Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer cause I always use it.

Typing the command to stop the vulnerability while Microsoft puts out a patch will NOT totally break Windows Picture & Fax viewer or paint, it will just make it so those applications cannot open WMF files. and still there's a command to enable them back at any time.

And for those who cannot fix the wallpaper issue after getting rid of the virus, read my post Here

Grand Master

Farstrider

Posted
Posted

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

Someone else has asked how this can be free? My business does these sorts of repairs and I charge in the region of $50.00 an hour for any work of this nature and if any software is required I have to charge for it! I am a Microsoft Partner as well as an Eset Partner and these programs are NOT FREE! The only free product that you mentioned is CrapCleaner! I also doubt that you have removed all the problems! So as regards the last part of what you wrote, clients WILL pay, for sure!

Mentor

tkyoshi

Posted
Posted (edited)

I'm advising reinstalls all round! Its going to be the only way god knows how many varients out and I was also wondering if DEP works?

Yes it does, the exploit will apparently be blocked if your CPU has DEP. You must however make sure it's on for everything and not just "essential services" (default).

You can also enable software DEP if your computer doesn't have a CPU that supports it in hardware but i don't know if software DEP will prevent this.

Edited by tkyoshi
Mentor

tkyoshi

Posted
Posted

post-25252-1135902700_thumb.jpg

so as long as that option is set, I'm okay?

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

post-11767-1135903467_thumb.jpg

What happens if the exploit tries to run w/ [Hardware] DEP:

post-11767-1135903482.jpg

Grand Master

canadian397

Posted
Posted

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

post-11767-1135903467_thumb.jpg

What happens if the exploit tries to run w/ [Hardware] DEP:

post-11767-1135903482.jpg

okay, can anyone confirm this? :unsure:

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

ya thanx for the video that was very informative

I saw that red button on 2 computers, the only way to get rid of it was to kill exporer.exe and then delete the .dll file in the system32 folder, this little bugger even runs in safe mode.

Mentor

struct

Posted
Posted

Well somehow, the blue text went away for me. The only thing I can think of that I did was after I reregistered it this morning, was to unregister and reregister again. But I'm not totally sure if that fixed it

just got this too :( gonna reboot in a sec see if that fixes it

Proficient

er0n

Posted
Posted

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

I don't see any difference between your DEP menu and his :wacko:

Edit: Ok I see it

Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

http://grc.com/sn/notes-020.htm

Steve Gibson has a temporary solution. I trust this man.

This fix has been posted on this topic a few times already. Another way to avoid the exploit is to enable DEP. Software DEP alone will prevent it in Windows Server 2003 at least.

Does anyone know why I can't infect a fresh install of XpSp2 in VmWare? No settings have been changed nor have any programs or updates been installed. I'm trying to trace all the changes this thing makes but I want to do it in VmWare so I can continue working on something else.

Edited by Mr. Dick C. Normous
Mentor

tkyoshi

Posted
Posted

okay, can anyone confirm this? :unsure:

Microsoft has confirmed it now:

I have DEP enabled on my system, does this help mitigate the vulnerability?

Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation.

Mentor

greg098

Posted
Posted

After being infected by this virus in my virtual machine, windows live messenger doesnt work. Maybe it broke it? It opens and I sign in, but then it breaks and tells me to send an error report.

Also, on Microsoft's report, it tells users to use Microsoft Anti-Spyware to keep their system protected. I done a scan with it and it didnt even get rid of it. Infact is told me that my default home page was C:/secure.html lol which in fact was not my original homepage at all.

Mentor

madnuke

Posted
Posted

Well everyone is going to be back to work tomorow or so it seems, school starts this week, people going back to uni, this is when the problems will start. Unpatched machines with people with no more little computer knowledge than opening up word, they wont know what a DLL file is. This thing is using emails, IM, P2P and websites that takes about every way to get infected, the one thing I know is as soon as a fix comes out I'm going to burn a few cds for the influx which will be at work.

Grand Master

+M2Ys4U Subscriber¹

Posted
  • Subscriber¹
Posted

Well, people shouldn't be using Internet Explorer, they've had almost two full years now to switch to Firefox :)

but anyway, I hope it breaks the world for a day adn I get my vacation day (today) back, tomorrow.!

1) Firefox 1.0 was released a little over ONE year ago

2) You can still become infected using Firefox, you just have to download the file first

I use Firefox and I do loathe IE, just don't spread FUD, dude.

Apprentice

Havin_it

Posted
Posted

QUESTION: What is the situation with Win9x?

This has been largely ignored as people fret over WinNT and family, but let's not forget there are plenty folk out there running Win 95/98/ME, and I can see virtually no advice for them.

