Can MS update alerts be spoofed?

Does anyone know if update alerts went out today for Windows 2000 users?

I saw what looked like the usual Windows Update alert icon in the lower
right corner of my screen this morning and blindly told it to go ahead and
do its update. After that the computer slowed to a crawl.

I ran Ad Aware. No problems with spyware. All my anti-virus definitions
are up to date.

I went to the Windows Update page and checked my history of updates and the
last update listed was in mid-October. So I downloaded an optional update
that I had been putting off and rechecked my history. Sure enough, the
optional download showed up, but not the earlier "update" that I had
downloaded this morning.

So what in the hell did I download this morning? It doesn't show up in my
MS history of updates. Has this happened to anyone else? Can these alerts
be spoofed and have I been tricked into downloading some kind of malware?

One other thing that might have bearing on this: After "updating" I got a
ZoneAlarm popup alert saying that COM Surrogate wanted access permission.
When I clicked on 'info' ZoneLabs informed me that a "known malicious
program was trying to connect to the internet," and that I should deny it
permission, which I did. The hitch according to ZoneLabs is that COM
Surrogate (dllhost.exe) is also a legitimate MS program.

Luckily, ZoneLabs tells you how to tell the difference between the legit
program and the worm. After reading thru that info, I'm pretty sure I don't
have the worm. However, something is slowing the computer way down, so I
denied COM Surrogate permission anyway.

That seemed to solve the problem. But still I think something's wrong. Why
does a legitimate program suddenly decide to slow my computer down to an
unbelievable crawl and, second, what did I download this morning? Can these
alerts be spoofed?

Thanks, and sorry about the length of this post!

Jack Dragon wrote:

> Does anyone know if update alerts went out today for Windows 2000 users?
>
> I saw what looked like the usual Windows Update alert icon in the lower
> right corner of my screen this morning and blindly told it to go ahead
> and do its update.
Hi

If you launched it from the system try I doubt it was a spoof.

As the critical update MS04-040/889293 was released yesterday,
I would guess that it was that one that installed.

To check if MS04-040/889293 is installed:

See the "Verifying Update Installation" section under
"General Information" \ "Security Update Information" \
"Internet Explorer 6 SP1 for Windows XP Service Pack 1
and Windows 2000 (all versions)" at

http://www.microsoft.com/technet/sec.../ms04-038.mspx


Check out the "File Version Verification" and "Registry Key
Verification" part.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx

Thanks! Everything checks out for a MS04-040/889293 installation as to
filename, date, time, version and size. And the second registry key given
had the required DWORD value.

The url you gave me was a little off, but that's okay because I was able to
find the right one and everything checks out.

Thanks again! Handy page. Bookmarked. :-)

"Torgeir Bakken (MVP)" <Torgeir.Bakken-> wrote in message
news:...
> Jack Dragon wrote:
>
> > Does anyone know if update alerts went out today for Windows 2000 users?
> >
> > I saw what looked like the usual Windows Update alert icon in the lower
> > right corner of my screen this morning and blindly told it to go ahead
> > and do its update.
> Hi
>
> If you launched it from the system try I doubt it was a spoof.
>
> As the critical update MS04-040/889293 was released yesterday,
> I would guess that it was that one that installed.
>
> To check if MS04-040/889293 is installed:
>
> See the "Verifying Update Installation" section under
> "General Information" \ "Security Update Information" \
> "Internet Explorer 6 SP1 for Windows XP Service Pack 1
> and Windows 2000 (all versions)" at
>
> http://www.microsoft.com/technet/sec.../ms04-038.mspx
>
>
> Check out the "File Version Verification" and "Registry Key
> Verification" part.
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scr...r/default.mspx

Jack Dragon wrote:

> "Torgeir Bakken (MVP)" <Torgeir.Bakken-> wrote:
>
>>If you launched it from the system try I doubt it was a spoof.
>>
>>As the critical update MS04-040/889293 was released yesterday,
>>I would guess that it was that one that installed.
>>
>>To check if MS04-040/889293 is installed:
>>
>>See the "Verifying Update Installation" section under
>>"General Information" \ "Security Update Information" \
>>"Internet Explorer 6 SP1 for Windows XP Service Pack 1
>>and Windows 2000 (all versions)" at
>>
>>http://www.microsoft.com/technet/sec.../ms04-038.mspx
>
> Thanks! Everything checks out for a MS04-040/889293 installation
> as to filename, date, time, version and size. And the second
> registry key given had the required DWORD value.
>
> The url you gave me was a little off, but that's okay because I was
> able to find the right one and everything checks out.


Duh, a copy, paste, and then forget to update error.

The correct URL is of course
http://www.microsoft.com/technet/sec.../ms04-040.mspx

Glad it checked out for you :-)


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx