Windows zero day nightmare exploited

[byte]

F-SECURE, Bugtraq and a number of other security aware outfits have warned of a zero day vulnerability that's being actively exploited as we write.

Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet.

A number of trojans are being distributed using the vulnerability, related to Windows' image rendering.

F-Secure says you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft.

Full article and source

[sn00pie]

NOD32 detected a trojan yesterday in my system32/c2c.dll, it's called Win32/Delf.AHV. Any relation to this?

[RootWind]

NOD32 detected a trojan yesterday in my system32/c2c.dll, it's called Win32/Delf.AHV. Any relation to this?

Doubt it, if this was really zero day, then NOD32 would give the generic heuristic detection (NewHeur* something like that), and not a name (unless the news source is a bit late, which it might be).

[mAcOdIn Veteran]

Alot of spyware is being classified as trojans now by alot of AV's, and to be fair they do ehibit some trojan behavior, so it was probably spyware of some sort.

[bush]

sounds pretty creepy. but using irfanview and firefox is it that serious?

[madnuke]

Just in time for work tomorow, if this realy is true then is the attack ment to happen today or in the next 24 hours?

[mAcOdIn Veteran]

sounds pretty creepy. but using irfanview and firefox is it that serious?

Well using firefox it sounds like you'd have to accept to download the file and then view it in IE or explorer, so I'd say the chances of getting infected via firefox is slim for most of us as we wouldn't accept a download at random.

[RootWind]

Just in time for work tomorow, if this realy is true then is the attack ment to happen today or in the next 24 hours?

Well it's been spreading in the last 24 hours apparently. It's not really an "attack" where someone is actively attacking something, but you still need to make the user do something (go to a website).

Edit: Well that's interesting. I guess McAfee VS Enterprise is pretty useful since it is able to block it with its Buffer Overflow protection. Does anyone know if the buffer overflow protection from AMD and Intel do anything?

Edited December 28, 2005 by DefensiveCore

[yodat]

Doubt it, if this was really zero day, then NOD32 would give the generic heuristic detection (NewHeur* something like that), and not a name (unless the news source is a bit late, which it might be).

Yes, NOD32 detects the malwares which uses this exploit from update 1.1342.

http://www.wilderssecurity.com/showthread.php?t=113132

[+Elі Subscriber²]

Yes this is out in the open as we speak, I have seen three computers already infected by This in the last two days, The previous link will just take you to a page where you can view information on the exploit, It's REALLY nasty and spreading quickly, ANY XP machine fully patched can get instantly infected if you just view a website containing the exploint while using Internet Explorer.

I have also explained how to remove one of the variants of this exploit Here

Edited December 28, 2005 by Ely

[madnuke]

Ok, now on action stations I've seen that this before only today at work, when we going to be able to get a patch from Microsoft or some updated virus protection files. If this exploit is published it could be another few varients of it.

[RootWind]

Ok, now on action stations I've seen that this before only today at work, when we going to be able to get a patch from Microsoft or some updated virus protection files. If this exploit is published it could be another few varients of it.

Looks like almost every AV has an update for it already.

[TimRogers]

Does anyone have the sample code, I'd like to have a look at it, and then I might have a hope of working out how to fix it :)

[Korben_Dallas]

Why link to the INQUIRER???

Why not link to F-Secure?

http://www.f-secure.com/weblog/archives/ar...5.html#00000753

[byte]

Why link to the INQUIRER???

Why not link to F-Secure?

http://www.f-secure.com/weblog/archives/ar...5.html#00000753

That link is in the article i posted, so why post it again?

[Ficman]

This one appears to be picking up steam, hold on to your hats fella's this one could be really bad... :wacko:

[Korben_Dallas]

Up to Date Info can be found here:

http://isc.sans.org/

Why post an article? When you can post the real thing?

[BigCheese]

OOOHHHHH!

"Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C."

Yesterday, I went to some dodgy website (using Maxthon), and it kept asking to download some random wmf file. Luckily I didn't.

[+Elі Subscriber²]

It's funny how yesterday you would make a search on this board for SpySheriff and you would get no results, Just make a search for it now and you'll see how fast it's going........ This is a nasty nasty infection.

[chopyaedoff]

blocking access to all WMF files and using Knoppix Linux to visit untrustworthy sites.

[madnuke]

This is looking partically nasty and time consuming to us PC techs, I think its going to be best to format untill there is some easy removal tool or Microsoft patchs it as most normal savy pc users wont know about this, half of them wont even know what a a .wmf is.

[+Elі Subscriber²]

Here is a video on how this thing behaves one you are infected, telling by the info so far it looks like there's lots of different variants of it, it always works using different antyspyware hoax programs:

Video Here

and Here it is a link to the full article with the video.

[+John Teacake MVC]

Is there a way to tell if youve been infected?

[fascist]

yeah, watch the video youll see.

[+John Teacake MVC]

Hey im watching no video. Sorry but you cant be too careful.