Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer cause I always use it.

Typing the command to stop the vulnerability while Microsoft puts out a patch will NOT totally break Windows Picture & Fax viewer or paint, it will just make it so those applications cannot open WMF files. and still there's a command to enable them back at any time.

And for those who cannot fix the wallpaper issue after getting rid of the virus, read my post Here

Grand Master

Farstrider

Posted
Posted

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

Someone else has asked how this can be free? My business does these sorts of repairs and I charge in the region of $50.00 an hour for any work of this nature and if any software is required I have to charge for it! I am a Microsoft Partner as well as an Eset Partner and these programs are NOT FREE! The only free product that you mentioned is CrapCleaner! I also doubt that you have removed all the problems! So as regards the last part of what you wrote, clients WILL pay, for sure!

Mentor

tkyoshi

Posted
Posted (edited)

I'm advising reinstalls all round! Its going to be the only way god knows how many varients out and I was also wondering if DEP works?

Yes it does, the exploit will apparently be blocked if your CPU has DEP. You must however make sure it's on for everything and not just "essential services" (default).

You can also enable software DEP if your computer doesn't have a CPU that supports it in hardware but i don't know if software DEP will prevent this.

Edited by tkyoshi
Mentor

tkyoshi

Posted
Posted

post-25252-1135902700_thumb.jpg

so as long as that option is set, I'm okay?

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

post-11767-1135903467_thumb.jpg

What happens if the exploit tries to run w/ [Hardware] DEP:

post-11767-1135903482.jpg

Grand Master

canadian397

Posted
Posted

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

post-11767-1135903467_thumb.jpg

What happens if the exploit tries to run w/ [Hardware] DEP:

post-11767-1135903482.jpg

okay, can anyone confirm this? :unsure:

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

ya thanx for the video that was very informative

I saw that red button on 2 computers, the only way to get rid of it was to kill exporer.exe and then delete the .dll file in the system32 folder, this little bugger even runs in safe mode.

Mentor

struct

Posted
Posted

Well somehow, the blue text went away for me. The only thing I can think of that I did was after I reregistered it this morning, was to unregister and reregister again. But I'm not totally sure if that fixed it

just got this too :( gonna reboot in a sec see if that fixes it

Proficient

er0n

Posted
Posted

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

I don't see any difference between your DEP menu and his :wacko:

Edit: Ok I see it

Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

http://grc.com/sn/notes-020.htm

Steve Gibson has a temporary solution. I trust this man.

This fix has been posted on this topic a few times already. Another way to avoid the exploit is to enable DEP. Software DEP alone will prevent it in Windows Server 2003 at least.

Does anyone know why I can't infect a fresh install of XpSp2 in VmWare? No settings have been changed nor have any programs or updates been installed. I'm trying to trace all the changes this thing makes but I want to do it in VmWare so I can continue working on something else.

Edited by Mr. Dick C. Normous
Mentor

tkyoshi

Posted
Posted

okay, can anyone confirm this? :unsure:

Microsoft has confirmed it now:

I have DEP enabled on my system, does this help mitigate the vulnerability?

Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation.

Mentor

greg098

Posted
Posted

After being infected by this virus in my virtual machine, windows live messenger doesnt work. Maybe it broke it? It opens and I sign in, but then it breaks and tells me to send an error report.

Also, on Microsoft's report, it tells users to use Microsoft Anti-Spyware to keep their system protected. I done a scan with it and it didnt even get rid of it. Infact is told me that my default home page was C:/secure.html lol which in fact was not my original homepage at all.

Mentor

madnuke

Posted
Posted

Well everyone is going to be back to work tomorow or so it seems, school starts this week, people going back to uni, this is when the problems will start. Unpatched machines with people with no more little computer knowledge than opening up word, they wont know what a DLL file is. This thing is using emails, IM, P2P and websites that takes about every way to get infected, the one thing I know is as soon as a fix comes out I'm going to burn a few cds for the influx which will be at work.

Grand Master

+M2Ys4U Subscriber¹

Posted
  • Subscriber¹
Posted

Well, people shouldn't be using Internet Explorer, they've had almost two full years now to switch to Firefox :)

but anyway, I hope it breaks the world for a day adn I get my vacation day (today) back, tomorrow.!

1) Firefox 1.0 was released a little over ONE year ago

2) You can still become infected using Firefox, you just have to download the file first

I use Firefox and I do loathe IE, just don't spread FUD, dude.

Apprentice

Havin_it

Posted
Posted

QUESTION: What is the situation with Win9x?

This has been largely ignored as people fret over WinNT and family, but let's not forget there are plenty folk out there running Win 95/98/ME, and I can see virtually no advice for them.

This concerns me as I have one 98SE and two ME users in my immediate circle. (My mum has Win95 but no Internet lol) My warnings of doom are a little empty if I can't give them any concrete information besides "use Firefox and, umm, y'know, just be careful..." These are not the most geeky people, either.

