Windows zero day nightmare exploited

[Rudy]

i had to fix a friends computer that had it.....its a pain in the ass to fix

[madnuke]

LOL its perfectly safe its off a Security based website, I would'nt be worried, this should proberly go on the main page because of how serious this is and to warn as many people as possible.

[+Ely]

Sawyer12 the video above is from a trusted site, it contains nothing, still if you don't want to watch it I can tell you that if you are infected you ll immediately notice because your desktop background will turn either black or blue and it will have a huge warning saying that you are infected, there will also be a warning and icon on your system tray telling you the same and prompting you to click on it to resolve the problem, however both warnings are fake and part of the virus to trick people into clicking and installing the rest of the trojan, At that point without clicking you will already be infected with a system you cannot change the desktop background to, several changes made to your registry and several .exe files placed in different areas of your system, you will also see that your system enters in a loop where everytime you restart the computer the same program tries to make you click and install the program, if you do then your system will be even more compromised.

This virus also tricks people cause it sends you to a page where supposedly you are going to buy an anti-spyware or anti-virus program, you ll be sending your information to a bogus site which will not give you any software at all. So far this is what I know about the virus, but there's lots more it can do and it appears there's several dangerous variants of it on the wild.

That's what you will see on your system tray too if you are infected.

[fascist]

Lol at first I though he was just linking me to the virus and being an a**hole then I just checked his join date and crap and went with it.

[struct]

that video is pretty freaky, to be honest.

[dragon2611]

hmm.. hoipe they release a patch soon.

hopefully if i do come across it my antivirus will catch it before it does anything.

[tunafish]

yes i had this and now i removed the bugger

[h3xis]

yes i had this and now i removed the bugger

i had to fix a friends computer that had it.....its a pain in the ass to fix

uh...how?

[tunafish]

i formatted my pc as avg refused to do this, also this was in nthe wild last week

[madnuke]

Typing REGSVR32 /U SHIMGVW.DLL is a valid wordaround to avoid the exploit.

This is what I read somewhere, this seems like the only preventative thing to stop it at the moment until MS get up and realise something is wrong. Seems ok with websites this will proberly block WMF/EMF which is good. And the good thing is you can unregister and register the DLL.

http://www.microsoft.com/resources/documen...s/regsvr32.mspx

[+Ely]

Typing REGSVR32 /U SHIMGVW.DLL is a valid wordaround to avoid the exploit.

This is what I read somewhere, this seems like the only preventative thing to stop it at the moment until MS get up and realise something is wrong.

Could you elaborate more on that? where did you get that info from? thanks.

[madnuke]

http://isc.sans.org/

Well they just posted it here, but I thought I saw this before that was posted :huh:

edit: found it on a blog comments of Sunbelts site.

Ah well me and a friend are trying to fix it the file it effects with the exploit is SHIMGVW.DLL so I guess unregistering prevents Windows picture and fax viewer from opening it automatically, NOTE you can still download this so it sort of makes it like Firefox level safe for those who use IE.

[acedriver]

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.

http://isc.sans.org/

[Lip Sin]

Does the exploited still work under LUA account?

[+Ely]

Microsoft has officially put out a statement check it out at:

http://www.microsoft.com/technet/security/...ory/912840.mspx

It looks some folks are being able to mitigate or momentarily fix the vulnerability by typing the following command:

REGSVR32 /U SHIMGVW.DLL

http://isc.sans.org/ is the one publishing that momentary fix, however be aware it will break Windows Picture & Fax viewer and Paint and possibly other application whenever they attempt to open a WMF type of file.

[greg098]

Here's some screenshots i took of the virus in a virtual machine...Whats strange is, I got this virus about 3 months ago! I eventually got rid of it, after hours of deleting crap...but i kept getting plastered with adverts in internet explorer and firefox, even after I had made sure I had gotten rid of this virus. I eventually wiped my computer as it was beyond a joke. There was nothing in Task Manager, yet I would get about 10 adverts every minute...even flash ones that I couldnt close! yet still nothing in Task Manager.

