Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Mentor

madnuke

Posted
Posted

LOL its perfectly safe its off a Security based website, I would'nt be worried, this should proberly go on the main page because of how serious this is and to warn as many people as possible.

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Sawyer12 the video above is from a trusted site, it contains nothing, still if you don't want to watch it I can tell you that if you are infected you ll immediately notice because your desktop background will turn either black or blue and it will have a huge warning saying that you are infected, there will also be a warning and icon on your system tray telling you the same and prompting you to click on it to resolve the problem, however both warnings are fake and part of the virus to trick people into clicking and installing the rest of the trojan, At that point without clicking you will already be infected with a system you cannot change the desktop background to, several changes made to your registry and several .exe files placed in different areas of your system, you will also see that your system enters in a loop where everytime you restart the computer the same program tries to make you click and install the program, if you do then your system will be even more compromised.

This virus also tricks people cause it sends you to a page where supposedly you are going to buy an anti-spyware or anti-virus program, you ll be sending your information to a bogus site which will not give you any software at all. So far this is what I know about the virus, but there's lots more it can do and it appears there's several dangerous variants of it on the wild.

spyware_warning.png

That's what you will see on your system tray too if you are infected.

Mentor

madnuke

Posted
Posted

Typing REGSVR32 /U SHIMGVW.DLL is a valid wordaround to avoid the exploit.

This is what I read somewhere, this seems like the only preventative thing to stop it at the moment until MS get up and realise something is wrong. Seems ok with websites this will proberly block WMF/EMF which is good. And the good thing is you can unregister and register the DLL.

http://www.microsoft.com/resources/documen...s/regsvr32.mspx

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Typing REGSVR32 /U SHIMGVW.DLL is a valid wordaround to avoid the exploit.

This is what I read somewhere, this seems like the only preventative thing to stop it at the moment until MS get up and realise something is wrong.

Could you elaborate more on that? where did you get that info from? thanks.

Mentor

madnuke

Posted
Posted

http://isc.sans.org/

Well they just posted it here, but I thought I saw this before that was posted :huh:

edit: found it on a blog comments of Sunbelts site.

Ah well me and a friend are trying to fix it the file it effects with the exploit is SHIMGVW.DLL so I guess unregistering prevents Windows picture and fax viewer from opening it automatically, NOTE you can still download this so it sort of makes it like Firefox level safe for those who use IE.

Grand Master

acedriver

Posted
Posted
Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.

http://isc.sans.org/

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Microsoft has officially put out a statement check it out at:

http://www.microsoft.com/technet/security/...ory/912840.mspx

It looks some folks are being able to mitigate or momentarily fix the vulnerability by typing the following command:

REGSVR32 /U SHIMGVW.DLL

http://isc.sans.org/ is the one publishing that momentary fix, however be aware it will break Windows Picture & Fax viewer and Paint and possibly other application whenever they attempt to open a WMF type of file.

Mentor

greg098

Posted
Posted

Here's some screenshots i took of the virus in a virtual machine...Whats strange is, I got this virus about 3 months ago! I eventually got rid of it, after hours of deleting crap...but i kept getting plastered with adverts in internet explorer and firefox, even after I had made sure I had gotten rid of this virus. I eventually wiped my computer as it was beyond a joke. There was nothing in Task Manager, yet I would get about 10 adverts every minute...even flash ones that I couldnt close! yet still nothing in Task Manager.

I really hope a patch is released for this soon, as I do not want to get this virus AGAIN!

post-73728-1135836234_thumb.jpg

post-73728-1135836304_thumb.jpg

Collaborator

Mr. Dick C. Normous

Posted
Posted

Yes it does but under the Enhanced Security Config (if enabled) it should prevent it from automatically launching, you would have to click on the link for it to launch.

Thank you Tkyoshi for responding. I am going to create an image of my root drive and give this a try now. I think I am safe but a false sense of security can be worse than being insecure. Right now I am browsing the web with images disabled but I don't really like it LOL. Almost all of my security settings (all but three) are set to the defaults so I am curious what will happen. I will post my finding in about thirty minutes.

Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

Well this has been interesting to say the least. While in IE the WMF file did nothing (expected). Whether viewing the file or clicking the link nothing happened. Once saved to my hard drive and opening the file in Image viewer the exploit was able to run. I denied BOOT.INX access to the internet and after a reboot almost all was well. The task manager was disabled but that can be fixed via gpedit.msc or the registry. I also found the following registry keys were created.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

and

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

I am not a security professional but these keys look like they allow boot.inx to be accepted by Windows Firewall. So far it looks like a decent firewall and a little knowledge can keep you fairly safe from this. I will try a few more things and post the results.

EDIT: I found something else out. If the file is saved locally DO NOT EVEN HOVER OVER IT!!! Even if its on your desktop without a preview it will allow the exploit to run.

Edited by Mr. Dick C. Normous
Collaborator

Mr. Dick C. Normous

Posted
Posted

Deleting the file extension in Windows DOES NOTHING. Even without being directly associated with Image viewer the exploit will run. I have tried associating wmf files with Photoshop and Internet Explorer and neither seems to work fully. They will keep the file itself from running but the exploit will still execute if the file is hovered over. Unregistering SHIMGVW.DLL seems to be the best/only way around this. It keeps the file from running and DOES allow you to hover over the file without being infected. I am still running the same install of Windows Server 2003 as I originally started with. The only thing I have running for protection is ZoneAlarm and all is still well. I never received the full infection. If you are at all uncertain PLEASE unregister SHIMGVW.DLL as posted by Madnuke. You can do so by clicking start and then run and entering the following command.

regsvr32 /u SHIMGVW.DLL

After a patch has been released you can re-enable Image viewer by running

regsvr32 /i SHIMGVW.DLL

That's it for tonight folks. If I learn anything else I will post it.

Mentor

tkyoshi

Posted
Posted

Deleting the file extension in Windows DOES NOTHING. Even without being directly associated with Image viewer the exploit will run. I have tried associating wmf files with Photoshop and Internet Explorer and neither seems to work fully. They will keep the file itself from running but the exploit will still execute if the file is hovered over. Unregistering SHIMGVW.DLL seems to be the best/only way around this. It keeps the file from running and DOES allow you to hover over the file without being infected. I am still running the same install of Windows Server 2003 as I originally started with. The only thing I have running for protection is ZoneAlarm and all is still well. I never received the full infection. If you are at all uncertain PLEASE unregister SHIMGVW.DLL as posted by Madnuke. You can do so by clicking start and then run and entering the following command.

regsvr32 /u SHIMGVW.DLL

After a patch has been released you can re-enable Image viewer by running

regsvr32 /i SHIMGVW.DLL

That's it for tonight folks. If I learn anything else I will post it.

Awsome info there Mr. Dick C., thanks for sharing!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • EA launches in-game advertising platform for brands to "connect with audiences"

      By LoneWolfSL · Posted

      EA launches in-game advertising platform for brands to "connect with audiences" by Pulasthi Ariyasinghe The gaming giant Electronic Arts is exploring more ways to inject real-life brands into its games. Announced today as EA Advertising, the new platform is attempting to make it easier for brands to reach out for deals with the company and put their products inside titles like EA Sports FC, Madden, NHL, Skate, or The Sims. EA revealed that its EA Sports side of the company brings in "hundreds of millions of players across console, PC, and mobile" every year. Fan engagement of these titles was also touted as being "extraordinary," with 23,000 NFL seasons worth of games being played in Madden NFL daily, while EA Sports FC sees over a billion matches a day. “Players come to EA’s games and live experiences every day to play, watch, create and connect,” said David Tinson, Chief Experiences Officer at Electronic Arts. “That gives brands a meaningful opportunity to show up in ways that add value and respect the player experience, while maintaining authenticity in the worlds our teams are building. With EA Advertising, we’re helping brands become part of those moments in ways that are relevant and built for players.” Using the new program EA Advertising, brands will be able to inject their products into games in real-time via dynamic placement. EA says partners will have access to everything from stadium signage in sports games and targeted adverts to in-game content custom-made for the brands. These are described as additions designed to "enhance, not disrupt" experiences. "In these interactive gameplay environments, brands become part of the game itself, reflecting how players engage with advertising in real-world contexts," adds the company "Brands can activate across live environments, tailoring placements to meet campaign objectives, and update campaigns with ongoing optimization informed by aggregated engagement insights." Current real-world brand partnerships EA has built into its games include Visa (EA Sports FC and College Football), Lowe's (EA Sports FC, Madden NFL, and College Football), Red Bull (EA SPORTS FC), Xfinity and Peacock (EA SPORTS FC), and Mountain Dew’s (College Football).
    • UK to ban under-16s from social media following a six-week trial with teenagers