What system files do we need to look at with these OSes? Are there DLLs to be unregistered? Is GDI+ the same on these OSes? I think we must be told!

The only mention I've found about these OSes (apart from in the MS advisory) is from the ISC diary, http://isc.sans.org/diary.php?storyid=994

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS.  Your mitigation options are very limited. You really need to upgrade.

Not exactly very helpful...!

Anyhoo, I guess the next 24 hours will be very telling. Why the hell is this not getting more press?!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Apple Maps

      By goretsky · Posted

      Hello, It would appear so, according to https://finance.yahoo.com/news/how-to-hide-your-home-on-google-maps-apple-maps-204146687.html. Regards, Aryeh Goretsky      
    • AMD 9070XT

      By goretsky · Posted

      Hello, The Nvidia Founders Edition 3080 video card is approximately six years old, correct? Have you looked into whether replacement fans are available for it? Perhaps replacing those will improve cooling, especially when combined with cleaning the card's heatsink and replacing the thermal interface materials. Regards, Aryeh Goretsky  
    • DuRoBo Krono Review: Portable E-Ink reader with great ideas that need a bit of improvement

      By goretsky · Posted

      Hello, While ~104 GB of space may seem generous (at least compared to other e-readers which have 8-32GB), I feel at this price point the device should have a Micro SDXC card slot for expansion, particularly if it allows audio books to be installed and played. I hope to see more reviews of 6" phone-sized e-readers on Neowin in the future. It will be interesting to see how they compare. Regards, Aryeh Goretsky
    • Sandboxie Plus 1.17.8 / Classic 5.72.8

      By Copernic · Posted

      Sandboxie Plus 1.17.8 / Classic 5.72.8 by Razvan Serea Run programs in a sandbox to prevent malware from making permanent changes to your PC. Sandboxie allows you to run your browser, or any other program, so that all changes that result from the usage are kept in a sandbox environment, which can then be deleted later. Sandboxie is a sandbox-based isolation software for 32- and 64-bit Windows NT-based operating systems. It is being developed by David Xanatos since it became open source, before that it was developed by Sophos (which acquired it from Invincea, which acquired it earlier from the original author Ronen Tzur). It creates a sandbox-like isolated operating environment in which applications can be run or installed without permanently modifying the local or mapped drive. An isolated virtual environment allows controlled testing of untrusted programs and web surfing. Sandboxie is available in two flavors Plus and Classic. Both have the same core components, this means they have the same level of security and compatibility. What's different is the user interface the Plus build has a modern Qt based UI which supports all new features that have been added since the project went open source. The Classic build has the old no longer developed MFC based UI, hence it lacks support for modern features, these features can however still be used when manually configured in the Sandboxie.ini. Sandboxie Plus 1.17.8 / Classic 5.72.8 release notes: Added added DisableCustomTitleOpt=[process,][y|n] to allow [#] sandboxie title markers on custom-titlebar windows (Delphi VCL, Qt, Electron) that were previously skipped to prevent DWM repaint CPU loops #5387 Changed updated bundled ImDisk driver to 3.0.2 #5419 Fixed fix Suppress logs for expected non-user SIDs #5422 SbieSvc.exe: SBIE2218/2219 error when run program as administrator #5417 fixed explorer.exe crashes in Application Compartment when Huorong Security is installed #5423 Download: Sandboxie Plus (64-bit) | 23.5 MB (Open Source) Download: Sandboxie Classic (64-bit) | 3.0 MB Links: Sandboxie Website | GitHub | ARM64 | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • what other retro software do yall use

      By goretsky · Posted

      Hello, Christian Maas' XVI32 is a nice (and very small) hex editor. Speaking of hex editors, many years ago a colleague and I who both worked at Tribal Voice managed to edit a copy of the company's PowWow instant messaging client to make it behave better now that all of its lookup servers and other server-side tech was gone.  The program didn't support NAT (RFC-3022 was introduced in January 2001, the same time Tribal Voice was shuttered), but it still worked okay if you manually set up port-forwarding on your router.  The server at http://powwow.jazy.net/ hosts a copy (usual warnings about downloading and running untrusted code from random internet servers apply). I occasionally use some tools like Funduc Software's Search and Replace and Application Mover when I need to make mass-edits to text-based files or move programs with a hard-coded installation directories, respectively.  When I need to figure out the exact LCD panel inside of a laptop, EnTech Taiwan's Monitor Asset Manager is my go-to tool for that purpose. JD Design's website (now hosted on github.io) has a number of interesting freeware and shareware utilities.  I used to use their TouchPro utility to set the file timestamps on software I was mastering to match its version number (e.g., version 3.00 of a program had all of its files dates set to 3:00AM, and so forth). Karenware has a number of interesting freeware utilities, too. Regards, Aryeh Goretsky  

  • Recent Achievements

    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      509
    2. 2
      +Edouard
      198
    3. 3
      PsYcHoKiLLa
      138
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      82
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!