:: 24-Sep-2000 13:19 (Sunday) ::

I have created a simple program that can be run on Win9x machines to
attempt to remove files associated with this most recent “MSINIT” worm,
as well as the VBS.Network and VBS.NetLog worms). You can download this
utility (with full source) from the following location:
http://www1.distributed.net/~bovine/wormfree.zip

:: 24-Sep-2000 12:51 (Sunday) ::

We have recently discovered that a new infectious worm has recently begun
circulating throughout the Internet and includes a hidden payload of our
dnetc.exe client. We have already discredited all stats credit for that
participant’s email address. As stated by our policies at
http://www.distributed.net/legal/policy.html and by our trojan horse
disclaimer at http://www.distributed.net/trojans.html, performing these
types of malicious activities are not condoned at all and these matters
are aggressively pursued by distributed.net.

This worm propagates by randomly selecting an arbitrary IP address and
attempting to connect to the “C” file share on that machine. If it is
successful in accessing that share, it will copy several files into the
remote machine’s “\WINDOWS\Start Menu\Programs\StartUp\” and
“\WINDOWS\SYSTEM\” directories:

+ MSxxx.EXE ~22016 bytes (size and filename varies slightly)
+ MSCLIENT.EXE 4096 bytes
+ INFO.DLL (text file log of other infected computers)
+ DNETC.EXE 186188 bytes (official release v2.8010-463-CTR-00071214)
+ DNETC.INI (containing the email address bymer@inec.kiev.ua)

Note that the presence of DNETC.EXE and DNETC.INI (but with another email
address) on a computer may potentially represent an authorized installation
of our client software, knowingly done by the owner of the machine, so it
not reasonable to indiscriminately delete all instances of those filenames
should you find them.

Please note that the MSxxx.EXE file will vary slightly and will contain
the first numerical component of your computer’s IP address and possibly
a few extra characters. For example, the following filenames have been
encountered: MS216.EXE, MSI216.EXE, MSI211.EXE. It has been discovered
that some instances of this worm’s file is secondarily infected with the
FunLove.4099 virus, so the filesize may be slightly larger that 22016
bytes if so.

Additionally, as a part of the infection, the following line may be added
to the remote computer’s \WINDOWS\WIN.INI file:

load=c:\windows\system\msxxx.exe (filename varies)

Once either of the first two EXEs have executed once, under the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ registry key,
the following registry value may be added:

MSINIT=c:\windows\system\msxxx.exe (filename varies)

Since the worm also executes “dnetc.exe -hide -install”, there will also
be the addition of another registry value to automatically start the client
as well. Note that the existence of that other registry value in itself
may not necessarily imply an unauthorized installation of our software by
the worm, such as if the owner of the machine had legitimately installed
our client software.

The propagation of this worm is possible solely because many Win9x computer
owners unknowingly choose to share their entire hard drives un-passworded
and with full read/write control granted. Readers are encouraged to warn
others about the dangers of sharing directories (and full hard disks)
without strong passwords.

:: 23-Sep-2000 04:14 (Saturday) ::

OGR progress report:

As of 23:59 22-sept-2000 there were 2,264,082 unique OGR-25 stubs returned,
out of 12,207,683, or 14.89% complete

As of 23:59 22-sept-2000 all but 7 unique OGR-24 stubs had been returned
and about 49% had valid pass-2 returns

:: 20-Sep-2000 21:41 (Wednesday) ::

Something got botched when I re-ran OGR stats for 9/18, so I’ll be
re-running them again. }:8/

:: 19-Sep-2000 19:52 (Tuesday) ::

Stats will be late again today :( The automation got a bit cowfused last
night, so I had to manually start the run, and I didn’t notice the problem
until 1000GMT or so. The problem with that is stats take a *very* long
time to run when they are competing with users for disk/CPU, so they take
forever when they run during the day. If they don’t finish soon, I’ll shut
off apache for a while so that they can finish.

Sorry for the inconvenience.

:: 18-Sep-2000 19:01 (Monday) ::

The RC5 statsrun didn’t happen last night due to a problem with the
automated log transfer. I’ll start them running in a few minutes. Sorry
for the inconvenience.

:: 18-Sep-2000 00:58 (Monday) ::

There have been a couple of new utilities added to the third-party addons
page, including:

Ovine by Julius Welby. A python script that allows people (such as those
who use the email fetch@distributed.net gateway) to automatically swap
in other in-buffers when the client exhausts its current one.

PM by Spirin Timofey. A Win32 utility to process proxy console logs,
allowing you to monitor the buffer levels and last-update times of all
connecting clients.

You can find links to those utilities (and more) on our third-party addons
page at http://www.distributed.net/download/addon.html

I’ve also finished some minor reorganization of the text on the front
distributed.net web page, the ogr contest page, the rc5 contest page, and
the client download pages. Most of the changes I’ve made have been in
the interest in trying to improve the readability of the pages to someone
visiting those pages for the first time.

:: 16-Sep-2000 15:19 (Saturday) ::

A new Java Log Visualizer version has been released, with the help of
Stanley Appel, who contributed a bunch of code to enable it to plot multiple
contests simultaneously in different colors. You can see a cute screenshot
at http://www1.distributed.net/~bovine/javavis14.png or you can download
it (along with full Java source) from the source page at
http://www.distributed.net/source/

:: 14-Sep-2000 01:45 (Thursday) ::

The Following Personal Proxies have been placed for pre-release:

– Windows 95/98/NT/2000 [x86] v319c 2000-09-14

– FreeBSD [x86] v319c 2000-09-14

– Linux [x86/unified] v319c 2000-09-14

The Pre-Release Page can be found at:

http://www.distributed.net/download/prerelease.html

Please remember to report bugs at http://www.distributed.net/bugs/

Enjoy!

:: 11-Sep-2000 01:42 (Monday) ::

OGR progress report:

As of 23:59 09-sept-2000 there were 1,411,351 unique OGR-25 stubs
returned, out of 12,207,683, or 9.28% complete

As of 23:59 09-sept-2000 all but 11 unique OGR-24 stubs had been returned
and about 48% had valid pass-2 returns