Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Experienced

byte

Posted
Posted

F-SECURE, Bugtraq and a number of other security aware outfits have warned of a zero day vulnerability that's being actively exploited as we write.

Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet.

A number of trojans are being distributed using the vulnerability, related to Windows' image rendering.

F-Secure says you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft.

Full article and source

Link to comment
https://www.neowin.net/forum/topic/413457-windows-zero-day-nightmare-exploited/
Share on other sites
Mentor

RootWind

Posted
Posted

NOD32 detected a trojan yesterday in my system32/c2c.dll, it's called Win32/Delf.AHV. Any relation to this?

Doubt it, if this was really zero day, then NOD32 would give the generic heuristic detection (NewHeur* something like that), and not a name (unless the news source is a bit late, which it might be).

Grand Master

mAcOdIn Veteran

Posted
  • Veteran
Posted

sounds pretty creepy. but using irfanview and firefox is it that serious?

Well using firefox it sounds like you'd have to accept to download the file and then view it in IE or explorer, so I'd say the chances of getting infected via firefox is slim for most of us as we wouldn't accept a download at random.

Mentor

RootWind

Posted
Posted (edited)

Just in time for work tomorow, if this realy is true then is the attack ment to happen today or in the next 24 hours?

Well it's been spreading in the last 24 hours apparently. It's not really an "attack" where someone is actively attacking something, but you still need to make the user do something (go to a website).

Edit: Well that's interesting. I guess McAfee VS Enterprise is pretty useful since it is able to block it with its Buffer Overflow protection. Does anyone know if the buffer overflow protection from AMD and Intel do anything?

Edited by DefensiveCore
Proficient

yodat

Posted
Posted

Doubt it, if this was really zero day, then NOD32 would give the generic heuristic detection (NewHeur* something like that), and not a name (unless the news source is a bit late, which it might be).

Yes, NOD32 detects the malwares which uses this exploit from update 1.1342.

http://www.wilderssecurity.com/showthread.php?t=113132

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted (edited)

Yes this is out in the open as we speak, I have seen three computers already infected by This in the last two days, The previous link will just take you to a page where you can view information on the exploit, It's REALLY nasty and spreading quickly, ANY XP machine fully patched can get instantly infected if you just view a website containing the exploint while using Internet Explorer.

I have also explained how to remove one of the variants of this exploit Here

Edited by Ely
Mentor

madnuke

Posted
Posted

Ok, now on action stations I've seen that this before only today at work, when we going to be able to get a patch from Microsoft or some updated virus protection files. If this exploit is published it could be another few varients of it.

Mentor

RootWind

Posted
Posted

Ok, now on action stations I've seen that this before only today at work, when we going to be able to get a patch from Microsoft or some updated virus protection files. If this exploit is published it could be another few varients of it.

Looks like almost every AV has an update for it already.

Mentor

BigCheese

Posted
Posted

OOOHHHHH!

"Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C."

Yesterday, I went to some dodgy website (using Maxthon), and it kept asking to download some random wmf file. Luckily I didn't.

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

It's funny how yesterday you would make a search on this board for SpySheriff and you would get no results, Just make a search for it now and you'll see how fast it's going........ This is a nasty nasty infection.

Mentor

madnuke

Posted
Posted

This is looking partically nasty and time consuming to us PC techs, I think its going to be best to format untill there is some easy removal tool or Microsoft patchs it as most normal savy pc users wont know about this, half of them wont even know what a a .wmf is.

