Spyware Sucks

Ferrari 5000 - the first few days

Repeat disclosure: This article is about one of the Ferrari 5000's sent to Hive Featured Community owners and bloggers by AMD and Microsoft.

The Ferrari 5000 is a beautiful machine, and for somebody like me who is used to lower end hardware feels quite luxurious.  There's not a wobbly button or rough edge to be seen.  Unlike my other laptop, a lower end HP nx6120 which has had more than its fair share of problems, everything feels solid and well made on the Ferrari.  The lid and lid hinges feel tight and solid and the touchpad's buttons have a nice resistance to pressure (unlike the wobbly plastic buttons on my HP).  The casing is a very durable and beautifully finished carbon fibre, and the primary work suface has a lovely soft touch coating.  The bluetooth mouse has been given the same soft touch treatment.

Anyway, as they say, beauty is only skin deep and a gorgeous, glossy casing and quality finish only gets you so far, even with the special red cloth for removing the inevitable fingerprints .  

There will be plenty of other sites that concentrate on hardware specs and games performance, so let's look at how things go once the new car smell wears off and we get to work.  First off, the Ferrari 5000 runs hot, and I mean HOT - so hot that the bluetooth mouse, which was sitting more than 15 centimetres away from the air vent on the right hand side of the Ferrari was quite warm to touch, and I became concerned that the varnish on my wooden furniture would be damaged by the heat being generated.  There is little in the way of air vents on the bottom of the Ferrari 5000, and this machine is in serious need of cooling and better airflow, which it doesn't get.  I ended up purchasing a Targus Chill Mat.  The Ferrari is running a bit cooler now thanks to the increased airflow from the two fans in the Chill Mat, but this is still not a machine that I would leave running unattended overnight like I did with my old laptop.

The screen is a glossy CrystalBrite and is quite reflective, meaning that if you sit with your back to a window, you may have problems with reflections.  Display resolution is set to the maximum of 1650 x 1080 making everything quite sharp, but also small.  The screen reflections combined with the very high resolution led to me having a killer headache after the first day of use.

The Acer Voice Connection Manager for the VOIP phone kept crashing.  Repairing the software via add/remove programs resolved that problem. Also, the bluetooth mouse stopped working a few times.  Removing the mouse via the bluetooth hardware manager, then allowing it to be reinstalled, seems to have fixed that problem.

The Ferrari arrived in time for me to take it with me to Las Vegas, and there's nothing like getting out of the comfort of home to put a machine through its paces.  So far, things are going well.  The improved wireless security is comforting.  When a new network is detected, the user is prompted to select from one of three security profiles - home (private), work (private) and public.  Network discovery is automatically disabled for public networks which means that other computers sharing the same network cannot see your computer, and you cannot see them.

So far Vista has coped quite well with the sites and networks encountered.  T.Mobile's wireless service worked beautifully.  Cox Hospitality's wireless and wired hotel-based service proved to be problematic, but I suspect the problem is at Cox's end, not with Vista itself.  My system would connect, and receive an IP address, but "network errors" prevented me from being able to finalise the wireless log-in and start surfing.  Turning on network discovery got wireless going the first time (which I then turned off as soon as all was working) but when I woke up this morning and went to check my email the wireless was no longer working and I couldn't get it going.  I'm working using a wired connection now - fingers crossed it doesn't die too. 

Unfortunately, I could not get my CDMA wireless broadband working while I was still in Australia because the drivers for the Maxon Minimax USB CDMA modem are not compatible with Vista, and I could not get them to install.  When I go bush in Australia I am going to have to use my old HP laptop for internet access because, apparently, there will not be any Vista support for the CDMA Minimax

So far there's only one other thing (apart from the heat it generates) that I don't like about the Ferrari - the speakers are terrible.  My previous machine, the nx6120, sounds much better than the Ferrari.  When I travel I rarely watch TV, preferring to use the music stored on my laptop for background noise, but the quality of playback in the Ferrari is not very good at all.  I think I'm going to have to go out and get some speakers.

Overall I've been very happy with my move to Vista and the Ferrari laptop, but would be happier if I could get my Minimax working.

