Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer cause I always use it.

Typing the command to stop the vulnerability while Microsoft puts out a patch will NOT totally break Windows Picture & Fax viewer or paint, it will just make it so those applications cannot open WMF files. and still there's a command to enable them back at any time.

And for those who cannot fix the wallpaper issue after getting rid of the virus, read my post Here

Grand Master

Farstrider

Posted
Posted

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

Someone else has asked how this can be free? My business does these sorts of repairs and I charge in the region of $50.00 an hour for any work of this nature and if any software is required I have to charge for it! I am a Microsoft Partner as well as an Eset Partner and these programs are NOT FREE! The only free product that you mentioned is CrapCleaner! I also doubt that you have removed all the problems! So as regards the last part of what you wrote, clients WILL pay, for sure!

Mentor

tkyoshi

Posted
Posted (edited)

I'm advising reinstalls all round! Its going to be the only way god knows how many varients out and I was also wondering if DEP works?

Yes it does, the exploit will apparently be blocked if your CPU has DEP. You must however make sure it's on for everything and not just "essential services" (default).

You can also enable software DEP if your computer doesn't have a CPU that supports it in hardware but i don't know if software DEP will prevent this.

Edited by tkyoshi
Mentor

tkyoshi

Posted
Posted

post-25252-1135902700_thumb.jpg

so as long as that option is set, I'm okay?

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

post-11767-1135903467_thumb.jpg

What happens if the exploit tries to run w/ [Hardware] DEP:

post-11767-1135903482.jpg

Grand Master

canadian397

Posted
Posted

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

post-11767-1135903467_thumb.jpg

What happens if the exploit tries to run w/ [Hardware] DEP:

post-11767-1135903482.jpg

okay, can anyone confirm this? :unsure:

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

ya thanx for the video that was very informative

I saw that red button on 2 computers, the only way to get rid of it was to kill exporer.exe and then delete the .dll file in the system32 folder, this little bugger even runs in safe mode.

Mentor

struct

Posted
Posted

Well somehow, the blue text went away for me. The only thing I can think of that I did was after I reregistered it this morning, was to unregister and reregister again. But I'm not totally sure if that fixed it

just got this too :( gonna reboot in a sec see if that fixes it

Proficient

er0n

Posted
Posted

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

I don't see any difference between your DEP menu and his :wacko:

Edit: Ok I see it

Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

http://grc.com/sn/notes-020.htm

Steve Gibson has a temporary solution. I trust this man.

This fix has been posted on this topic a few times already. Another way to avoid the exploit is to enable DEP. Software DEP alone will prevent it in Windows Server 2003 at least.

Does anyone know why I can't infect a fresh install of XpSp2 in VmWare? No settings have been changed nor have any programs or updates been installed. I'm trying to trace all the changes this thing makes but I want to do it in VmWare so I can continue working on something else.

Edited by Mr. Dick C. Normous
Mentor

tkyoshi

Posted
Posted

okay, can anyone confirm this? :unsure:

Microsoft has confirmed it now:

I have DEP enabled on my system, does this help mitigate the vulnerability?

Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation.

Mentor

greg098

Posted
Posted

After being infected by this virus in my virtual machine, windows live messenger doesnt work. Maybe it broke it? It opens and I sign in, but then it breaks and tells me to send an error report.

Also, on Microsoft's report, it tells users to use Microsoft Anti-Spyware to keep their system protected. I done a scan with it and it didnt even get rid of it. Infact is told me that my default home page was C:/secure.html lol which in fact was not my original homepage at all.

Mentor

madnuke

Posted
Posted

Well everyone is going to be back to work tomorow or so it seems, school starts this week, people going back to uni, this is when the problems will start. Unpatched machines with people with no more little computer knowledge than opening up word, they wont know what a DLL file is. This thing is using emails, IM, P2P and websites that takes about every way to get infected, the one thing I know is as soon as a fix comes out I'm going to burn a few cds for the influx which will be at work.