This concerns me as I have one 98SE and two ME users in my immediate circle. (My mum has Win95 but no Internet lol) My warnings of doom are a little empty if I can't give them any concrete information besides "use Firefox and, umm, y'know, just be careful..." These are not the most geeky people, either.

What system files do we need to look at with these OSes? Are there DLLs to be unregistered? Is GDI+ the same on these OSes? I think we must be told!

The only mention I've found about these OSes (apart from in the MS advisory) is from the ISC diary, http://isc.sans.org/diary.php?storyid=994

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS.  Your mitigation options are very limited. You really need to upgrade.

Not exactly very helpful...!

Anyhoo, I guess the next 24 hours will be very telling. Why the hell is this not getting more press?!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Politically funny images of the World

      By +primortal · Posted

    • EA launches in-game advertising platform for brands to "connect with audiences"

      By fingletmein · Posted

      "to in-game content custom-made for the brands" Which EA will turn around and charge customers extra for in an attempt to double dip.
    • EA launches in-game advertising platform for brands to "connect with audiences"

      By SidVicious · Posted

      Disgusting.
    • NirLauncher 1.30.24

      By Copernic · Posted

      NirLauncher 1.30.24 by Razvan Serea NirLauncher is a suite of more than 200 of NirSoft's excellent portable freeware Windows utilities, and provides an interface that makes it easy to find and launch the tools you need. Which works for us - because there's something here for everyone. Have you forgotten a password stored in your browser or email client, for instance? Recovery tools here may be able to find them for you. Maybe you'd like to check your hard drive health? A disk tool will display its S.M.A.R.T. data (if the drive supports this), so you can view read/ write errors, temperature and other useful details. Is your system unstable? The System Utilities section includes several tools that can help to explain why your PC might be crashing. And there are a host of other programs on offer in categories like "Network Monitoring", "Web Browser Tools", "Video/ Audio Related Utilities", "Outlook/ Office Utilities" and more. Please note, perhaps because a few of these tools can be used maliciously (the password revealers, say), some antivirus programs will flag them as threats. We've never had a problem with any NirSoft tool, though, and you can read more on this issue at the author's site. NirLauncher is an excellent set of free tools, and a must-have for everyone's portable troubleshooting toolkit. NirLauncher Features: NirLauncher can be used from USB flash drive without need of any installation. NirLauncher and all the utilities in the package are completely freeware, without any Spyware/Adware/Malware. This package doesn't contain any 3-party software, toolbars, Web browser plugins, or other unwanted surprises. It will not install any software on your system and it will not change your Web browser homepage or other settings on your system. NirLauncher package includes variety of tools that you may need for your daily computer use, including utilities to recover lost passwords, to monitor your network, to view and extract cookies, cache, and other information stored by your Web browser, to search files in your system, and more... For every utility in the package, you can easily run it, view the help file, or jump to the Web page of the utility. When using it from USB flash drive, the configuration of every utility is saved into .cfg file on the flash drive. On x64 systems, NirLauncher automatically run the x64 version of the utility, when there is a separated x64 version. NirLauncher also allows to add more software packages in additional to the main NirSoft package. NirLauncher allows you generate plugin files for BartPE (Launcher -> Generate BartPE Plugin Files), so you can easily use the utilities of NirSoft from a bootable live windows CD. Additional packages (Piriform, SysInternals...) and instructions are available on the Nirlauncher download page. Note: This zip file below is password-protected. The password for extracting the files is nirsoft9876$ Download: NirLauncher 1.30.24 | 39.8 MB (Freeware) Link: NirLauncher Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Euro-Office must default to ODF to be considered "genuinely European", LibreOffice argues

      By MikeK13 · Posted

      What people who support this position of LibreOffice do not understand is that EuroOffice is not made to appease the open source enthusiasts (I am also one) and evangelists. EuroOffice was made because some European companies wanted independence from Microsoft Office Suite, which is something installable on your computer. This move to independence was pushed by public institutions and governments in Europe, as well. Using a proprietary FORMAT as default, does not make you dependent on MS. The actual program does. A format can be changed with a simple update in the future in a dystopian world where MS would manipulate the format to lock others out. However, using MS Office proprietary format, guarantees that all the current documents used by companies, organizations, institutions, etc, will be compatible with EuroOffice and the suite will have the best chances at adoption, especially by slow moving organizations like governments and the public sector. It is as simple as that. For the same reason, even the UI is incredibly similar to MS Office. For the same reason (adoption) the choice was made to be open source. Not because EU particularly loves open source ideologically, but because it gives the best starting point to create trust in the project and amass developers and contributions to the project quickly, to catch up with proprietary projects like MS Office. I don't understand how people don't realize it.

  • Recent Achievements

    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      512
    2. 2
      +Edouard
      205
    3. 3
      PsYcHoKiLLa
      136
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      85
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!