It's Showtime video - advanced malware cleaning

I haven't had a chance to watch this video yet, and don't know high level the information will be, but have high hopes about the content - Mark really knows his stuff  

Advanced Malware Cleaning
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=359
Mark Russinovich, Technical Fellow, Platform and Services Division, Microsoft

Yes, Sandi got a Ferrari too

Some of the regular readers of my blog will have seen the brouhaha that has been brewing at Robert Scoble's blog, istartedsomething, slashdot, and several other sites about various site owners and bloggers receiving a Ferrari 1000, Ferrari 5000 or Media Centre PC thanks to the collaborative efforts of AMD, Velocity Micro and Microsoft.

I also received one of the AMD/Microsoft supplied Ferrari 5000's today, delivered by DHL.  Why did I receive one?  Well, IE-VISTA has been a Featured Community at, and Sponsor of, The Hive for a while now.  My other web site,  Sandi's Site is/was also an Internet Explorer ExpertZone Featured Community (ExpertZone Featured Communities later moving over to The Hive) and it is because of my sites' Featured Community status that I was lucky enough to receive a laptop. 

Ok, so before we get into the nitty gritty of working with the Ferrari 5000, I should address the inevitable question that will be posed by some visitors who find this blog post - will Sandi be returning the laptop?

Edit:  Just like other recipients, I was given the choice of gifting the laptop, returning it to Microsoft, or keeping it.  Originally in this blog post I said I was going to keep the laptop, then I started seeing reports that some bloggers are receiving emails asking that the laptop be returned.  Now I am undecided. 

To be honest, I'm angry about the whole debacle.  Samples, gifting and "loaning" of hardware has been around for years and I can't avoid the feeling that things should not change to suit the unjustified flaming of a few strangers that have never read my blog, and assuming they even find my blog, will disappear never to return as soon as something else interesting happens? 

Yes, some got a bee in their bonnets about a lack of disclosure, and I can understand why a lack of disclosure is a problem, and I agree that disclosure is important, but why should recipients no longer be able to keep the laptops or media centers because of a problem in some quarters with 'right-from-the-start' disclosure? 

Does MS believe that the flamers will speak any better of the bloggers they have attacked if the bloggers are told to return the units instead of being given the choice?  The flamers are simply going to say that nothing has changed because the return was not voluntary.  And, what about the bloggers who made full disclosure? Will the flamers turn around and say "oh, but they shouldn't lose the laptops because they were honest"?

In the end, what does or doesn't happen will be between me and MS, not between me and some troublemakers who are jumping from blog to blog posting criticisms - blogs that you can bet they had not visited before then.  If that means I lose such troublemakers as readers then so be it   End edit.

IE-VISTA, as my regular readers know, specialises in supporting users of IE7 and gets thousands of hits every day but there is currently little in the way of content about IE7 on Windows Vista simply because I have not been able to run Vista on a PC for a useful period of time. 

My primary laptop (an nx6120) cannot run Windows Vista (believe me, I tried to get it to install, and failed), nor can my 4+ year old jukebox PC, nor can my old Fujitsu tablet PC.  I was able to get Vista to run on the PC my teenagers share, but only just - it was extremely slow, making working with Vista very difficult.  The PC had a Vista Experience Rating of 1, and there is no Aero, and I don't think its fair to take the kids' PC away from them anyway meaning I had to kick them off whenever I wanted to do something in Vista.  Reality is that if it were not for the Ferrari laptop I would not be able to run Vista for a very long time, and I certainly could not afford a machine that can run Aero.  

At the moment, despite being an Internet Explorer MVP since 1999, I am only able to provide limited support to IE7 users when they are running Windows Vista, but I want to be able to support all users of Internet Explorer, not matter what their operating system may be.  Windows Vista is also going to lead to a fundamental shift in the way that spyware and malware affects (or doesn't affect) users, and I need to get fully familiar with the operating system. 

I want to deep dive into Windows Vista and get as good at helping users of IE on that operating system as I am and have been all the way back to the early days of IE5.  I'll do my tests, write about the laptop and it will be used as my primary machine and used to build up IE-VISTA with Windows Vista specific content and screenshots, and provide technical support to users.  I'll be able to deep dive into IE7 on Vista, with its protected mode, and other security features and behaviour specific to Vista and x64. 

When IE8 builds start appearing, and I (hopefully) get a build or 3, I will have a machine that can run it.  I'd give my current laptop to my daughter who needs one for her 2nd last year of high school, my hubby (whose computer died not long ago and has not been replaced) will struggle along with the slow Tablet PC because he only needs email and a little web browsing, and my son will keep the PC that struggled along with Vista, although I will have to bow to the inevitable and roll back the system to XP - it simply can't cope with the new OS.

