default firewall configurations can
help protect networks from attacks that originate outside the enterprise
perimeter. Best practices recommend that systems that are connected to
the Internet have a minimal number of ports exposed.

Windows NT 4.0 is not affected by this vulnerability.
....
Block ports 443 and 636 at the firewall

Port 443 is used to receive SSL traffic. Port 636 is used for LDAP SSL
connections (LDAPS). Blocking them at the firewall will help prevent
systems that are behind that firewall from attempts to exploit this
vulnerability. Other ports may be found that could be used to exploit
this vulnerability. However, the ports listed here are the most common
attack vectors. Microsoft recommends blocking all unsolicited inbound
communication from the Internet to help prevent attacks that may use
other ports.

Impact of Workaround: If ports 443 or 636 are blocked, the affected
systems can no longer accept external connections using SSL or LDAPS.
....
What is the Microsoft Secure Sockets Layer library?

The Microsoft Secure Sockets Layer library contains support for a number
of secure communication protocols. These include Transport Layer
Security 1.0 (TLS 1.0), Secure Sockets Layer 3.0 (SSL 3.0), the older
and seldom-used Secure Sockets Layer 2.0 (SSL 2.0), and Private
Communication Technology 1.0 (PCT 1.0) protocol.

These protocols provide an encrypted connection between a server and a
client system. SSL can help protect information when users connect
across public networks such as the Internet. SSL support requires an SSL
certificate, which must be installed on a server. For more information
about SSL, see Microsoft Knowledge Base Article 245152.
....
What systems are primarily at risk from the vulnerability?

All systems that have SSL enabled are vulnerable. Although SSL is
generally associated with Internet Information Services by using HTTPS
and port 443, any service that implements SSL on an affected platform is
likely to be vulnerable. This includes but is not limited to Internet
Information Services 4.0, Internet Information Services 5.0, Internet
Information Services 5.1, Exchange Server 5.5, Exchange Server 2000,
Exchange Server 2003, Analysis Services 2000 (included with SQL Server
2000), and any third-party programs that use SSL.
....

ASN.1 “Double Free” Vulnerability - CAN-2004-0123

What is ASN.1?

Abstract Syntax Notation 1 (ASN.1) is a language that is used to define
standards. It is used by many applications and devices in the technology
industry to allow data exchange across various platforms. ASN.1 has no
direct relationship to any specific standard, encoding method,
programming language, or hardware platform. For more information about
ASN.1, see Microsoft Knowledge Base Article 252648.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability to allow code
execution could take complete control of an affected system, including
installing programs; viewing, changing, or deleting data; or creating
new accounts that have full privileges.
....

What systems are primarily at risk from this vulnerability?

Server systems are at greater risk than client systems because they are
more likely to have a server process running that decodes ASN.1 data.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
critically affected by this vulnerability?

No. Although Windows Millennium Edition does contain the affected
component, the vulnerability is not critical. For more information on
severity ratings, visit the following Web site.
....

AND SINCE YOU ARE CONSTANTLY SUGGESTING WIN2K FILES BE INSTALLED IN WIN9X:

Date Time Version Size File name Folder
-----------------------------------------------------------------------
24-Mar-2004 02:17 5.0.2195.6876 388,368 Advapi32.dll
24-Mar-2004 02:17 5.0.2195.6824 42,256 Basesrv.dll
24-Mar-2004 02:17 5.0.2195.6866 69,904 Browser.dll
24-Mar-2004 02:17 5.0.2195.6901 394,512 Callcont.dll
21-Sep-2003 00:45 5.0.2195.6824 236,304 Cmd.exe
24-Mar-2004 02:17 5.131.2195.6824 543,504 Crypt32.dll
24-Mar-2004 02:17 5.131.2195.6824 61,200 Cryptnet.dll
24-Mar-2004 02:17 5.0.2195.6868 76,048 Cryptsvc.dll
24-Mar-2004 02:17 5.0.2195.6824 134,928 Dnsapi.dll
24-Mar-2004 02:17 5.0.2195.6876 92,432 Dnsrslvr.dll
24-Mar-2004 02:17 5.0.2195.6883 47,888 Eventlog.dll
24-Mar-2004 02:17 5.0.2195.6898 242,448 Gdi32.dll
24-Mar-2004 02:17 5.0.2195.6901 255,248 H323.tsp
24-Mar-2004 00:46 502 Hfsecper.inf
17-Mar-2004 21:50 502 Hfsecupd.inf
24-Mar-2004 02:17 5.0.2195.6902 442,640 Ipnathlp.dll
24-Mar-2004 02:17 5.0.2195.6890 143,632 Kdcsvc.dll
11-Mar-2004 02:37 5.0.2195.6903 210,192 Kerberos.dll
24-Mar-2004 02:17 5.0.2195.6897 742,160 Kernel32.dll
21-Sep-2003 00:32 5.0.2195.6824 71,888 Ksecdd.sys
11-Mar-2004 02:37 5.0.2195.6902 520,976 Lsasrv.dll
25-Feb-2004 23:59 5.0.2195.6902 33,552 Lsass.exe
24-Mar-2004 02:17 5.0.2195.6898 37,136 Mf3216.dll
10-Feb-2004 19:47 5.0.2195.6897 30,160 Mountmgr.sys
24-Mar-2004 02:17 5.0.2195.6824 54,544 Mpr.dll
24-Mar-2004 02:17 5.0.2195.6905 53,520 Msasn1.dll
24-Mar-2004 02:17 5.0.2195.6895 335,120 Msgina.dll
24-Mar-2004 02:17 5.0.2195.6901 249,616 Mst120.dll
11-Mar-2004 02:37 5.0.2195.6897 123,152 Msv1_0.dll
24-Mar-2004 02:17 5.0.2195.6897 312,592 Netapi32.dll
24-Mar-2004 02:17 5.0.2195.6891 371,472 Netlogon.dll
24-Mar-2004 02:17 5.0.2195.6901 62,224 Nmcom.dll
24-Mar-2004 02:17 5.0.2195.6899 497,936 Ntdll.dll
24-Mar-2004 02:17 5.0.2195.6896 1,028,880 Ntdsa.dll
25-Feb-2004 23:55 5.0.2195.6902 1,699,904 Ntkrnlmp.exe
25-Feb-2004 23:55 5.0.2195.6902 1,699,264 Ntkrnlpa.exe
25-Feb-2004 23:55 5.0.2195.6902 1,720,064 Ntkrpamp.exe
11-Mar-2004 02:37 5.0.2195.6902 1,726,032 Ntoskrnl.exe
24-Mar-2004 02:17 5.0.2195.6824 115,984 Psbase.dll
24-Mar-2004 02:17 5.0.2195.6892 90,264 Rdpwd.sys
24-Mar-2004 02:17 5.0.2195.6897 49,936 Samlib.dll
24-Mar-2004 02:17 5.0.2195.6897 388,368 Samsrv.dll
24-Mar-2004 02:17 5.0.2195.6893 111,376 Scecli.dll
24-Mar-2004 02:17 5.0.2195.6903 253,200 Scesrv.dll
11-Mar-2004 02:37 5.1.2195.6899 143,120 Schannel.dll
19-Jun-2003 20:05 5.0.2195.6707 17,168 Seclogon.dll
24-Mar-2004 02:17 5.0.2195.6894 971,536 Sfcfiles.dll
05-Feb-2004 20:18 5.0.2195.6896 5,869,056 Sp3res.dll
24-Mar-2004 02:17 1.0.0.4 27,920 Umandlg.dll
24-Mar-2004 02:17 5.0.2195.6897 403,216 User32.dll
05-Aug-2003 22:14 5.0.2195.6794 385,808 Userenv.dll
24-Mar-2004 02:17 5.0.2195.6824 50,960 W32time.dll
21-Sep-2003 00:32 5.0.2195.6824 57,104 W32tm.exe
11-Mar-2004 02:37 5.0.2195.6897 1,720,368 Win32k.sys
12-Dec-2003 21:38 5.1.2600.1327 311,296 Winhttp.dll
11-Mar-2004 02:37 5.0.2195.6898 181,520 Winlogon.exe
25-Sep-2003 18:08 5.0.2195.6826 243,984 Winsrv.dll
24-Mar-2004 02:17 5.131.2195.6824 167,184 Wintrust.dll
24-Mar-2004 02:17 5.0.2195.6897 742,160 Kernel32.dll Uniproc
24-Mar-2004 02:17 5.0.2195.6899 497,936 Ntdll.dll Uniproc
11-Mar-2004 02:37 5.0.2195.6897 1,720,368 Win32k.sys Uniproc
25-Sep-2003 18:08 5.0.2195.6826 243,984 Winsrv.dll Uniproc

{MEB - My guess is these would foobar Win9X, why don't you install them
all *98 Guy* and test them for us. Of course, several of these WERE
updated in Win9X during support specifically due to these and other
vulnerabilities.}

....
Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall Microsoft
Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.

Revisions:

V1.0 April 13, 2004: Bulletin published

V1.1 April 21, 2004: Bulletin updated to reflect updated information in
the Update Replacement Section. Bulletin has also been updated to
reflect the change in the MBSA detection behavior as described in the
updated FAQ section. The bulletin also contains revisions to the
workaround section for the Utility Manager Vulnerability (CAN-2003-0908).

V1.2 April 28, 2004: Updated Caveats section to reflect the availability
of a revised Microsoft Knowledge Base Article 835732. It documents the
currently known issues that customers may experience when installing
this security update. The article also documents recommended solutions
for these issues.

V1.3 May 4, 2004: Added new information in the Workarounds section for
the LSASS Vulnerability.

V2.0 June 15, 2004: Updated bulletin to advise on the availability of an
updated Windows NT 4.0 Workstation update for the Pan Chinese language.
This update should be installed by customers even if the original update
was installed.

V2.1 August 10, 2004: Updated bulletin to modify the workaround section
for the PCT Vulnerability when using Windows XP RTM.
....

Of course we should see if any others might apply:

http://www.microsoft.com/technet/sec.../MS04-044.mspx

Affected Software

Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update

Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 –
Download the update

Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service
Pack 4 – Download the update

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2 – Download the update

Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update

Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update

Microsoft Windows Server 2003 – Download the update

Microsoft Windows Server 2003 64-Bit Edition – Download the update

Non-Affected Software

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)



*MAYBE* you're thinking of the newer lsass.exe {Local Security
Authority System Services {lsass}}:
http://www.vupen.com/english/advisories/2009/3433
which specifically relies upon lsass.exe rather than the service it once
was, supplied via various files, like in 9X or applications therefore.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
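
Added example (not part of either poster's message and not Microsoft's code): a small audit that reads Windows-style `netstat -an` output and reports which non-loopback listeners fall on the ports the MS04-011 workarounds quoted in the post above say to block at the firewall. The sample output and addresses are constructed, and TCP is assumed for the SSL entry because the quoted text gives no protocol for ports 443 and 636.

```python
"""Map listening sockets to the port-blocking workarounds quoted from MS04-011."""
import re
from collections import defaultdict

# Port lists copied from the bulletin text quoted in the post above.
# Assumption: the SSL workaround ("ports 443 and 636") means TCP.
BULLETIN_PORTS = {
    "LSASS (CAN-2003-0533)": {
        ("UDP", 135), ("UDP", 137), ("UDP", 138), ("UDP", 445),
        ("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 593),
    },
    "LDAP (CAN-2003-0663)": {("TCP", p) for p in (389, 636, 3268, 3269)},
    "H.323 (CAN-2004-0117)": {("TCP", 1720), ("TCP", 1503)},
    "SSL (CAN-2004-0120)": {("TCP", 443), ("TCP", 636)},
}

# Proto, local address, foreign address, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def parse_listeners(netstat_text):
    """Return {(proto, port, local_addr)} for sockets that accept inbound traffic."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, _foreign, state = m.groups()
        proto = proto.upper()
        # Established or closing TCP connections are not listeners.
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        # rpartition keeps bracketed IPv6 literals such as [::]:445 intact.
        addr, _, port = local.rpartition(":")
        if port.isdigit():
            listeners.add((proto, int(port), addr))
    return listeners


def is_loopback(addr):
    """Loopback-bound sockets are not reachable from the network."""
    return addr.startswith("127.") or addr == "[::1]"


def audit(netstat_text):
    """Group exposed listeners under the bulletin section whose workaround names them."""
    findings = defaultdict(list)
    for proto, port, addr in sorted(parse_listeners(netstat_text)):
        if is_loopback(addr):
            continue
        for vuln, ports in BULLETIN_PORTS.items():
            if (proto, port) in ports:
                findings[vuln].append(f"{proto}/{port} on {addr}")
    return dict(findings)


# Constructed sample output; addresses and ports are illustrative only.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1720         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1503      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      10.0.0.5:445           ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:500       *:*
"""

if __name__ == "__main__":
    for vuln, hits in audit(SAMPLE_NETSTAT).items():
        print(vuln)
        for hit in hits:
            print("  " + hit)
```

The bulletin's other two LSASS items (unsolicited inbound traffic above port 1024 and site-specific RPC ports) depend on local configuration and are not covered by this fixed list.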
  #3  
Old December 31st 09, 10:45 PM posted to microsoft.public.win98.gen_discussion
98 Guy

MEB wrote:

>> Korgo Worm

> What happened, didn't you read ALL the information and materials


Go back and read my post you moron.

Read it completely.

Then try to understand the point I was making.
  #4  
Old January 1st 10, 07:30 AM posted to microsoft.public.win98.gen_discussion
MEB[_17_]


On 12/31/2009 05:45 PM, 98 Guy wrote:
> MEB wrote:
>
>>> Korgo Worm
>
>> What happened, didn't you read ALL the information and materials
>
> Go back and read my post you moron.
>
> Read it completely.
>
> Then try to understand the point I was making.


Hey stupid, go back through the archives and look for the originals and
compare the dates and original presentations. THINK [and I realize that
is impossible for you, but try] about what the documents and extra links
show, HOW worms work, and the other that applies; THEN try to see why
your comments show your lack of intelligence...

To make it plain to you: you have no point as usual.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
 



