Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Mentor

madnuke

Posted
Posted

LOL its perfectly safe its off a Security based website, I would'nt be worried, this should proberly go on the main page because of how serious this is and to warn as many people as possible.

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Sawyer12 the video above is from a trusted site, it contains nothing, still if you don't want to watch it I can tell you that if you are infected you ll immediately notice because your desktop background will turn either black or blue and it will have a huge warning saying that you are infected, there will also be a warning and icon on your system tray telling you the same and prompting you to click on it to resolve the problem, however both warnings are fake and part of the virus to trick people into clicking and installing the rest of the trojan, At that point without clicking you will already be infected with a system you cannot change the desktop background to, several changes made to your registry and several .exe files placed in different areas of your system, you will also see that your system enters in a loop where everytime you restart the computer the same program tries to make you click and install the program, if you do then your system will be even more compromised.

This virus also tricks people cause it sends you to a page where supposedly you are going to buy an anti-spyware or anti-virus program, you ll be sending your information to a bogus site which will not give you any software at all. So far this is what I know about the virus, but there's lots more it can do and it appears there's several dangerous variants of it on the wild.

spyware_warning.png

That's what you will see on your system tray too if you are infected.

Mentor

madnuke

Posted
Posted

Typing REGSVR32 /U SHIMGVW.DLL is a valid wordaround to avoid the exploit.

This is what I read somewhere, this seems like the only preventative thing to stop it at the moment until MS get up and realise something is wrong. Seems ok with websites this will proberly block WMF/EMF which is good. And the good thing is you can unregister and register the DLL.

http://www.microsoft.com/resources/documen...s/regsvr32.mspx

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Typing REGSVR32 /U SHIMGVW.DLL is a valid wordaround to avoid the exploit.

This is what I read somewhere, this seems like the only preventative thing to stop it at the moment until MS get up and realise something is wrong.

Could you elaborate more on that? where did you get that info from? thanks.

Mentor

madnuke

Posted
Posted

http://isc.sans.org/

Well they just posted it here, but I thought I saw this before that was posted :huh:

edit: found it on a blog comments of Sunbelts site.

Ah well me and a friend are trying to fix it the file it effects with the exploit is SHIMGVW.DLL so I guess unregistering prevents Windows picture and fax viewer from opening it automatically, NOTE you can still download this so it sort of makes it like Firefox level safe for those who use IE.

Grand Master

acedriver

Posted
Posted
Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.

http://isc.sans.org/

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

Microsoft has officially put out a statement check it out at:

http://www.microsoft.com/technet/security/...ory/912840.mspx

It looks some folks are being able to mitigate or momentarily fix the vulnerability by typing the following command:

REGSVR32 /U SHIMGVW.DLL

http://isc.sans.org/ is the one publishing that momentary fix, however be aware it will break Windows Picture & Fax viewer and Paint and possibly other application whenever they attempt to open a WMF type of file.

Mentor

greg098

Posted
Posted

Here's some screenshots i took of the virus in a virtual machine...Whats strange is, I got this virus about 3 months ago! I eventually got rid of it, after hours of deleting crap...but i kept getting plastered with adverts in internet explorer and firefox, even after I had made sure I had gotten rid of this virus. I eventually wiped my computer as it was beyond a joke. There was nothing in Task Manager, yet I would get about 10 adverts every minute...even flash ones that I couldnt close! yet still nothing in Task Manager.

I really hope a patch is released for this soon, as I do not want to get this virus AGAIN!

post-73728-1135836234_thumb.jpg

post-73728-1135836304_thumb.jpg

Collaborator

Mr. Dick C. Normous

Posted
Posted

Yes it does but under the Enhanced Security Config (if enabled) it should prevent it from automatically launching, you would have to click on the link for it to launch.

Thank you Tkyoshi for responding. I am going to create an image of my root drive and give this a try now. I think I am safe but a false sense of security can be worse than being insecure. Right now I am browsing the web with images disabled but I don't really like it LOL. Almost all of my security settings (all but three) are set to the defaults so I am curious what will happen. I will post my finding in about thirty minutes.

Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

Well this has been interesting to say the least. While in IE the WMF file did nothing (expected). Whether viewing the file or clicking the link nothing happened. Once saved to my hard drive and opening the file in Image viewer the exploit was able to run. I denied BOOT.INX access to the internet and after a reboot almost all was well. The task manager was disabled but that can be fixed via gpedit.msc or the registry. I also found the following registry keys were created.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

and

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

I am not a security professional but these keys look like they allow boot.inx to be accepted by Windows Firewall. So far it looks like a decent firewall and a little knowledge can keep you fairly safe from this. I will try a few more things and post the results.

EDIT: I found something else out. If the file is saved locally DO NOT EVEN HOVER OVER IT!!! Even if its on your desktop without a preview it will allow the exploit to run.

Edited by Mr. Dick C. Normous
Collaborator

Mr. Dick C. Normous

Posted
Posted

Deleting the file extension in Windows DOES NOTHING. Even without being directly associated with Image viewer the exploit will run. I have tried associating wmf files with Photoshop and Internet Explorer and neither seems to work fully. They will keep the file itself from running but the exploit will still execute if the file is hovered over. Unregistering SHIMGVW.DLL seems to be the best/only way around this. It keeps the file from running and DOES allow you to hover over the file without being infected. I am still running the same install of Windows Server 2003 as I originally started with. The only thing I have running for protection is ZoneAlarm and all is still well. I never received the full infection. If you are at all uncertain PLEASE unregister SHIMGVW.DLL as posted by Madnuke. You can do so by clicking start and then run and entering the following command.

regsvr32 /u SHIMGVW.DLL

After a patch has been released you can re-enable Image viewer by running

regsvr32 /i SHIMGVW.DLL

That's it for tonight folks. If I learn anything else I will post it.

Mentor

tkyoshi

Posted
Posted

Deleting the file extension in Windows DOES NOTHING. Even without being directly associated with Image viewer the exploit will run. I have tried associating wmf files with Photoshop and Internet Explorer and neither seems to work fully. They will keep the file itself from running but the exploit will still execute if the file is hovered over. Unregistering SHIMGVW.DLL seems to be the best/only way around this. It keeps the file from running and DOES allow you to hover over the file without being infected. I am still running the same install of Windows Server 2003 as I originally started with. The only thing I have running for protection is ZoneAlarm and all is still well. I never received the full infection. If you are at all uncertain PLEASE unregister SHIMGVW.DLL as posted by Madnuke. You can do so by clicking start and then run and entering the following command.

regsvr32 /u SHIMGVW.DLL

After a patch has been released you can re-enable Image viewer by running

regsvr32 /i SHIMGVW.DLL

That's it for tonight folks. If I learn anything else I will post it.

Awsome info there Mr. Dick C., thanks for sharing!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Samsung Galaxy Z Fold 8, Flip 8, Z Fold Wide: Everything you need to know

      By The Werewolf · Posted

      Samsung Galaxy Z Fold 8, Flip 8, Z Fold Wide: Everything you need to know The ONLY thing I need to know is the price, which I know will be way higher than I (and most people) are willing to pay for a phone... so basically nothing here I need to know. PS: Nice job getting that Apple reference to a non-existent and unrevealed product as "competition" in there. Cheque is in the mail.
    • AMD 9070XT

      By Steven P. · Posted

      Well I really think the repasting helped if your higher clocks have returned, maybe the next thing to look at is if there is a problem with your case airflow? I guess this because your 3080 has returned to optimal state, but is still staying too warm, which might suggest it was thermal throttling before you repasted, of which the only logical conclusion could be outside factors.
    • The official Funny Pictures thread