So anyway, as you can see from the DHL screenshot at the beginning of this post, I received my Ferrari today, and there have been some challenges.  The Acer software for the VOIP phone kept crashing (I think that fixed that - more tomorrow) and it proved to be challenge to add the laptop to my domain (I run SBS2003 on my server, and extra steps needed to be taken first to allow a Vista PC to be added to the domain at all, then extra steps specific to x64 Vista, and some changes to the way that a PC is added to a domain - more about that tomorrow too).  Also, Windows Update reports a slew of failed updates related to some of the hardware (more about that tomorrow as well).

One thing I will say before I go to bed (its after 11pm here) is that the mouse is not too friendly to a lady with long acrylic nails - I had to use a knife to leverage off the battery cover because the cover is not fingernail friendly, and mouse pointer speed is not consistent between the touch pad and the bluetooth mouse - if I speed things up so that the pointer moves at a comfortable speed when using the bluetooth mouse, it is too slow when using the touchpad, and when I speed it up for touchpad use, its too fast when using the bluetooth - very irritating.

Oh, and for those of you asking why the Ferrari 1000 had a reported rating of 2.8 in this blog post - I think you will find that if the blog owner refreshes the rating by running "Update my score", that the Ferrari 1000's rating will jump to 4.0 or thereabouts - my Ferrari 5000 also showed a rating of 2.8 when first checked, but when I refreshed the assessment it jumped to 4.8.

More later about the Ferrari and my experiences so far...

The goods...

Messenger Plus! hits 14 million active users

Patchou announced today that MP! now has 14 million active users.

Of course, I congratulate Patchou on reaching such a milestone - it is an amazing success for a 'one man band'.

Patchou's announcement about his current active user count is an opportune time to ponder why I've been writing about, and have been so critical of, the sponsor program for so long. 

We don't know how many of the MP! active users are running the Sponsor Program.  We don't know how many of them are running older versions of Windows or IE that are vulnerable to the various tricks that the Winfixer crowd use to infect systems with their malware.  We don't know how many believe the lies or fall for the social engineering tricks that the Winfixer adverts use to frighten and convince users to install the malware.  But we do know this.  Such a large user base is a very juicy target for the bad guys and is why I am, and have been, so determined to get Winfixer and other malware out of the sponsor program advertisements, and why the bad guys are so determined to sneak through and get their ads displayed.

Its been an interesting journey, watching how determined the winfixer gang have been to get their malware on as many machines as possible, and recording the various tricks they use.

As a reminder, CiD have taken steps to try and block Winfixer at the gate by editing the HOSTS file on all machines running the Sponsor Program - its a small step, but an important one.  Unfortunately, I don't know if the CiD have only changed the HOSTS file for MP! users or on all systems that have their software installed - I'm hoping for the latter, but suspect it is the former.
http://msmvps.com/blogs/spywaresucks/archive/2006/12/18/428740.aspx

I'll keep watching the Sponsor Program, even with the HOSTS file in place, because I'm sure the winfixer pushers will try to bypass the new protections, and you can be sure that whatever tricks they use to get past the Sponsor Program defences will also be used elsewhere.

New IE knowledgebase articles

IE6: Error message when Internet Explorer 6 uses a DHTML Edit control: "R6052 pure virtual function call"

http://support.microsoft.com/default.aspx/kb/929068

When you open an Excel 2007 workbook by using Excel Web Access, you are presented with a Security Information dialog box (not yet live)

http://support.microsoft.com/default.aspx/kb/928729

Guess what I saw this morning...

The Messenger Plus! HOSTS file is blocking Winfixer - partially - things didn't get any further than this popup after I clicked on the red x. The next time it appears we'll click on the OK button and see where it takes us...

False positive affecting TrendMicro's online scanner "Housecall" and NitroPDF

If you use NitroPDF and Housecall, watch out.  TrendMicro's online scanner Housecall is labelling a legitimate, and important, file installed by NitroPDF, zeon98.dll, as adware.  NitroPDF, as my regular readers will know, is an Adobe replacement that we've been using on site since we built the new network in June.  Its much cheaper, and faster, than Adobe and the technical support we have received from ArtsPDF is certainly far superior than that offered by Adobe - even *buying* stuff from Adobe has proved difficult at times.