I really hope a patch is released for this soon, as I do not want to get this virus AGAIN!

[Mr. Dick C. Normous]

Anyone know if this affects Windows Server 2003?

[tkyoshi]

Anyone know if this affects Windows Server 2003?

Yes it does but under the Enhanced Security Config (if enabled) it should prevent it from automatically launching, you would have to click on the link for it to launch.

[Mr. Dick C. Normous]

Yes it does but under the Enhanced Security Config (if enabled) it should prevent it from automatically launching, you would have to click on the link for it to launch.

Thank you Tkyoshi for responding. I am going to create an image of my root drive and give this a try now. I think I am safe but a false sense of security can be worse than being insecure. Right now I am browsing the web with images disabled but I don't really like it LOL. Almost all of my security settings (all but three) are set to the defaults so I am curious what will happen. I will post my finding in about thirty minutes.

[Mr. Dick C. Normous]

Well this has been interesting to say the least. While in IE the WMF file did nothing (expected). Whether viewing the file or clicking the link nothing happened. Once saved to my hard drive and opening the file in Image viewer the exploit was able to run. I denied BOOT.INX access to the internet and after a reboot almost all was well. The task manager was disabled but that can be fixed via gpedit.msc or the registry. I also found the following registry keys were created.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

and

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

I am not a security professional but these keys look like they allow boot.inx to be accepted by Windows Firewall. So far it looks like a decent firewall and a little knowledge can keep you fairly safe from this. I will try a few more things and post the results.

EDIT: I found something else out. If the file is saved locally DO NOT EVEN HOVER OVER IT!!! Even if its on your desktop without a preview it will allow the exploit to run.

Edited December 29, 2005 by Mr. Dick C. Normous

[viciv]

thanks for the news :)

[Mr. Dick C. Normous]

Deleting the file extension in Windows DOES NOTHING. Even without being directly associated with Image viewer the exploit will run. I have tried associating wmf files with Photoshop and Internet Explorer and neither seems to work fully. They will keep the file itself from running but the exploit will still execute if the file is hovered over. Unregistering SHIMGVW.DLL seems to be the best/only way around this. It keeps the file from running and DOES allow you to hover over the file without being infected. I am still running the same install of Windows Server 2003 as I originally started with. The only thing I have running for protection is ZoneAlarm and all is still well. I never received the full infection. If you are at all uncertain PLEASE unregister SHIMGVW.DLL as posted by Madnuke. You can do so by clicking start and then run and entering the following command.

regsvr32 /u SHIMGVW.DLL

After a patch has been released you can re-enable Image viewer by running

regsvr32 /i SHIMGVW.DLL

That's it for tonight folks. If I learn anything else I will post it.

[tkyoshi]

Deleting the file extension in Windows DOES NOTHING. Even without being directly associated with Image viewer the exploit will run. I have tried associating wmf files with Photoshop and Internet Explorer and neither seems to work fully. They will keep the file itself from running but the exploit will still execute if the file is hovered over. Unregistering SHIMGVW.DLL seems to be the best/only way around this. It keeps the file from running and DOES allow you to hover over the file without being infected. I am still running the same install of Windows Server 2003 as I originally started with. The only thing I have running for protection is ZoneAlarm and all is still well. I never received the full infection. If you are at all uncertain PLEASE unregister SHIMGVW.DLL as posted by Madnuke. You can do so by clicking start and then run and entering the following command.

regsvr32 /u SHIMGVW.DLL

After a patch has been released you can re-enable Image viewer by running

regsvr32 /i SHIMGVW.DLL

That's it for tonight folks. If I learn anything else I will post it.

Awsome info there Mr. Dick C., thanks for sharing!

[madnuke]

I posted that before, so you don't need to copy me twice :laugh:

[er0n]

I posted that before, so you don't need to copy me twice :laugh:

Congratulations.