Quick tip: Install Exchange 2010 SP3 Update Rollup 1 (KB2803727)

Double-Clicking the .msp file doesn’t work, whatever you do…

To install the Exchange update, execute this from elevated command prompt:

msiexec /update Exchange2010-KB2803727-x64-en.msp
Posted in Exchange, Windows Server

Virus Alarm!

Today I have a nice one… OK, maybe not THAT nice, as you can expect from the title.

This morning I noticed that folders on network shares looked different than they should. After connecting to the file server it was clear almost instantly. A virus…

For normal users (with default File Explorer settings) it looked almost as usual. But after I configured it to show hidden and operating system files, I saw that all folders were hidden and, in place of each folder, a shortcut to the original folder had been created.
(Unfortunately I don’t have a screenshot of it at home; I should have one in the office, which I will add tomorrow.)

Looking at the properties of a shortcut, I saw this command executed when someone double-clicks it:

%WINDIR%\system32\cmd.exe /c "start %CD%snkb0ptz\snkb0ptz.exe && %WINDIR%\explorer.exe %CD%Data"

What is it doing? Before it shows the user the directory he thinks he has opened, it executes the “snkb0ptz.exe” executable. It is not 100% clear what that does. It looks like it copies the file to the user’s “Application Data” directory (f.ex. C:\Documents and Settings\<User>\Application Data\) under a random file name like “Wjiblccqrkluktrq.exe”.

In addition to that, it adds two registry entries:
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
– HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

The first looks like it is there to restart the exe again after a login. The second, I think, is not directly relevant and an internal Windows thing.

That’s what I know so far. Whether it starts a key logger or connects to an external server is not clear yet. Waiting for a response from our antivirus vendor.

Neither Sophos nor Avira was able to detect it. A sample was sent to Sophos labs this morning, and this afternoon I received the message that they have created a new pattern to detect it. It’s called “W32/Dorkbot-ER”:

[Screenshot from 2013-04-02, 20:42: Sophos detection result]

Update (2013-04-03 08:15)

Sophos added some information about the virus: http://bit.ly/XWOimy

  1. An autorun.inf on the root is also created and should be removed.
  2. They list the DNS requests it makes. Unfortunately there is no info about what is sent to these addresses.

Update (2013-04-03 11:15)

Just noticed that the hidden folders also have the “Read-only (Only applies to files in folder)” flag set. Simply add “-r” to the attrib command to remove it too.

Clean it up manually

Looks like it is possible to clean it up manually. A bit of work, but it works:

  1. Make sure all processes named like “Wjiblccqrkluktrq.exe” are stopped
  2. Look through all “Application Data” directories of users and search for these exe files (note the exact names!)
  3. Search through the registry and delete all references to this exe
  4. Delete all shortcuts on the drives, the “autorun.inf” and the “snkb0ptz” folder
    Depending on what shares you have, you may have these shortcuts and snkb0ptz in multiple places. You can use Windows search to find them all
  5. To make the original folders visible again, you have to execute this command for each directory, which removes the hidden flag:
    attrib -s -h -r <FolderName>
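The cleanup steps above, as an added PowerShell example (not from the original post): it reports the share-side artefacts and, only with -Remediate, removes them. It assumes that each malicious shortcut carries the name of the hidden original folder next to it (as in the “Data” case above) and that the snkb0ptz folder and autorun.inf sit at the share root; the Run-key check covers only the current user.

```powershell
# Added example, not from the post. Assumptions: shortcut base name == hidden
# folder name; dropper folder and autorun.inf live at the share root.
param(
    [Parameter(Mandatory = $true)][string]$Root,
    [switch]$Remediate   # without this switch nothing is changed, only reported
)

$shell = New-Object -ComObject WScript.Shell
$script:found = 0

# 1. Shortcuts whose target or arguments launch the snkb0ptz dropper (step 4)
Get-ChildItem -Path $Root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if (($lnk.TargetPath + ' ' + $lnk.Arguments) -match 'snkb0ptz') {
            $script:found++
            Write-Output "malicious shortcut: $($_.FullName)"
            # The hidden original folder has the same base name as the shortcut
            $orig = Join-Path $_.DirectoryName $_.BaseName
            if (Test-Path -LiteralPath $orig -PathType Container) {
                Write-Output "hidden folder:      $orig"
                # attrib -s -h -r, exactly as in step 5 of the post
                if ($Remediate) { attrib -s -h -r "$orig" }
            }
            if ($Remediate) { Remove-Item -LiteralPath $_.FullName -Force }
        }
    }

# 2. autorun.inf and the snkb0ptz folder at the share root (step 4)
foreach ($name in 'autorun.inf', 'snkb0ptz') {
    $p = Join-Path $Root $name
    if (Test-Path -LiteralPath $p) {
        $script:found++
        Write-Output "dropper artefact:   $p"
        if ($Remediate) { Remove-Item -LiteralPath $p -Recurse -Force }
    }
}

# 3. Persistence (step 3): Run-key values of the current user pointing into "Application Data"
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Value -is [string] -and $prop.Value -match 'Application Data') {
        Write-Output "suspicious Run entry: $($prop.Name) = $($prop.Value)"
    }
}

Write-Output ("{0} share artefact(s) found under {1}" -f $script:found, $Root)
```

Run it once without -Remediate and review the list before running it again with the switch, since it deletes by pattern.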
Posted in Security, Viruses

Quick tip: Limiting RPC dynamic port range

One annoying thing with RPC is that it is configured to use over 16,000 ports by default (on 2008 Server). That’s absolutely not needed in most cases. I normally limit the range to 1000 ports, which is more than enough and makes firewall administrators a bit happier… a bit…

To change the port range to f.ex. 43000-43999 you have to enter these four commands:

netsh int ipv4 set dynamicport tcp start=43000 num=1000
netsh int ipv4 set dynamicport udp start=43000 num=1000
netsh int ipv6 set dynamicport tcp start=43000 num=1000
netsh int ipv6 set dynamicport udp start=43000 num=1000

Now, reboot your server.

To show the current settings:

netsh int ipv4 show dynamicport tcp
netsh int ipv4 show dynamicport udp
netsh int ipv6 show dynamicport tcp
netsh int ipv6 show dynamicport udp

If you still have to use 2003 Server, you have to create some registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\ (Key)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\Ports ==> 43000-43999 (REG_MULTI_SZ)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\PortsInternetAvailable ==> Y (REG_SZ)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\UseInternetPorts ==> Y (REG_SZ)

And reboot the server.
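A check for after the reboot, as an added PowerShell example (not from the original post): it verifies that all four dynamic port ranges match the values configured above and, on a 2003 Server, prints the registry values from the post. It assumes English netsh output in the “Start Port : N” / “Number of Ports : N” form.

```powershell
# Added example, not from the post. Assumes English netsh output (2008 Server
# and later); the expected values default to the 43000-43999 range used above.
param([int]$ExpectedStart = 43000, [int]$ExpectedNum = 1000)

$allOk = $true
foreach ($family in 'ipv4', 'ipv6') {
    foreach ($proto in 'tcp', 'udp') {
        # Same "netsh int <family> show dynamicport <proto>" as in the post
        $out   = (netsh int $family show dynamicport $proto) -join "`n"
        $start = [regex]::Match($out, 'Start Port\s*:\s*(\d+)').Groups[1].Value
        $num   = [regex]::Match($out, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value
        # A failed match yields 0 here and is reported as a mismatch
        if ([int]$start -ne $ExpectedStart -or [int]$num -ne $ExpectedNum) {
            $allOk = $false
            Write-Output ("{0}/{1}: start={2} num={3}, expected start={4} num={5}" -f `
                $family, $proto, $start, $num, $ExpectedStart, $ExpectedNum)
        }
    }
}
if ($allOk) {
    Write-Output ("all four ranges are {0}-{1}" -f $ExpectedStart, ($ExpectedStart + $ExpectedNum - 1))
}

# On 2003 Server the range lives in the registry instead (keys from the post)
$key = 'HKLM:\Software\Microsoft\Rpc\Internet'
if (Test-Path $key) {
    $v = Get-ItemProperty -Path $key
    Write-Output ("Rpc\Internet: Ports={0} PortsInternetAvailable={1} UseInternetPorts={2}" -f `
        ($v.Ports -join ','), $v.PortsInternetAvailable, $v.UseInternetPorts)
}
```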

Posted in Firewalls, Security, Windows Server

Loopback Group Policy with Security Filtering

Loopback Group Policies are very nice because you can apply a specific user policy when users log on to specified computers (Remote Desktop servers in my case).

But there are two settings you should take care of, or it will not work:

1. Enable “User Group Policy loopback processing”

Create a new OU where you can put your remote desktop server(s), to which the special user policy should be applied. After you have moved the server(s) into this OU, create a new policy and link it to the new OU.

Edit the new policy and go to:
Computer Configuration >> Policies >> Administrative Templates >> System >> Group Policy

Now, enable “User Group Policy loopback processing mode” and choose “Merge” as the mode. If you want to completely replace the user’s policy, you can use “Replace”, but for most cases, merge should be fine.

2. Adjust Security Filtering

If you leave the default “Authenticated Users” for security filtering, you will run into the problem that the user policy is applied to Administrator users too. And that’s definitely not what we want to happen.

Because I have a group for all remote desktop users anyway, I replaced “Authenticated Users” with my remote desktop users group. But then the policy wasn’t applied anymore…

In this case you also have to add the remote desktop server (or a group containing all RDSs) to the “Security Filtering” list to give it permission to access the policy. That’s because the policy is initially a computer policy, not a user policy.

Posted in Group Policy, Windows Server

Quick tip: Never forget sysprep…

I ran into a problem where duplicate SIDs existed and caused a lot of problems, because I had cloned a base installation of Windows 2008 R2 Server.

Not a good idea if the Domain Controller and an Exchange 2010 server have duplicate SIDs.

So, quick tip:
Never, never, never forget to run Sysprep on a cloned machine:

c:\Windows\System32\sysprep\sysprep.exe

NOTE: Don’t forget to check the “Generalize” checkbox, or the SID will not be reset!

Posted in Quick tip, Windows Server