Thankfully Trend's OfficeScan product is not affected by this false positive, meaning I don't have to worry about our locally installed antivirus breaking one of our important business applications.

Those behind Housecall have, in the past, been slow to fix false positives which is always a problem when a programme may break if a file is deleted.  Always be careful when letting antivirus products 'clean' infections - if in doubt, get a second opinion.

Ok, so the problem of winfixer is being addressed.. what did we see advertised tonight?

Overall things have been pretty quiet on the malware front since Circle Distribution pushed out the HOSTS file update the other day - not much more than irritating ring-tone ads, and some casino stuff, and SMS dating. But, that being said, the sponsor program was kind enough to introduce me to pcsecurityshield.com - an illustrious member of the rogue antispyware gallery at Spyware Warrior.

What does Spyware Warrior have to say about pcsecurityshield?
http://www.spywarewarrior.com/rogue_anti-spyware.htm

"False positives work as goad to purchase; poor, misleading scan reporting; deceptive advertising/"scan" on home page; advertises through adware; recruits affiliates through spam; dubious corp. associations; same app as Spyblocs 3.0, MySpyFreePC, iSpyKiller, SamuraiSpy, & Spy Crusher; also from this domain: The Shield 2004, PC Security Shield - (Note: other domains associated w/ Privacy Defender include: clixtrader.net, pcsecuritysheild.com, pcsecuritywall.com, pctoolworks2004.com, pctoolworks2005.com, threatlevel.com)"

Oh,and check out their privacy policy - in it you agree to "receive the PCSecurityshield Shield Alert" where you receive "great offers on products from PCSecurityShield and its partners; security and antivirus news; and computer security tips" (whether such security and antivirus news and computer security tips can be trusted remains to be seen).

Oh, and PCSecurityShield reserve the right to share, barter or sell your information to their partners, but they do promise not to share your financial data (how nice of them).  You agree to receive emails from partners too (aka spam).

PCSecurityShield promises to delete your information upon request, but they don't promise that their 'partners' will stop emailing you, nor can they promise that their 'partners' won't onsell your information even further.

Thankfully there was no attempt to hijack my system as always happens with Winfixer, but that's understandable considering PCSecurityShield is a pay for product - here's my advice - don't pay for PCSecurityShield when there are plenty of reputable products out there - a list of the good guys can be found here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm#trustworthy

Important information re: the Messenger Plus! sponsor program and Winfixer

Over the past 48 hours Circle Development have edited the HOSTS file on machines that are running the Messenger Plus! Sponsor Program to block many Winfixer related URLs.  This one change will go a long way towards protecting Messenger Plus! users from Winfixer malware, not only via the Sponsor Program but also from any other online vector that uses those URLs.  A screenshot of the HOSTS file changes is at the bottom of this post.

If anybody is running the MP! sponsor program, and their HOSTS file has *not* changed, let me know

Patchou has endured a lot of negative publicity over the years, and I think it is only fair that he be complimented and applauded for this attempt to block Winfixer.  It was obvious that Circle Distribution were having real problems stopping malware purveyors from using the Sponsor Program as a conduit to infect users' machines.

I believe that I can also claim a lot of credit for this change.  I've been complaining about the way that Messenger Plus!'s Sponsor Program has been exposing its users to dangers such as Winfixer for a very long time - examples of my complaints include articles on December 17, December 15 and December 12, November 12, June 30, June 26, June 25 and April 7.  If I had not generated so much publicity about the Winfixer problems; if I had not installed the Sponsor Program, tested it, captured screen shots, blogged and complained then the steps to change the HOSTS file would not have occurred when they did, if at all.

I have another observation to make now, that I am sure will result in my being flamed, but so be it.  As a result of my blog posts, and my Web site articles, I have been subject to a lot of criticism, and flaming, by Patchou's supporters over the years - so much so that I ended up giving them the name "Patchou's Posse".  You can see their comments on various pages on this blog, on the Messenger Plus! support forums, the Microsoft's newsgroups and elsewhere.

I have this to say to the MP! supporters who flamed me and my anti-spyware associates over the years for our criticism of Patchou and the Sponsor Program.  If you had spent less time visiting various forums to post comments supporting Patchou, if you had spent less time saying that "it's optional", if you had spent less time flaming people who installed the Sponsor and then complained about the advertisements, and more time focusing on and going after Winfixer, then Messenger Plus!'s millions of users would have been protected far sooner than has been the case.

