Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Mentor

madnuke

Posted
Posted

LOL its perfectly safe its off a Security based website, I would'nt be worried, this should proberly go on the main page because of how serious this is and to warn as many people as possible.

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Sawyer12 the video above is from a trusted site, it contains nothing, still if you don't want to watch it I can tell you that if you are infected you ll immediately notice because your desktop background will turn either black or blue and it will have a huge warning saying that you are infected, there will also be a warning and icon on your system tray telling you the same and prompting you to click on it to resolve the problem, however both warnings are fake and part of the virus to trick people into clicking and installing the rest of the trojan, At that point without clicking you will already be infected with a system you cannot change the desktop background to, several changes made to your registry and several .exe files placed in different areas of your system, you will also see that your system enters in a loop where everytime you restart the computer the same program tries to make you click and install the program, if you do then your system will be even more compromised.

This virus also tricks people cause it sends you to a page where supposedly you are going to buy an anti-spyware or anti-virus program, you ll be sending your information to a bogus site which will not give you any software at all. So far this is what I know about the virus, but there's lots more it can do and it appears there's several dangerous variants of it on the wild.

spyware_warning.png

That's what you will see on your system tray too if you are infected.

Mentor

madnuke

Posted
Posted

Typing REGSVR32 /U SHIMGVW.DLL is a valid wordaround to avoid the exploit.

This is what I read somewhere, this seems like the only preventative thing to stop it at the moment until MS get up and realise something is wrong. Seems ok with websites this will proberly block WMF/EMF which is good. And the good thing is you can unregister and register the DLL.

http://www.microsoft.com/resources/documen...s/regsvr32.mspx

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Typing REGSVR32 /U SHIMGVW.DLL is a valid wordaround to avoid the exploit.

This is what I read somewhere, this seems like the only preventative thing to stop it at the moment until MS get up and realise something is wrong.

Could you elaborate more on that? where did you get that info from? thanks.

Mentor

madnuke

Posted
Posted

http://isc.sans.org/

Well they just posted it here, but I thought I saw this before that was posted :huh:

edit: found it on a blog comments of Sunbelts site.

Ah well me and a friend are trying to fix it the file it effects with the exploit is SHIMGVW.DLL so I guess unregistering prevents Windows picture and fax viewer from opening it automatically, NOTE you can still download this so it sort of makes it like Firefox level safe for those who use IE.

Grand Master

acedriver

Posted
Posted
Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.

http://isc.sans.org/

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Microsoft has officially put out a statement check it out at:

http://www.microsoft.com/technet/security/...ory/912840.mspx

It looks some folks are being able to mitigate or momentarily fix the vulnerability by typing the following command:

REGSVR32 /U SHIMGVW.DLL

http://isc.sans.org/ is the one publishing that momentary fix, however be aware it will break Windows Picture & Fax viewer and Paint and possibly other application whenever they attempt to open a WMF type of file.

Mentor

greg098

Posted
Posted

Here's some screenshots i took of the virus in a virtual machine...Whats strange is, I got this virus about 3 months ago! I eventually got rid of it, after hours of deleting crap...but i kept getting plastered with adverts in internet explorer and firefox, even after I had made sure I had gotten rid of this virus. I eventually wiped my computer as it was beyond a joke. There was nothing in Task Manager, yet I would get about 10 adverts every minute...even flash ones that I couldnt close! yet still nothing in Task Manager.

I really hope a patch is released for this soon, as I do not want to get this virus AGAIN!

post-73728-1135836234_thumb.jpg

post-73728-1135836304_thumb.jpg

Collaborator

Mr. Dick C. Normous

Posted
Posted

Yes it does but under the Enhanced Security Config (if enabled) it should prevent it from automatically launching, you would have to click on the link for it to launch.

Thank you Tkyoshi for responding. I am going to create an image of my root drive and give this a try now. I think I am safe but a false sense of security can be worse than being insecure. Right now I am browsing the web with images disabled but I don't really like it LOL. Almost all of my security settings (all but three) are set to the defaults so I am curious what will happen. I will post my finding in about thirty minutes.

Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

Well this has been interesting to say the least. While in IE the WMF file did nothing (expected). Whether viewing the file or clicking the link nothing happened. Once saved to my hard drive and opening the file in Image viewer the exploit was able to run. I denied BOOT.INX access to the internet and after a reboot almost all was well. The task manager was disabled but that can be fixed via gpedit.msc or the registry. I also found the following registry keys were created.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

and

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

I am not a security professional but these keys look like they allow boot.inx to be accepted by Windows Firewall. So far it looks like a decent firewall and a little knowledge can keep you fairly safe from this. I will try a few more things and post the results.

EDIT: I found something else out. If the file is saved locally DO NOT EVEN HOVER OVER IT!!! Even if its on your desktop without a preview it will allow the exploit to run.

Edited by Mr. Dick C. Normous
Collaborator

Mr. Dick C. Normous

Posted
Posted

Deleting the file extension in Windows DOES NOTHING. Even without being directly associated with Image viewer the exploit will run. I have tried associating wmf files with Photoshop and Internet Explorer and neither seems to work fully. They will keep the file itself from running but the exploit will still execute if the file is hovered over. Unregistering SHIMGVW.DLL seems to be the best/only way around this. It keeps the file from running and DOES allow you to hover over the file without being infected. I am still running the same install of Windows Server 2003 as I originally started with. The only thing I have running for protection is ZoneAlarm and all is still well. I never received the full infection. If you are at all uncertain PLEASE unregister SHIMGVW.DLL as posted by Madnuke. You can do so by clicking start and then run and entering the following command.

regsvr32 /u SHIMGVW.DLL

After a patch has been released you can re-enable Image viewer by running

regsvr32 /i SHIMGVW.DLL

That's it for tonight folks. If I learn anything else I will post it.

Mentor

tkyoshi

Posted
Posted

Deleting the file extension in Windows DOES NOTHING. Even without being directly associated with Image viewer the exploit will run. I have tried associating wmf files with Photoshop and Internet Explorer and neither seems to work fully. They will keep the file itself from running but the exploit will still execute if the file is hovered over. Unregistering SHIMGVW.DLL seems to be the best/only way around this. It keeps the file from running and DOES allow you to hover over the file without being infected. I am still running the same install of Windows Server 2003 as I originally started with. The only thing I have running for protection is ZoneAlarm and all is still well. I never received the full infection. If you are at all uncertain PLEASE unregister SHIMGVW.DLL as posted by Madnuke. You can do so by clicking start and then run and entering the following command.

regsvr32 /u SHIMGVW.DLL

After a patch has been released you can re-enable Image viewer by running

regsvr32 /i SHIMGVW.DLL

That's it for tonight folks. If I learn anything else I will post it.

Awsome info there Mr. Dick C., thanks for sharing!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Linux 7.1 arrives with an NTFS overhaul and major hardware performance boosts

