Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Mentor

madnuke

Posted
Posted

LOL its perfectly safe its off a Security based website, I would'nt be worried, this should proberly go on the main page because of how serious this is and to warn as many people as possible.

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Sawyer12 the video above is from a trusted site, it contains nothing, still if you don't want to watch it I can tell you that if you are infected you ll immediately notice because your desktop background will turn either black or blue and it will have a huge warning saying that you are infected, there will also be a warning and icon on your system tray telling you the same and prompting you to click on it to resolve the problem, however both warnings are fake and part of the virus to trick people into clicking and installing the rest of the trojan, At that point without clicking you will already be infected with a system you cannot change the desktop background to, several changes made to your registry and several .exe files placed in different areas of your system, you will also see that your system enters in a loop where everytime you restart the computer the same program tries to make you click and install the program, if you do then your system will be even more compromised.

This virus also tricks people cause it sends you to a page where supposedly you are going to buy an anti-spyware or anti-virus program, you ll be sending your information to a bogus site which will not give you any software at all. So far this is what I know about the virus, but there's lots more it can do and it appears there's several dangerous variants of it on the wild.

spyware_warning.png

That's what you will see on your system tray too if you are infected.

Mentor

madnuke

Posted
Posted

Typing REGSVR32 /U SHIMGVW.DLL is a valid wordaround to avoid the exploit.

This is what I read somewhere, this seems like the only preventative thing to stop it at the moment until MS get up and realise something is wrong. Seems ok with websites this will proberly block WMF/EMF which is good. And the good thing is you can unregister and register the DLL.

http://www.microsoft.com/resources/documen...s/regsvr32.mspx

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Typing REGSVR32 /U SHIMGVW.DLL is a valid wordaround to avoid the exploit.

This is what I read somewhere, this seems like the only preventative thing to stop it at the moment until MS get up and realise something is wrong.

Could you elaborate more on that? where did you get that info from? thanks.

Mentor

madnuke

Posted
Posted

http://isc.sans.org/

Well they just posted it here, but I thought I saw this before that was posted :huh:

edit: found it on a blog comments of Sunbelts site.

Ah well me and a friend are trying to fix it the file it effects with the exploit is SHIMGVW.DLL so I guess unregistering prevents Windows picture and fax viewer from opening it automatically, NOTE you can still download this so it sort of makes it like Firefox level safe for those who use IE.

Grand Master

acedriver

Posted
Posted
Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.

http://isc.sans.org/

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Microsoft has officially put out a statement check it out at:

http://www.microsoft.com/technet/security/...ory/912840.mspx

It looks some folks are being able to mitigate or momentarily fix the vulnerability by typing the following command:

REGSVR32 /U SHIMGVW.DLL

http://isc.sans.org/ is the one publishing that momentary fix, however be aware it will break Windows Picture & Fax viewer and Paint and possibly other application whenever they attempt to open a WMF type of file.

Mentor

greg098

Posted
Posted

Here's some screenshots i took of the virus in a virtual machine...Whats strange is, I got this virus about 3 months ago! I eventually got rid of it, after hours of deleting crap...but i kept getting plastered with adverts in internet explorer and firefox, even after I had made sure I had gotten rid of this virus. I eventually wiped my computer as it was beyond a joke. There was nothing in Task Manager, yet I would get about 10 adverts every minute...even flash ones that I couldnt close! yet still nothing in Task Manager.

I really hope a patch is released for this soon, as I do not want to get this virus AGAIN!

post-73728-1135836234_thumb.jpg

post-73728-1135836304_thumb.jpg

Collaborator

Mr. Dick C. Normous

Posted
Posted

Yes it does but under the Enhanced Security Config (if enabled) it should prevent it from automatically launching, you would have to click on the link for it to launch.

Thank you Tkyoshi for responding. I am going to create an image of my root drive and give this a try now. I think I am safe but a false sense of security can be worse than being insecure. Right now I am browsing the web with images disabled but I don't really like it LOL. Almost all of my security settings (all but three) are set to the defaults so I am curious what will happen. I will post my finding in about thirty minutes.

Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

Well this has been interesting to say the least. While in IE the WMF file did nothing (expected). Whether viewing the file or clicking the link nothing happened. Once saved to my hard drive and opening the file in Image viewer the exploit was able to run. I denied BOOT.INX access to the internet and after a reboot almost all was well. The task manager was disabled but that can be fixed via gpedit.msc or the registry. I also found the following registry keys were created.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

and

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

I am not a security professional but these keys look like they allow boot.inx to be accepted by Windows Firewall. So far it looks like a decent firewall and a little knowledge can keep you fairly safe from this. I will try a few more things and post the results.

EDIT: I found something else out. If the file is saved locally DO NOT EVEN HOVER OVER IT!!! Even if its on your desktop without a preview it will allow the exploit to run.

Edited by Mr. Dick C. Normous
Collaborator

Mr. Dick C. Normous

Posted
Posted

Deleting the file extension in Windows DOES NOTHING. Even without being directly associated with Image viewer the exploit will run. I have tried associating wmf files with Photoshop and Internet Explorer and neither seems to work fully. They will keep the file itself from running but the exploit will still execute if the file is hovered over. Unregistering SHIMGVW.DLL seems to be the best/only way around this. It keeps the file from running and DOES allow you to hover over the file without being infected. I am still running the same install of Windows Server 2003 as I originally started with. The only thing I have running for protection is ZoneAlarm and all is still well. I never received the full infection. If you are at all uncertain PLEASE unregister SHIMGVW.DLL as posted by Madnuke. You can do so by clicking start and then run and entering the following command.

regsvr32 /u SHIMGVW.DLL

After a patch has been released you can re-enable Image viewer by running

regsvr32 /i SHIMGVW.DLL

That's it for tonight folks. If I learn anything else I will post it.

Mentor

tkyoshi

Posted
Posted

Deleting the file extension in Windows DOES NOTHING. Even without being directly associated with Image viewer the exploit will run. I have tried associating wmf files with Photoshop and Internet Explorer and neither seems to work fully. They will keep the file itself from running but the exploit will still execute if the file is hovered over. Unregistering SHIMGVW.DLL seems to be the best/only way around this. It keeps the file from running and DOES allow you to hover over the file without being infected. I am still running the same install of Windows Server 2003 as I originally started with. The only thing I have running for protection is ZoneAlarm and all is still well. I never received the full infection. If you are at all uncertain PLEASE unregister SHIMGVW.DLL as posted by Madnuke. You can do so by clicking start and then run and entering the following command.

regsvr32 /u SHIMGVW.DLL

After a patch has been released you can re-enable Image viewer by running

regsvr32 /i SHIMGVW.DLL

That's it for tonight folks. If I learn anything else I will post it.

Awsome info there Mr. Dick C., thanks for sharing!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Win11Debloat 2026.06.14

      By Copernic · Posted

      Win11Debloat 2026.06.14 by Razvan Serea Win11Debloat is a lightweight, easy to use PowerShell script that allows you to quickly declutter and customize your Windows experience. It can remove pre-installed bloatware apps, disable telemetry, remove intrusive interface elements and much more. The script also includes many features that system administrators and power users will enjoy. Such as a powerful command-line interface, support for Windows Audit mode and the option to make changes to other Windows users. All changes made by Win11Debloat can be easily reversed, and most removed apps can be restored via the Microsoft Store. A full guide on how to undo the changes is available here. Win11Debloat features: Below is an overview of the key features and functionality offered by Win11Debloat. Please refer to the wiki for more information about the default settings preset. Remove a wide variety of preinstalled apps. Click here for more info. Disable telemetry, diagnostic data, activity history, app-launch tracking & targeted ads. Disable tips, tricks, suggestions & ads across Windows. Disable Windows location services & app location access. Disable Find My Device location tracking. Disable 'Windows Spotlight' and tips & tricks on the lock screen. Disable 'Windows Spotlight' desktop background option. Disable ads, suggestions and the MSN news feed in Microsoft Edge. Hide Microsoft 365 ads on the Settings 'Home' page, or hide the 'Home' page entirely. Disable & remove Microsoft Copilot. Disable Windows Recall. Disable Click to Do, AI text & image analysis tool. Prevent AI service (WSAIFabricSvc) from starting automatically. Disable AI Features in Edge. Disable AI Features in Paint. Disable AI Features in Notepad. Disable the Drag Tray for sharing & moving files. Restore the old Windows 10 style context menu. Turn off Enhance Pointer Precision, also known as mouse acceleration. Disable the Sticky Keys keyboard shortcut. Disable Storage Sense automatic disk cleanup. Disable fast start-up to ensure a full shutdown. ...and more. Once you’ve downloaded the Win11Debloat file (Get.ps1), just follow these quick steps: Locate the Get.ps1 script file. Right-click the file and select Run with PowerShell from the context menu. If prompted by User Account Control (UAC), select Yes to grant the script the necessary administrative permissions. Win11Debloat 2026.06.14 changes: This is a minor release that hopefully addresses the false positives in Windows Defender and Bitdefender that prevented users from downloading and/or running Win11Debloat. Refactor Get-RegFileOperations.ps1 to address false positives by @Raphire in #626 Add logging around WinGet app retrieval and increase timeout to 20s by @Raphire Download: Win11Debloat 2026.06.14 | Open Source View: Win11Debloat Home Page | Screenshots 1| 2 Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • what other retro software do yall use

