Yesterday I installed Microsoft Windows XP Professional. Did I pay for it? No, I didn’t. But I bought their Home edition of the same OS. Well, actually, I really didn’t have any choice, it came with my computer. And XP Home didn’t work very well, as I told you yesterday and the day before that. So, if they can’t sell me a piece of software that works properly, I’ll just have to steal one that does.
I realize that if you take the same logic and talk about other things, like for instance cars, it sounds a little bit far out: “Your economy car just broke down, so I’ll just steal your luxury model”. But XP ain’t like a car. Cars don’t get worms. XP does.
After having installed XP and downloaded a butt load of critical updates, I went home and set up my laptop just to check if I’d been able to install and configure the WLAN card correctly. I had, indeed, and everything worked fine. I also noticed that there was constant upload activity on the network card, and that was a tad strange, since I wasn’t really doing anything. A tiny program called DLLHOST.EXE was hammering the network, and I kinda wondered why the hell it was doing just that. A quick search on Google showed that the program is “the DCOM DLL Host process supports DLL based COM objects and is used by many Windows programs.” So, no worries, then, it’s just Microsoft sending some packages back to Redmond, probably a few passwords, bank account numbers and things like that. But we trust Microsoft, don’t we?
I really didn’t care much about it until I got home this evening. The process was still going wild, stealing almost all of my upload capacity. So, I downloaded and installed ZoneAlarm (free application, if you don’t have it installed, you should do it now) to try to figure out what the little bugger really was up to.
Hey, it’s scanning the IP range of my local network. Well, that’s kind of interesting, isn’t it? Click, click, click. DLLHOST.EXE traffic blocked.
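One way to catch the behaviour described above (a single process working its way through the local subnet) in personal-firewall or connection logs, as an added example that is not from the original post. The log line format, timestamps and process names are constructed for the example; it flags any process that reaches a threshold of distinct hosts in one /24 inside a short time window, not just the one worm seen here.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (hypothetical format: date, time, process, dst ip:port).
SAMPLE_LOG = """\
2003-08-20 18:01:02 DLLHOST.EXE 192.168.1.1:135
2003-08-20 18:01:02 DLLHOST.EXE 192.168.1.2:135
2003-08-20 18:01:03 DLLHOST.EXE 192.168.1.3:135
2003-08-20 18:01:03 DLLHOST.EXE 192.168.1.4:135
2003-08-20 18:01:04 DLLHOST.EXE 192.168.1.5:135
2003-08-20 18:01:04 DLLHOST.EXE 192.168.1.6:135
2003-08-20 18:01:05 DLLHOST.EXE 192.168.1.7:135
2003-08-20 18:01:05 DLLHOST.EXE 192.168.1.8:135
2003-08-20 18:01:10 IEXPLORE.EXE 207.46.134.155:80
2003-08-20 18:01:12 IEXPLORE.EXE 207.46.134.155:80
"""

def find_sweeps(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return {process: [subnet, ...]} for every process that contacted at
    least `threshold` distinct hosts in one /24 within `window`."""
    events = defaultdict(list)  # (process, /24 network) -> [(time, host)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, clock, proc, dst = line.split()
        ip, _port = dst.rsplit(":", 1)
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        subnet = ipaddress.ip_network(f"{ip}/24", strict=False)
        events[(proc, subnet)].append((when, ipaddress.ip_address(ip)))

    alerts = defaultdict(list)
    for (proc, subnet), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window forward so hits[start..end] all fall inside it.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct_hosts = {host for _, host in hits[start:end + 1]}
            if len(distinct_hosts) >= threshold:
                alerts[proc].append(str(subnet))
                break  # one alert per process/subnet is enough
    return dict(alerts)

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))  # {'DLLHOST.EXE': ['192.168.1.0/24']}
```

The browser traffic to a single external host is not flagged, while the process touching eight neighbouring addresses within a few seconds is.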
A quick scan with AVG Anti-Virus revealed that DLLHOST.EXE wasn’t a Microsoft thingy after all, it was the W32/Nachi.A worm working the graveyard shift. It was able to infiltrate my computer through one of two vulnerabilities in XP. But how could this have happened? I’m constantly installing security patches. And I’ve got the two critical updates fixing the vulnerabilities installed on my laptop. The answer is quite simple: For about an hour when I was installing Windows, I was wide open for attack, having no updates installed.
One hour was all it took and I was infected. Yay for Microsoft! Again!