      By zikalify · Posted

      Linux 7.1 arrives with an NTFS overhaul and major hardware performance boosts by Paul Hill The founder of the Linux kernel has just announced the availability of Linux 7.1. This is a stable version of the kernel that will now be tested by various Linux distributions before it is shipped to users through update managers. Some users, like those on Debian, for example, might not get it for a long time, if at all, while Fedora users can expect it in the near future. With Linux 7.1 out on time, the merge window for Linux 7.2 is now open, giving contributors the opportunity to send in major new features that have been waiting for the last two months. Torvalds warned that he is currently travelling and will be in another timezone, so timing for the merge window may be irregular due to timezone differences and limited internet access. Torvalds said that he has already fetched early pull requests to allow him to do some offline work, but the travel could still cause disruption. Right now, he is not planning to extend the release, but did consider it. He said he might later regret not extending, though. In terms of this last week of development for Linux 7.1, Torvalds said there were no major or alarming changes. This week consisted mostly of smaller driver updates to GPU, networking, and sound, networking fixes, trace tooling fixes, and misc minor fixes. The shortlog this week lists fixes for driver bugs, memory leaks, I/O and USB fixes, networking and RDMA fixes, DRM/graphics fixes, and tooling and verification improvements. Specific fixes include USB series heap-overflow and buffer overflow fixes, and multiple use-after-free, memory-leak, and refcount corrections across subsystems such as i2c, zram, gpio, and net. There are fixes for graphics drivers, including amdgpu, i915, and virtio, as well as hypervisor and virtualization tweaks affecting mshv, vmbus, and hyperv. According to Phoronix, anyone running Linux 7.1 should look out for the new NTFS driver, Intel FRED for improved performance on Panther Lake and future CPUs, faster graphics with Intel Arc Battlemage, and improvements for older AMD Radeon GPUs. If you are running Linux on your computer and everything is fine, then you don’t need to worry about updating to Linux 7.1 as a priority; just wait for it to be pushed to you. If you have tried Linux on hardware but it didn’t work properly, trying again with a distro that uses Linux 7.1 could cause Linux to work on your machine, thanks to the new hardware support.
    • Microsoft hides these secret Windows 11 performance boost settings available on every PC

      By contevo · Posted

      you can also do this with this tool: PowerSettingsExplorer made by mbk1969 at 3dguru forum.. I found it by accident researching on modern standby and annoying quirks of it in 2022
    • AB Download Manager 1.9.1

      By Copernic · Posted

      AB Download Manager 1.9.1 by Razvan Serea AB Download Manager is an open-source, feature-rich download manager designed to accelerate downloads, organize files efficiently, and provide seamless control over downloads. With support for multiple connections, resume capability, and an intuitive interface, it enhances the downloading experience for users seeking speed and reliability. The software integrates with various browsers, enabling quick link grabbing and batch downloading. It supports HTTP, HTTPS, and FTP protocols, ensuring broad compatibility with different file sources. Users can schedule downloads, set speed limits, and categorize files automatically for better organization. AB Download Manager is lightweight yet powerful, making it a great alternative to proprietary download managers. Its open-source nature allows developers to contribute, customize, and improve the software as needed. Whether you're downloading large files, managing multiple downloads at once, or seeking an ad-free experience, this tool offers a practical and efficient solution. Key features of AB Download Manager: Multi-Connection Support – Accelerates downloads by splitting files into multiple segments. Resume Capability – Allows paused or interrupted downloads to be resumed without starting over. Batch Downloading – Supports downloading multiple files at once for improved efficiency. Browser Integration – Captures download links directly from browsers for seamless operation. HTTP, HTTPS, and FTP Support – Ensures compatibility with a wide range of file sources. Download Scheduling – Enables users to automate downloads at specific times. Speed Limiting – Lets users control bandwidth usage for optimized performance. File Categorization – Automatically organizes downloaded files into designated folders. User-Friendly Interface – Simple and intuitive design for easy navigation. Cross-Platform Compatibility – Works on multiple operating systems. Ad-Free Experience – No intrusive ads or tracking for a clean user experience. AB Download Manager 1.9.1 changelog: Added An option to customize notification sounds (#1259) Fixed Ongoing notification was laggy on Samsung One UI devices (#1269) Improved Updated Translations Minor UI/UX improvements Download: AB Download Manager 1.9.1 | Portable | ~80.0 MB (Open Source) Download: ARM64 | Portable ARM64 | Android Links: AB Download Manager Website | Github Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Louis Rossmann suing Samsung over "990 Pro SSD warranty scam"

      By WITHOUT-ME · Posted

      watching him because of the Mr Klinton cat
    • Can't access the forum on mobile

      By WITHOUT-ME · Posted

      yup dude, ADS on this website are terrible

  • Recent Achievements

    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later
    • One Month Later
      agatameier earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      506
    2. 2
      +Edouard
      196
    3. 3
      PsYcHoKiLLa
      140
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      81
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!