I will continue watching the Messenger Plus! Sponsor Program to see how things develop.  Will the Winfixer crowd up the ante and work out a way to get around the HOSTS blocking? I think they will.  Watch this space for future developments 

Quote of the Day

"Sometimes something is true even if George Bush believes it", Tom Friedman, Meet the Press, 17 December 2006

The Messenger Plus! Sponsor Program and Winfixer again...

Here we go again... let's add tonight's attempt to infect my machine with Winfixer via the Messenger Plus! sponsor program to the incidents that occurred on December 15 and December 12, November 12, June 30, June 26, June 25 and April 7.

First window - the classic white window and dialogue box:
http://www.ie-vista.com/images/graphi61.jpg

Trend complains:

Drivecleaner aka Winfixer:
http://www.ie-vista.com/images/graphi64.jpg

Unable to download the file - Trend blocks it:

Poetic justice?

Umm, "Duo To A Communication Problem"?

Are you patched? Interesting statistics from Secunia Software Inspector

So, are you patched?  Secunia have released statistics harvested via their new Software Inspector that make interesting reading:
http://secunia.com/blog/4/

Synopsis:

Of the 400,000 detected applications, over 35% were insecure versions. In particular, Secunia have revealed that:

1. 4.12% of IE6 users were insecure.
   
2. 35.47% of Firefox users were running vulnerable versions.
   
3. 13.04% of Opera users are unpatched.
   
4. 53% of Flash 9x users are running vulnerable versions. 
   
5. 6.8% of Skype users are insecure.

The results for Firefox are worrying.  Firefox introduced an auto-update mechanism several versions ago, but it seems that far too many FF users are either running versions that do not have the mechanism, or are not updating (whether it be because they've turned the feature off, their firewall is interfering or the browser is installed but is not being used).

It is unfortunate that the statistics don't include Sun Java, which does not remove old versions when updated.   Up until version 1.5.6 of Sun Java (I think) malware was able to use old, vulnerable versions of Sun Java to infect systems, even if newer versions were installed, and even now old versions can be called under limited circumstances.

The Flash results are worrying.  Macromedia, when it is updated, does not remove old, vulnerable files that are installed.  On some systems I have tested I have found up to three different versions of Flash still installed.  That being said, the existance of flash*.ocx on a system does not necessarily mean that the bad guys can access the file - does anybody know if old versions of Flash can be used by bad guys if later versions are installed (as is/was the case with Sun Java)?

The very low number of vulnerable IE6 users highlights how important, and effective, services such as Microsoft and Windows Update, Automatic Update, WSUS/SMS/SUS are.  Sometimes I wonder if it would be a good idea for Microsoft to offer third party vendors the opportunity to distribute their updates via AU, or at least alert users of AU to the existence of a security update for a third party product.  Services such as Secunia's Software Inspector are an excellent service, but people need to know about them to use them. 

I'd like to encourage Web site owners who have home users as their primary readership to publicise the Secunia service on their sites and blogs.

ASUS servers compromised??

Welcome to the brave new world of "ok, so they're too smart to go to porn sites or open email attachments, so let's hack every server we can get into and get them that way".  Once again we are shown that danger lurks everywhere on the Internet.

I just spotted this - it looks like some ASUS sites were/are infecting visitors with a spyware programe that tries to steal passwords:
http://www.heise-security.co.uk/news/82643

"Asus now appears to be cleaning up its sites. Some have been disinfected already, others remain dangerous. How long the sites have been infected, how many customers are affected and how the malware was able to establish itself on the servers is not yet known. A posting on a Belgian forum from 12th December suggests, however, that the infection has been present for a few days."

It looks like ASUS Taiwan was hit, and several pages that I have tested are displaying a "down for maintenance" message.

Other sites that have infected visitors because their servers have been hacked and which have been mentioned in this blog include CircuitCity, mosets.com, spreadfirefox, Capital City Bank, Wakulla Bank and Premier Bank, msblog and Debian (urls here: http://msmvps.com/blogs/spywaresucks/archive/2006/07/22/105450.aspx)

Remember, just because you only go to "safe" sites and don't download attachments, p0rn or warez does not mean you will not be exposed to risk.  Patch your systems, make sure you install critical and security updates as they are released, and update to Internet Explorer 7.  IE7 has been immune to many exploits that have hit IE6 and earlier.