      By suni08 · Posted

      Will be surprised if there isn't a new ver of youtube just for labelled educational content
    • UK to ban under-16s from social media following a six-week trial with teenagers

      By zikalify · Posted

      UK to ban under-16s from social media following a six-week trial with teenagers by Paul Hill Credit: Pexels A few months ago, Neowin reported that the UK was trialing a social media ban with 300 teenagers for six weeks, that testing has come to an end, and Prime Minister Keir Starmer has announced that the country will ban under-16s from social media. Starmer said that this technology is making children unhappy and making it easier for bullies to harass and abuse them. He continued to talk about the addictive nature of social media, saying that it uses an infinite scroll designed to lock users in for hours. He said this interferes with children doing their homework, reading, playing with friends outside, and going to bed on time. Tackling the idea that nothing can be done about social media, Starmer said: The government’s action won’t stop at social media either, the PM said. It plans to take action on gaming services and livestreaming platforms. Right now, he said, strangers can contact any child unchecked. He said this wouldn’t happen in real life, and the government is going to stop it from happening online, too. The Labour government has overseen the introduction of the Online Safety Act, a big change to the internet which includes age verification on adult websites. This has led to a fair bit of backlash, but overall, the government is pushing ahead with these changes.
    • what other retro software do yall use

      By _neutrino · Posted

      Still using Hexchat every day but i would not consider it Retro 😛
    • HONOR Robot Phone unveils first Cinematic Video at Shanghai International Film Festival

      By Steven P. · Posted

      HONOR Robot Phone unveils first Cinematic Video at Shanghai International Film Festival by Steven Parker Global AI device ecosystem company HONOR announced on June 13 that its revolutionary HONOR Robot Phone made its professional imaging debut at the 28th Shanghai International Film Festival (SIFF), demonstrating the result of its mobile videography capabilities for the first time. As the official mobile photography and videography partner of the 28th Shanghai International Film Festival, HONOR empowers this premier cinematic event with cutting-edge mobile imaging technology. Marking the global debut of the first cinematic video it captured, Robot Phone breaks down the boundaries between mobile imaging and professional filmmaking, ushering in a new paradigm for the deep integration of technology and cinematic art. In the video published on HONOR’s official channel (above), Robot Phone was used byELLEMEN to capture cinematic video portraits for the SIFF jury members. With its exceptional stability and cinema-grade imaging capabilities, the device redefines the art of portrait filmmaking, faithfully reproducing the rich tonal gradations and nuanced color transitions associated with film photography. The result is a new level of visual sophistication, creating high-end cinematic imagery that seamlessly blends atmosphere with narrative tension. The video released for the Robot Phone showcases the powerful stabilization capabilities of its built-in gimbal system, delivering exceptionally smooth handheld camera movement while preserving full image quality. By minimizing reliance on electronic image stabilization, the device effectively avoids the image cropping and quality loss typically associated with digital stabilization methods. Representing an innovative leap in form factor, the HONOR Robot Phone features the industry's smallest titanium alloy gimbal, delivering ultra-precision, extreme flexibility, and superior stability. Driven by high-performance motors, the gimbal rises dynamically, breaking free from the physical limitations of traditional camera modules. Combined with advanced AI algorithms that enable intelligent object tracking and various movements with stable shots, the device significantly simplifies video creation and reshapes both the equipment choices and creative habits of modern users. Notably, the Robot Phone will be the first product that features the results of HONOR's strategic technological partnership with ARRI, the world-renowned designer and manufacturer of professional camera technology for cinematic storytelling. From Cannes to Shanghai, the HONOR Robot Phone continues to lead the mobile imaging industry into an entirely new stage of development. Moving forward, HONOR will leverage cutting-edge AI and mobile imaging technologies to unlock new creative possibilities and extend cinematic standards for visual expression from the world of high-end filmmaking to the next generation of content creators. Learn more about the HONOR Robot Phone here: https://www.honor.com/global/events/honor-robot-phone/

  • Recent Achievements

    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      510
    2. 2
      +Edouard
      200
    3. 3
      PsYcHoKiLLa
      137
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      84
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!