Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer cause I always use it.

Typing the command to stop the vulnerability while Microsoft puts out a patch will NOT totally break Windows Picture & Fax viewer or paint, it will just make it so those applications cannot open WMF files. and still there's a command to enable them back at any time.

And for those who cannot fix the wallpaper issue after getting rid of the virus, read my post Here

Grand Master

Farstrider

Posted
Posted

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

Someone else has asked how this can be free? My business does these sorts of repairs and I charge in the region of $50.00 an hour for any work of this nature and if any software is required I have to charge for it! I am a Microsoft Partner as well as an Eset Partner and these programs are NOT FREE! The only free product that you mentioned is CrapCleaner! I also doubt that you have removed all the problems! So as regards the last part of what you wrote, clients WILL pay, for sure!

Mentor

tkyoshi

Posted
Posted (edited)

I'm advising reinstalls all round! Its going to be the only way god knows how many varients out and I was also wondering if DEP works?

Yes it does, the exploit will apparently be blocked if your CPU has DEP. You must however make sure it's on for everything and not just "essential services" (default).

You can also enable software DEP if your computer doesn't have a CPU that supports it in hardware but i don't know if software DEP will prevent this.

Edited by tkyoshi
Mentor

tkyoshi

Posted
Posted

post-25252-1135902700_thumb.jpg

so as long as that option is set, I'm okay?

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

post-11767-1135903467_thumb.jpg

What happens if the exploit tries to run w/ [Hardware] DEP:

post-11767-1135903482.jpg

Grand Master

canadian397

Posted
Posted

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

post-11767-1135903467_thumb.jpg

What happens if the exploit tries to run w/ [Hardware] DEP:

post-11767-1135903482.jpg

okay, can anyone confirm this? :unsure:

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

ya thanx for the video that was very informative

I saw that red button on 2 computers, the only way to get rid of it was to kill exporer.exe and then delete the .dll file in the system32 folder, this little bugger even runs in safe mode.

Mentor

struct

Posted
Posted

Well somehow, the blue text went away for me. The only thing I can think of that I did was after I reregistered it this morning, was to unregister and reregister again. But I'm not totally sure if that fixed it

just got this too :( gonna reboot in a sec see if that fixes it

Proficient

er0n

Posted
Posted

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

I don't see any difference between your DEP menu and his :wacko:

Edit: Ok I see it

Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

http://grc.com/sn/notes-020.htm

Steve Gibson has a temporary solution. I trust this man.

This fix has been posted on this topic a few times already. Another way to avoid the exploit is to enable DEP. Software DEP alone will prevent it in Windows Server 2003 at least.

Does anyone know why I can't infect a fresh install of XpSp2 in VmWare? No settings have been changed nor have any programs or updates been installed. I'm trying to trace all the changes this thing makes but I want to do it in VmWare so I can continue working on something else.

Edited by Mr. Dick C. Normous
Mentor

tkyoshi

Posted
Posted

okay, can anyone confirm this? :unsure:

Microsoft has confirmed it now:

I have DEP enabled on my system, does this help mitigate the vulnerability?

Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation.

Mentor

greg098

Posted
Posted

After being infected by this virus in my virtual machine, windows live messenger doesnt work. Maybe it broke it? It opens and I sign in, but then it breaks and tells me to send an error report.

Also, on Microsoft's report, it tells users to use Microsoft Anti-Spyware to keep their system protected. I done a scan with it and it didnt even get rid of it. Infact is told me that my default home page was C:/secure.html lol which in fact was not my original homepage at all.

Mentor

madnuke

Posted
Posted

Well everyone is going to be back to work tomorow or so it seems, school starts this week, people going back to uni, this is when the problems will start. Unpatched machines with people with no more little computer knowledge than opening up word, they wont know what a DLL file is. This thing is using emails, IM, P2P and websites that takes about every way to get infected, the one thing I know is as soon as a fix comes out I'm going to burn a few cds for the influx which will be at work.

Grand Master

+M2Ys4U Subscriber¹

Posted
  • Subscriber¹
Posted

Well, people shouldn't be using Internet Explorer, they've had almost two full years now to switch to Firefox :)

but anyway, I hope it breaks the world for a day adn I get my vacation day (today) back, tomorrow.!

1) Firefox 1.0 was released a little over ONE year ago

2) You can still become infected using Firefox, you just have to download the file first

I use Firefox and I do loathe IE, just don't spread FUD, dude.

Apprentice

Havin_it

Posted
Posted

QUESTION: What is the situation with Win9x?

This has been largely ignored as people fret over WinNT and family, but let's not forget there are plenty folk out there running Win 95/98/ME, and I can see virtually no advice for them.

This concerns me as I have one 98SE and two ME users in my immediate circle. (My mum has Win95 but no Internet lol) My warnings of doom are a little empty if I can't give them any concrete information besides "use Firefox and, umm, y'know, just be careful..." These are not the most geeky people, either.

What system files do we need to look at with these OSes? Are there DLLs to be unregistered? Is GDI+ the same on these OSes? I think we must be told!

The only mention I've found about these OSes (apart from in the MS advisory) is from the ISC diary, http://isc.sans.org/diary.php?storyid=994

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS.  Your mitigation options are very limited. You really need to upgrade.

Not exactly very helpful...!

Anyhoo, I guess the next 24 hours will be very telling. Why the hell is this not getting more press?!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Samsung is shutting down yet another app used by millions

      By Elliot B. · Posted

      "Samsung is shutting down yet another app used by millions" I will fix the clickbait title for you, free-of-charge: "Samsung shutting down it's Max VPN app"
    • Microsoft brings Planner Agent to all Microsoft 365 Copilot users

      By Ivan Jenic · Posted

      Microsoft brings Planner Agent to all Microsoft 365 Copilot users by Ivan Jenic Image: Microsoft Microsoft has announced that Planner Agent in Microsoft 365 Copilot is now generally available to all users with a Microsoft 365 Copilot license. Planner Agent is the latest addition in the string of AI features that Microsoft is implementing across virtually all of its products. The agent lets you manage tasks through natural language prompts directly inside Microsoft 365 Copilot. You can create and update tasks, check priorities, and get insights about current entries without leaving the chat interface. The general availability release comes with a handful of new additions on top of what was available during the initial rollout. A new plan picker lets you search and filter your plans by name, then update task names, statuses, due dates, or priorities through the agent. There's also a goals bucket now, which lets you group tasks under specific goals. This builds on the Goals view, a feature that was introduced as part of the broader Planner refresh that rolled out earlier. Image: Microsoft | Planner Agent in Microsoft 365 Copilot All AI-generated plans and tasks are created in draft mode by default, so you can review and approve changes before anything goes through. This is actually a thoughtful safety feature, because trusting AI to handle all your tasks without a human in the loop is usually a recipe for disaster. Having tasks initially saved as drafts is the best possible middle ground. Microsoft also says that not all tasks are executed equally. Simple tasks get processed quickly, while more complex ones, like building a plan from a Word, Excel, or PowerPoint file, are handed to a more capable model. Microsoft says this approach delivers the best performance, but it could also help with usage management, as you won't have to waste tokens on performing simple tasks. Planner Agent is available now across Teams, Loop, SharePoint, and other Microsoft 365 apps for anyone on a Microsoft 365 Copilot subscription.
    • EA Sports UFC 6 review: Brutal, satisfying, and surprisingly accessible to newcomers

      By ryansurfer98 · Posted

      To be clear I'm anti trump, the bigger point is why review this game at all?
    • Major Xbox layoffs may claim South of Midnight developer Compulsion entirely

      By ryansurfer98 · Posted

      Trillion dollar Microsoft has to reduce spending by hurting more people. Good job Microsoft. Good Job Asha.
    • Major Xbox layoffs may claim South of Midnight developer Compulsion entirely

      By Geezy · Posted

      That's a shame. The big Xbox reset when Phil and Sarah left and then Asha came on and brought a new team of executives, and all the layoffs last year and saying that the ABK merger wouldn't result in redundancies I am surprised they are calling for yet another reset and yet more layoffs.

  • Recent Achievements

    • First Post
      Cosminus earned a badge
      First Post
    • One Year In
      ThatGuyOnline earned a badge
      One Year In
    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      500
    2. 2
      +Edouard
      194
    3. 3
      PsYcHoKiLLa
      125
    4. 4
      Steven P.
      87
    5. 5
      neufuse
      73
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!