byte Posted December 28, 2005 Share Posted December 28, 2005 F-SECURE, Bugtraq and a number of other security aware outfits have warned of a zero day vulnerability that's being actively exploited as we write. Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet. A number of trojans are being distributed using the vulnerability, related to Windows' image rendering. F-Secure says you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft. Full article and source Link to comment Share on other sites More sharing options...
sn00pie Posted December 28, 2005 Share Posted December 28, 2005 NOD32 detected a trojan yesterday in my system32/c2c.dll, it's called Win32/Delf.AHV. Any relation to this? Link to comment Share on other sites More sharing options...
RootWind Posted December 28, 2005 Share Posted December 28, 2005 NOD32 detected a trojan yesterday in my system32/c2c.dll, it's called Win32/Delf.AHV. Any relation to this? Doubt it, if this was really zero day, then NOD32 would give the generic heuristic detection (NewHeur* something like that), and not a name (unless the news source is a bit late, which it might be). Link to comment Share on other sites More sharing options...
mAcOdIn Veteran Posted December 28, 2005 Veteran Share Posted December 28, 2005 Alot of spyware is being classified as trojans now by alot of AV's, and to be fair they do ehibit some trojan behavior, so it was probably spyware of some sort. Link to comment Share on other sites More sharing options...
bush Posted December 28, 2005 Share Posted December 28, 2005 sounds pretty creepy. but using irfanview and firefox is it that serious? Link to comment Share on other sites More sharing options...
madnuke Posted December 28, 2005 Share Posted December 28, 2005 Just in time for work tomorow, if this realy is true then is the attack ment to happen today or in the next 24 hours? Link to comment Share on other sites More sharing options...
mAcOdIn Veteran Posted December 28, 2005 Veteran Share Posted December 28, 2005 sounds pretty creepy. but using irfanview and firefox is it that serious? Well using firefox it sounds like you'd have to accept to download the file and then view it in IE or explorer, so I'd say the chances of getting infected via firefox is slim for most of us as we wouldn't accept a download at random. Link to comment Share on other sites More sharing options...
RootWind Posted December 28, 2005 Share Posted December 28, 2005 (edited) Just in time for work tomorow, if this realy is true then is the attack ment to happen today or in the next 24 hours? Well it's been spreading in the last 24 hours apparently. It's not really an "attack" where someone is actively attacking something, but you still need to make the user do something (go to a website). Edit: Well that's interesting. I guess McAfee VS Enterprise is pretty useful since it is able to block it with its Buffer Overflow protection. Does anyone know if the buffer overflow protection from AMD and Intel do anything? Edited December 28, 2005 by DefensiveCore Link to comment Share on other sites More sharing options...
yodat Posted December 28, 2005 Share Posted December 28, 2005 Doubt it, if this was really zero day, then NOD32 would give the generic heuristic detection (NewHeur* something like that), and not a name (unless the news source is a bit late, which it might be). Yes, NOD32 detects the malwares which uses this exploit from update 1.1342. http://www.wilderssecurity.com/showthread.php?t=113132 Link to comment Share on other sites More sharing options...
+Elі Subscriber² Posted December 28, 2005 Subscriber² Share Posted December 28, 2005 (edited) Yes this is out in the open as we speak, I have seen three computers already infected by This in the last two days, The previous link will just take you to a page where you can view information on the exploit, It's REALLY nasty and spreading quickly, ANY XP machine fully patched can get instantly infected if you just view a website containing the exploint while using Internet Explorer. I have also explained how to remove one of the variants of this exploit Here Edited December 28, 2005 by Ely Link to comment Share on other sites More sharing options...
madnuke Posted December 28, 2005 Share Posted December 28, 2005 Ok, now on action stations I've seen that this before only today at work, when we going to be able to get a patch from Microsoft or some updated virus protection files. If this exploit is published it could be another few varients of it. Link to comment Share on other sites More sharing options...
RootWind Posted December 28, 2005 Share Posted December 28, 2005 Ok, now on action stations I've seen that this before only today at work, when we going to be able to get a patch from Microsoft or some updated virus protection files. If this exploit is published it could be another few varients of it. Looks like almost every AV has an update for it already. Link to comment Share on other sites More sharing options...
TimRogers Posted December 28, 2005 Share Posted December 28, 2005 Does anyone have the sample code, I'd like to have a look at it, and then I might have a hope of working out how to fix it :) Link to comment Share on other sites More sharing options...
Korben_Dallas Posted December 28, 2005 Share Posted December 28, 2005 Why link to the INQUIRER??? Why not link to F-Secure? http://www.f-secure.com/weblog/archives/ar...5.html#00000753 Link to comment Share on other sites More sharing options...
byte Posted December 28, 2005 Author Share Posted December 28, 2005 Why link to the INQUIRER??? Why not link to F-Secure? http://www.f-secure.com/weblog/archives/ar...5.html#00000753 That link is in the article i posted, so why post it again? Link to comment Share on other sites More sharing options...
Ficman Posted December 28, 2005 Share Posted December 28, 2005 This one appears to be picking up steam, hold on to your hats fella's this one could be really bad... :wacko: Link to comment Share on other sites More sharing options...
Korben_Dallas Posted December 28, 2005 Share Posted December 28, 2005 Up to Date Info can be found here: http://isc.sans.org/ Why post an article? When you can post the real thing? Link to comment Share on other sites More sharing options...
BigCheese Posted December 28, 2005 Share Posted December 28, 2005 OOOHHHHH! "Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C." Yesterday, I went to some dodgy website (using Maxthon), and it kept asking to download some random wmf file. Luckily I didn't. Link to comment Share on other sites More sharing options...
+Elі Subscriber² Posted December 28, 2005 Subscriber² Share Posted December 28, 2005 It's funny how yesterday you would make a search on this board for SpySheriff and you would get no results, Just make a search for it now and you'll see how fast it's going........ This is a nasty nasty infection. Link to comment Share on other sites More sharing options...
chopyaedoff Posted December 28, 2005 Share Posted December 28, 2005 blocking access to all WMF files and using Knoppix Linux to visit untrustworthy sites. Link to comment Share on other sites More sharing options...
madnuke Posted December 28, 2005 Share Posted December 28, 2005 This is looking partically nasty and time consuming to us PC techs, I think its going to be best to format untill there is some easy removal tool or Microsoft patchs it as most normal savy pc users wont know about this, half of them wont even know what a a .wmf is. Link to comment Share on other sites More sharing options...
+Elі Subscriber² Posted December 28, 2005 Subscriber² Share Posted December 28, 2005 Here is a video on how this thing behaves one you are infected, telling by the info so far it looks like there's lots of different variants of it, it always works using different antyspyware hoax programs: Video Here and Here it is a link to the full article with the video. Link to comment Share on other sites More sharing options...
+John Teacake MVC Posted December 28, 2005 MVC Share Posted December 28, 2005 Is there a way to tell if youve been infected? Link to comment Share on other sites More sharing options...
fascist Posted December 28, 2005 Share Posted December 28, 2005 yeah, watch the video youll see. Link to comment Share on other sites More sharing options...
+John Teacake MVC Posted December 28, 2005 MVC Share Posted December 28, 2005 Hey im watching no video. Sorry but you cant be too careful. Link to comment Share on other sites More sharing options...
Recommended Posts