      By Steven P. · Posted

    • Samsung Galaxy Z Fold 8, Flip 8, Z Fold Wide: Everything you need to know

      By Hamid Ganji · Posted

      Samsung Galaxy Z Fold 8, Flip 8, Z Fold Wide: Everything you need to know by Hamid Ganji Galaxy Z Fold 7 - Image via Samsung The next generation of Samsung foldables is set to be unveiled next month at the second Unpacked event of the year. Samsung’s 2026 foldables are not expected to offer significant upgrades over their predecessors, with the Korean firm instead focusing on design refinements and conventional upgrades such as faster processors and better cameras. However, Samsung is reportedly planning to unveil an all-new passport-style foldable this year to rival Apple’s first foldable iPhone, which is expected to debut this September. Here’s a roundup of everything we know about Samsung’s upcoming foldable devices ahead of their official debut. When can we expect Samsung’s new foldables? The Galaxy Z Fold 7 and Z Flip 7 series were unveiled in July, and Samsung is expected to maintain this timeframe in 2026. Based on previous reports from Korean sources, Samsung will hold its Unpacked event on July 22 in London, UK, to pull back the curtain on the Galaxy Z Fold 8 series. The devices are also expected to hit the shelves a few weeks after launch. However, Samsung has yet to announce an official date. A new naming scheme? One of the most interesting changes we might see this year is a new naming scheme for Samsung’s latest foldables. SamMobile reported that since Samsung is expected to unveil three foldables this year, it has adopted a new naming strategy to simplify product identification for customers. Accordingly, the standard Galaxy Z Fold 8 will reportedly be called the Galaxy Z Fold 8 Ultra and will serve as the direct successor to last year’s Galaxy Z Fold 7. The “Ultra” suffix suggests the phone could feature higher-end specifications, such as additional rear camera modules. Samsung’s new passport-style foldable is expected to carry the Galaxy Z Fold 8 name without any suffix. This model is reportedly equipped with two rear cameras. No major changes are expected for the Flip model. Galaxy Z Fold 8 Ultra and Z Flip 8 anticipated specs Rumors over the past few months suggest Samsung is preparing several upgrades for its upcoming foldables, although the devices may continue to rely on larger batteries and faster charging speeds rather than dramatic design changes. The primary focus this year is expected to be the Galaxy Z Fold 8 and its wide-screen design. Galaxy Z Fold 8 Ultra official CAD renders - Image via AndroidHeadlines Here are the anticipated specifications for the Galaxy Z Fold 8 Ultra based on previous leaks: 6.5-inch outer display and 8-inch inner display, 120Hz refresh rate, and 2,600 nits peak brightness Snapdragon 8 Elite Gen 5 processor, paired with 12GB or 16GB of RAM and 256GB, 512GB, or 1TB of storage 4.1mm thickness when unfolded and a weight of 210g 200MP main camera, 50MP ultrawide camera, 10MP or 12MP telephoto camera, 10MP cover camera, and 10MP selfie camera 5,000mAh battery with 45W wired charging Android 17 and One UI 9 As for the Galaxy Z Flip 8, the device is not expected to be a major departure from its predecessor, although it could become slightly slimmer. Expected specifications include: Snapdragon 8 Elite Gen 5 or Exynos 2600 processor 12GB of RAM with 256GB and 512GB storage options 6.9-inch Dynamic AMOLED 2X inner dispaly and 4.1-inch Super AMOLED outer dispaly 50MP main camera, 12MP ultrawide camera, and 10MP selfie camera 4,300mAh battery with 25W wired charging Android 17 and One UI 9 Samsung’s foldables are also expected to launch with Gemini Intelligence, Google’s AI suite for automating tasks in Android ecosystem. Moreover, given current memory and component costs, some Galaxy Z Fold 8 Ultra and Z Flip 8 variants could see a price hike. Galaxy Z Fold 8 adopts a wide-screen design The centerpiece of the upcoming Unpacked event could be the Galaxy Z Fold 8, previously rumored as the Galaxy Z Fold Wide. This model adopts a passport-style form factor and is expected to compete directly with Apple’s iPhone Fold. Galaxy Z Fold 8 official CAD renders - Image via AndroidHeadlines Here’s what to expect: 7.6-inch primary OLED display and 5.4-inch cover display, 120Hz refresh rate, 2,600 nits peak brightness, and 4:3 aspect ratio Snapdragon 8 Elite Gen 5 processor, 12GB or 16GB of RAM, and 256GB, 512GB, or 1TB storage options 4,800mAh battery with 45W wired charging 50MP main camera, 50MP ultrawide camera, and 10MP selfie camera Android 17 and One UI 9 The three new foldable phones are unlikely to be the only devices unveiled at Samsung’s Unpacked event. The company is also expected to introduce the Galaxy Watch Ultra 2 and the Galaxy Watch 9 series.
    • Dopamine 3.0.6

      By Jaybonaut · Posted

      Thanks

  • Recent Achievements

    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later
    • One Month Later
      agatameier earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      504
    2. 2
      +Edouard
      196
    3. 3
      PsYcHoKiLLa
      140
    4. 4
      ATLien_0
      89
    5. 5
      Steven P.
      81
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!