Grand Master

+M2Ys4U Subscriber¹

Posted
  • Subscriber¹
Posted

Well, people shouldn't be using Internet Explorer, they've had almost two full years now to switch to Firefox :)

but anyway, I hope it breaks the world for a day adn I get my vacation day (today) back, tomorrow.!

1) Firefox 1.0 was released a little over ONE year ago

2) You can still become infected using Firefox, you just have to download the file first

I use Firefox and I do loathe IE, just don't spread FUD, dude.

Apprentice

Havin_it

Posted
Posted

QUESTION: What is the situation with Win9x?

This has been largely ignored as people fret over WinNT and family, but let's not forget there are plenty folk out there running Win 95/98/ME, and I can see virtually no advice for them.

This concerns me as I have one 98SE and two ME users in my immediate circle. (My mum has Win95 but no Internet lol) My warnings of doom are a little empty if I can't give them any concrete information besides "use Firefox and, umm, y'know, just be careful..." These are not the most geeky people, either.

What system files do we need to look at with these OSes? Are there DLLs to be unregistered? Is GDI+ the same on these OSes? I think we must be told!

The only mention I've found about these OSes (apart from in the MS advisory) is from the ISC diary, http://isc.sans.org/diary.php?storyid=994

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS.  Your mitigation options are very limited. You really need to upgrade.

Not exactly very helpful...!

Anyhoo, I guess the next 24 hours will be very telling. Why the hell is this not getting more press?!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft hides these secret Windows 11 performance boost settings available on every PC

      By duhk · Posted

      hey buddy, i don't appreciate the attitude. Can't wait to see the results.
    • Politically funny images of the World

      By +primortal · Posted

    • Marshall Major V Bluetooth headphones are now up to 47% off on Amazon

      By Ivan Jenic · Posted

      Marshall Major V Bluetooth headphones are now up to 47% off on Amazon by Ivan Jenic The Marshall Major V in Midnight Blue is currently $89.99 on Amazon, down from $169.99. That's 47% off and $80 saved on a pair of wireless on-ear headphones from one of the most recognizable names in audio. The Major V is Marshall's take on a long-lasting everyday headphone. The headphones deliver 100+ hours of wireless playtime, which puts them in a completely different category from most Bluetooth headphones that hover around 30-40 hours. You’re charging this thing once a week at most, and with wireless charging supported, you don’t have to worry about additional cables. Marshall promises its signature sound profile, with strong bass, smooth mids, and clear highs. There’s a customizable M-button, which you can set to quickly access Spotify Tap, your EQ settings, or a voice assistant. The design is foldable and lightweight at 186 grams, so it’s easy to pack for travel. And finally, the faux leather finish gives the Major V a sleek, premium look. At $89.99, the Major V Midnight Blue is a genuinely strong buy for anyone who wants a reliable daily headphone without paying premium prices. It’s also worth mentioning that the Cream and Brown variants are also discounted to $89.99, though from a lower original price of $99.99. Marshall Major V Midnight Blue - $89.99 | 47% off on Amazon This Amazon deal is US-specific and not available in other regions unless specified. This is a first-party seller link (at the time of article publishing); ensure that you also purchase from a first-party seller link only. If you don't like it or want to look at more options, check out the previous deals that we have covered, OR you can also visit Amazon US deals page. Get Prime (SNAP), Prime Video, Audible Plus or Kindle / Music Unlimited. Free for 30 days. As an Amazon Associate, we earn from qualifying purchases.
    • what other retro software do yall use

      By C:Amie · Posted

      +1 on XVI. I still use it. 
    • UK to ban under-16s from social media following a six-week trial with teenagers

      By Skyfrog · Posted

      Age 16, old enough to get a full-time job, your own bank account, a passport, get married, even join the military and go to war. But talking to your friends on the internet? Oh hell no!

  • Recent Achievements

    • Reacting Well
      Almohandis earned a badge
      Reacting Well
    • First Post
      Cosminus earned a badge
      First Post
    • One Year In
      ThatGuyOnline earned a badge
      One Year In
    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      482
    2. 2
      +Edouard
      185
    3. 3
      PsYcHoKiLLa
      122
    4. 4
      Steven P.
      84
    5. 5
      neufuse
      73
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!