Security issue with malware on Vista bypasses UAC and sends out SPAM
Posted: 01-15-2008, 05:31 AM
on Microsoft's support/KB site or the Internet... perhaps someone here has
seen this problem.
I installed a new PC with Windows Vista Ultimate in May... downloaded all
the security updates, etc..
I also had a new Windows SBS 2003 R2 server, also with the latest
I created file shares for the USERS and had some that were protected (READ
and PRIVATE) in addition to READ/WRITE. The permissions worked for the
other Windows XP clients on the network; however, the Vista client would receive
a PERMISSION DENIED pop-up when accessing a folder on the server which they
could not browse nor write a file into... but then the write operation
(folder or file) completed! TO MY SURPRISE! Anyone seen this issue? I
did find some Vista-specific suggested updates for the SBS 2003 R2 server to
support Vista clients... and this resolved the problem! Yikes! These
should have been MANDATORY REQUIRED updates... as I fear some SBS servers
out there may have been compromised by new Vista clients on their network.
Anyhow... I digress. A few weeks later in May, the user received an email
that they should not have opened... and the anti-virus software detected it
and quarantined the virus. All seemed okay... except after a few days the
Internet connection was saturated... even when no one was using the
computers in the office. Further investigation of the firewall (Cisco 871W
router) showed a lot of traffic coming from the Vista client computer. I
looked at the PC and the network status icon showed no status/traffic. So
I disabled the network interface. The outbound SPAM being sent stopped
going through the firewall... and then again 5 minutes later... started
again. Looking at the Vista client again... the network connection was
DISABLED... but sending out traffic! UAC was enabled... how could the
system enable the network connection and send out SPAM? I tested this and
ensured no other devices were on the network. I soon discovered that the
SBS server was doing the same thing! I ran different vendors' anti-virus
tools and scans... nothing was discovered. I found that I physically had
to disconnect the cabling to prevent the SPAM from going out... disabling
the network interface was not enough. I was curious why the Cisco router
was being hammered so much... and then turned off SPI (stateful packet
inspection)... this seemed to keep the Internet connection stable. What
I didn't tell you was that the ISP turned off the Internet connection due to
the SPAMming from our network... and wouldn't re-enable until the problem was
I ended up formatting and re-installing both systems as they were relatively
new installs and I wanted a clean installation. To date I have not seen
this problem again.
Any ideas as to what might have caused this behaviour?
I see there are ways to disable UAC from window menus and command line (see
MSCONFIG tool!)... but they normally require a system re-boot. In this
case, it was turned off and on at will... and appeared normal if the user
used the computer. But behind the scenes, controlled the NIC on the Vista
Has anyone seen this? Is it a known problem? Has it been resolved?
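The poster found the infected hosts by looking at outbound traffic on the perimeter router, not at the endpoints (which reported their NICs as disabled and passed AV scans). The following is an added example of that detection step in code; it is not from the original post and does not use real Cisco log syntax. The log format, the addresses and the thresholds are constructed for illustration. It flags internal hosts that open many outbound SMTP (port 25) connections to many distinct destinations, and counts how many happened outside business hours, which matches the "saturated line while nobody is in the office" symptom. On a network where a server such as SBS legitimately relays mail, baseline that host's normal SMTP volume separately rather than excluding it, since in this story the server itself became a sender.

```python
"""Added example (not from the original post): flag internal hosts that look
like spam bots in perimeter firewall logs. Log format and addresses are
constructed for illustration and are NOT real Cisco IOS output."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: generic "outbound connection" records. Two hosts hammer
# port 25 at 02:00; one workstation does normal web browsing plus one mail send.
SAMPLE_LOG = """\
2008-01-15 02:03:11 src=192.168.1.20 dst=203.0.113.5 dport=25 proto=tcp
2008-01-15 02:03:12 src=192.168.1.20 dst=203.0.113.9 dport=25 proto=tcp
2008-01-15 02:03:12 src=192.168.1.20 dst=198.51.100.7 dport=25 proto=tcp
2008-01-15 02:03:13 src=192.168.1.20 dst=198.51.100.8 dport=25 proto=tcp
2008-01-15 02:03:14 src=192.168.1.20 dst=203.0.113.44 dport=25 proto=tcp
2008-01-15 02:03:15 src=192.168.1.20 dst=203.0.113.45 dport=25 proto=tcp
2008-01-15 09:14:02 src=192.168.1.31 dst=203.0.113.10 dport=80 proto=tcp
2008-01-15 09:14:05 src=192.168.1.31 dst=203.0.113.10 dport=443 proto=tcp
2008-01-15 09:20:00 src=192.168.1.31 dst=203.0.113.60 dport=25 proto=tcp
2008-01-15 02:05:00 src=192.168.1.10 dst=203.0.113.5 dport=25 proto=tcp
2008-01-15 02:05:01 src=192.168.1.10 dst=203.0.113.6 dport=25 proto=tcp
2008-01-15 02:05:02 src=192.168.1.10 dst=203.0.113.7 dport=25 proto=tcp
this line is deliberately malformed and must be skipped
"""

# Matches the constructed format above; adapt the pattern to the real device.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_lines(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line.

    Malformed lines are skipped rather than raising, so one odd record in a
    large export does not abort the whole analysis."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield (
            datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["src"],
            m["dst"],
            int(m["dport"]),
        )


def find_spam_senders(text, min_connections=3, min_distinct_dst=3,
                      business_hours=(8, 18)):
    """Return {src_host: stats} for hosts whose outbound SMTP behaviour looks
    like a bot: many port-25 connections to many distinct destinations.

    'off_hours' counts connections outside business_hours (start inclusive,
    end exclusive, local time of the log). Thresholds are illustrative."""
    smtp_by_host = defaultdict(list)
    for ts, src, dst, dport in parse_lines(text):
        if dport == 25:
            smtp_by_host[src].append((ts, dst))

    start, end = business_hours
    report = {}
    for host, conns in smtp_by_host.items():
        distinct = {dst for _, dst in conns}
        off_hours = sum(1 for ts, _ in conns if not start <= ts.hour < end)
        if len(conns) >= min_connections and len(distinct) >= min_distinct_dst:
            report[host] = {
                "connections": len(conns),
                "distinct_destinations": len(distinct),
                "off_hours": off_hours,
            }
    return report


if __name__ == "__main__":
    for host, stats in sorted(find_spam_senders(SAMPLE_LOG).items()):
        print(host, stats)
```

Run against a real export, the interesting output is the host list: a workstation that should never talk SMTP directly, or a server whose port-25 fan-out jumps at 02:00, is the machine to pull the cable on, exactly as the poster ended up doing.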