      By C:Amie · Posted

      Still using Microsoft Money 2005 in 2026 here!
    • what other retro software do yall use

      By +Eternal Tempest · Posted

      I have a couple to mention, and they still run great on Windows 11 Adobe Lightroom Version 2 Alcohol 120% CLZ Book, Comic, Game, Movie, & Music Collector (PC - No longer sold / Grandfathered in - now mobile apps/online only) DVDDecrypter ISO Buster Pro version 1.9.1 (Still supports HD-DVD too) Nero Burning Rom 8 (Only the burning software, no backup, media converter, etc)   OpenAL (Runtime) - GuildWars 1 Reforged still uses it for 3d headphone audio PowerDVD 12 Ultra SPTD (SCSI Pass through Direct Driver) UltraISO Windows Media Encoder 9 WinImage You can tell I still sport an optical drive    
    • Linux 7.1 arrives with an NTFS overhaul and major hardware performance boosts

      By zikalify · Posted

      Linux 7.1 arrives with an NTFS overhaul and major hardware performance boosts by Paul Hill The founder of the Linux kernel has just announced the availability of Linux 7.1. This is a stable version of the kernel that will now be tested by various Linux distributions before it is shipped to users through update managers. Some users, like those on Debian, for example, might not get it for a long time, if at all, while Fedora users can expect it in the near future. With Linux 7.1 out on time, the merge window for Linux 7.2 is now open, giving contributors the opportunity to send in major new features that have been waiting for the last two months. Torvalds warned that he is currently travelling and will be in another timezone, so timing for the merge window may be irregular due to timezone differences and limited internet access. Torvalds said that he has already fetched early pull requests to allow him to do some offline work, but the travel could still cause disruption. Right now, he is not planning to extend the release, but did consider it. He said he might later regret not extending, though. In terms of this last week of development for Linux 7.1, Torvalds said there were no major or alarming changes. This week consisted mostly of smaller driver updates to GPU, networking, and sound, networking fixes, trace tooling fixes, and misc minor fixes. The shortlog this week lists fixes for driver bugs, memory leaks, I/O and USB fixes, networking and RDMA fixes, DRM/graphics fixes, and tooling and verification improvements. Specific fixes include USB series heap-overflow and buffer overflow fixes, and multiple use-after-free, memory-leak, and refcount corrections across subsystems such as i2c, zram, gpio, and net. There are fixes for graphics drivers, including amdgpu, i915, and virtio, as well as hypervisor and virtualization tweaks affecting mshv, vmbus, and hyperv. According to Phoronix, anyone running Linux 7.1 should look out for the new NTFS driver, Intel FRED for improved performance on Panther Lake and future CPUs, faster graphics with Intel Arc Battlemage, and improvements for older AMD Radeon GPUs. If you are running Linux on your computer and everything is fine, then you don’t need to worry about updating to Linux 7.1 as a priority; just wait for it to be pushed to you. If you have tried Linux on hardware but it didn’t work properly, trying again with a distro that uses Linux 7.1 could cause Linux to work on your machine, thanks to the new hardware support.
    • Microsoft hides these secret Windows 11 performance boost settings available on every PC

      By contevo · Posted

      you can also do this with this tool: PowerSettingsExplorer made by mbk1969 at 3dguru forum.. I found it by accident researching on modern standby and annoying quirks of it in 2022

  • Recent Achievements

    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later
    • One Month Later
      agatameier earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      507
    2. 2
      +Edouard
      197
    3. 3
      PsYcHoKiLLa
      139
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      81
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!