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Here is a video on how this thing behaves one you are infected, telling by the info so far it looks like there's lots of different variants of it, it always works using different antyspyware hoax programs:

Video Here

and Here it is a link to the full article with the video.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Sandboxie Plus 1.17.8 / Classic 5.72.8

      By Copernic · Posted

      Sandboxie Plus 1.17.8 / Classic 5.72.8 by Razvan Serea Run programs in a sandbox to prevent malware from making permanent changes to your PC. Sandboxie allows you to run your browser, or any other program, so that all changes that result from the usage are kept in a sandbox environment, which can then be deleted later. Sandboxie is a sandbox-based isolation software for 32- and 64-bit Windows NT-based operating systems. It is being developed by David Xanatos since it became open source, before that it was developed by Sophos (which acquired it from Invincea, which acquired it earlier from the original author Ronen Tzur). It creates a sandbox-like isolated operating environment in which applications can be run or installed without permanently modifying the local or mapped drive. An isolated virtual environment allows controlled testing of untrusted programs and web surfing. Sandboxie is available in two flavors Plus and Classic. Both have the same core components, this means they have the same level of security and compatibility. What's different is the user interface the Plus build has a modern Qt based UI which supports all new features that have been added since the project went open source. The Classic build has the old no longer developed MFC based UI, hence it lacks support for modern features, these features can however still be used when manually configured in the Sandboxie.ini. Sandboxie Plus 1.17.8 / Classic 5.72.8 release notes: Added added DisableCustomTitleOpt=[process,][y|n] to allow [#] sandboxie title markers on custom-titlebar windows (Delphi VCL, Qt, Electron) that were previously skipped to prevent DWM repaint CPU loops #5387 Changed updated bundled ImDisk driver to 3.0.2 #5419 Fixed fix Suppress logs for expected non-user SIDs #5422 SbieSvc.exe: SBIE2218/2219 error when run program as administrator #5417 fixed explorer.exe crashes in Application Compartment when Huorong Security is installed #5423 Download: Sandboxie Plus (64-bit) | 23.5 MB (Open Source) Download: Sandboxie Classic (64-bit) | 3.0 MB Links: Sandboxie Website | GitHub | ARM64 | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • what other retro software do yall use

      By goretsky · Posted

      Hello, Christian Maas' XVI32 is a nice (and very small) hex editor. Speaking of hex editors, many years ago a colleague and I who both worked at Tribal Voice managed to edit a copy of the company's PowWow instant messaging client to make it behave better now that all of its lookup servers and other server-side tech was gone.  The program didn't support NAT (RFC-3022 was introduced in January 2001, the same time Tribal Voice was shuttered), but it still worked okay if you manually set up port-forwarding on your router.  The server at http://powwow.jazy.net/ hosts a copy (usual warnings about downloading and running untrusted code from random internet servers apply). I occasionally use some tools like Funduc Software's Search and Replace and Application Mover when I need to make mass-edits to text-based files or move programs with a hard-coded installation directories, respectively.  When I need to figure out the exact LCD panel inside of a laptop, EnTech Taiwan's Monitor Asset Manager is my go-to tool for that purpose. JD Design's website (now hosted on github.io) has a number of interesting freeware and shareware utilities.  I used to use their TouchPro utility to set the file timestamps on software I was mastering to match its version number (e.g., version 3.00 of a program had all of its files dates set to 3:00AM, and so forth). Karenware has a number of interesting freeware utilities, too. Regards, Aryeh Goretsky  
    • what other retro software do yall use

      By Steven P. · Posted

      I still use HexChat! Not really as ancient as the 1994 AutoCAD above my post, but I have never found anything better to replace it. Yes we still operate an IRC server https://www.neowin.net/irc/ 😛 
    • what other retro software do yall use

      By +InsaneNutter · Posted

      At work we still have a couple of people that use a version of AutoCAD LT purchased in 1994. This predates Windows 95 and works fine on versions of Windows up to XP. Its long since run in an locked down isolated XP VM, accessible via RDP. I did install LibreCAD for them, however they said it was just too different to get to grips with. In all fairness one of them is now 75 and the other is almost 60.
    • what other retro software do yall use

      By He's Dead Jim · Posted

      On my music making (non internet) PC Sony Acid Pro 7.0 Adobe Audition 2015 Korg Legacy Collection Windows 7 SP1

  • Recent Achievements

    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      509
    2. 2
      +Edouard
      198
    3. 3
      PsYcHoKiLLa
      138
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      82
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!