Edit: Information about the exploit here:
http://isc.sans.org/diary.php?storyid=1948&rss

I'd recommend that you block http://www.yyc8.com/ on your network or add it to your HOSTS file.  You can bet that there are multiple compromised servers out there that all pointed to that domain to retrieve their malware.

New KB article - IE7 - missing options under "settings" in the advanced tab

No options appear under Settings on the Advanced tab of the "Internet Options" dialog box in Windows Internet Explorer 7

http://support.microsoft.com/default.aspx/kb/928849

Messenger Plus! and Winfixer - once again.

I am sick to death of this. I keep seeing Winfixer pushers using the Messenger Plus! Sponsor Program to infect systems with malware.  I keep reporting it to Patchou and/or blogging about it, yet I see it happen again, and again, and again. 

How many times have I complained about malware using the Messenger Plus! Sponsor Program to spread?  Well, I have complained by email and/or via my blog twice this month (December 12 and tonight's entry), November 12, June 30, June 26, June 25 and April 7.  8 months is more than enough time for C2Media / Circle Distribution to clean up their act.

I'm beginning to wonder if the problem really is rogue clients.  I'm also beginning to wonder if Circle Distribution aka C2Media is doing anything when these "rogue clients" are reported. 

I am beginning to suspect that Circle Distribution / C2Media have absolutely no intention of blocking winfixer - maybe they're not willing to give up the money.  Just how hard is it to block drivecleaner.com, or errorsafe, or any of the other malware variants that are being spread around the net the the Messenger Plus! Sponsor Program?

Here is today's attempt to install winfixer on my machine - the screenshots were taken within the last hour:

First blank window and dialogue box:
http://www.ie-vista.com/images/graphi54.jpg

Trend Antivirus alert:

Another alarmist window:

Another Trend alert:

Leading to this malware site:
http://www.ie-vista.com/images/graphi56.jpg

New KB article - IE6 - credentials problem - ISA Server 2006

New Internet Explorer KB articles

The font size of text in HTML form controls does not change when you change the font size of a Web page in Internet Explorer 6 Service Pack 1
http://support.microsoft.com/default.aspx/kb/907316

MS06-072: Cumulative security update for Internet Explorer
http://support.microsoft.com/default.aspx/kb/925454

IE7 - customised versions - lots being released

Yahoo was first - even going live before Microsoft - naughty Yahoo:
http://downloads.yahoo.com/internetexplorer/index.php

Google has got one too (and got in trouble for copying Yahoo's download page):
http://www.google.com/toolbar/ie7/

USAtoday has one:
http://www.usatoday.com/marketing/ie7/download.htm

The IE blog notes that Webde has one as well (darn, my German is rusty - time to hit the textbooks again):
https://www1.produkte.web.de/browser/?mc=suche@web@smartinfo@browser.produkte@browser

There are rumblings of discontent about Google releasing a version of IE7 to the world - after all, Google have always been Firefox supporters... oh, the betrayal

IE7 update - fix for Phishing filter

This update is not for Windows Vista and resolves a performance issue affecting the Phishing Filter.  It is available at the appropriate URL listed below and should be installed if you are running XPSP2 or Windows Server 2003. 

The related KB article is here:
http://support.microsoft.com/kb/928089

XPSP2 x86
http://www.microsoft.com/downloads/details.aspx?FamilyId=EF6EA470-D51C-4BE5-A15B-74430E9E2AD4&displaylang=en

XPSP2 x64
http://www.microsoft.com/downloads/details.aspx?FamilyId=CC377A51-99BE-425C-BCD5-D2F56E5D1BDC&displaylang=en

Windows Server 2003 SP1 x86
http://www.microsoft.com/downloads/details.aspx?FamilyId=A14B87F9-D857-49F0-8D8F-E91B5609631F&displaylang=en

Windows Server 2003 SP1 x64
http://www.microsoft.com/downloads/details.aspx?FamilyId=403C03CF-3765-45B9-89CA-1604379077DC&displaylang=en

Windows Server 2003 SP1 itanium:
http://www.microsoft.com/downloads/details.aspx?FamilyId=95AF0306-810B-453E-B217-073AB1C52F70&displaylang=en