Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Grand Master

+Elі Subscriber²

Posted
  • Subscriber²
Posted

okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer cause I always use it.

Typing the command to stop the vulnerability while Microsoft puts out a patch will NOT totally break Windows Picture & Fax viewer or paint, it will just make it so those applications cannot open WMF files. and still there's a command to enable them back at any time.

And for those who cannot fix the wallpaper issue after getting rid of the virus, read my post Here

Link to comment
Share on other sites
Grand Master

Farstrider

Posted
Posted

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

Someone else has asked how this can be free? My business does these sorts of repairs and I charge in the region of $50.00 an hour for any work of this nature and if any software is required I have to charge for it! I am a Microsoft Partner as well as an Eset Partner and these programs are NOT FREE! The only free product that you mentioned is CrapCleaner! I also doubt that you have removed all the problems! So as regards the last part of what you wrote, clients WILL pay, for sure!

Link to comment
Share on other sites
Mentor

tkyoshi

Posted
Posted (edited)

I'm advising reinstalls all round! Its going to be the only way god knows how many varients out and I was also wondering if DEP works?

Yes it does, the exploit will apparently be blocked if your CPU has DEP. You must however make sure it's on for everything and not just "essential services" (default).

You can also enable software DEP if your computer doesn't have a CPU that supports it in hardware but i don't know if software DEP will prevent this.

Edited by tkyoshi
Link to comment
Share on other sites
Mentor

tkyoshi

Posted
Posted

post-25252-1135902700_thumb.jpg

so as long as that option is set, I'm okay?

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

post-11767-1135903467_thumb.jpg

What happens if the exploit tries to run w/ [Hardware] DEP:

post-11767-1135903482.jpg

Link to comment
Share on other sites
Grand Master

canadian397

Posted
Posted

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

post-11767-1135903467_thumb.jpg

What happens if the exploit tries to run w/ [Hardware] DEP:

post-11767-1135903482.jpg

okay, can anyone confirm this? :unsure:

Link to comment
Share on other sites
Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

ya thanx for the video that was very informative

I saw that red button on 2 computers, the only way to get rid of it was to kill exporer.exe and then delete the .dll file in the system32 folder, this little bugger even runs in safe mode.

Link to comment
Share on other sites
Mentor

struct

Posted
Posted

Well somehow, the blue text went away for me. The only thing I can think of that I did was after I reregistered it this morning, was to unregister and reregister again. But I'm not totally sure if that fixed it

just got this too :( gonna reboot in a sec see if that fixes it

Link to comment
Share on other sites
Proficient

er0n

Posted
Posted

Thenewbrgnewman, I'm not 100% sure as you can see you don't have Hardware DEP on your system. I haven't read any reports confirming whether Software DEP Does work against this exploit, so i would still be careful.

This is what the dialog looks like on a computer with Hardware DEP:

I don't see any difference between your DEP menu and his :wacko:

Edit: Ok I see it

Link to comment
Share on other sites
Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

http://grc.com/sn/notes-020.htm

Steve Gibson has a temporary solution. I trust this man.

This fix has been posted on this topic a few times already. Another way to avoid the exploit is to enable DEP. Software DEP alone will prevent it in Windows Server 2003 at least.

Does anyone know why I can't infect a fresh install of XpSp2 in VmWare? No settings have been changed nor have any programs or updates been installed. I'm trying to trace all the changes this thing makes but I want to do it in VmWare so I can continue working on something else.

Edited by Mr. Dick C. Normous
Link to comment
Share on other sites
Mentor

tkyoshi

Posted
Posted

okay, can anyone confirm this? :unsure:

Microsoft has confirmed it now:

I have DEP enabled on my system, does this help mitigate the vulnerability?

Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation.

Link to comment
Share on other sites
Mentor

greg098

Posted
Posted

After being infected by this virus in my virtual machine, windows live messenger doesnt work. Maybe it broke it? It opens and I sign in, but then it breaks and tells me to send an error report.

Also, on Microsoft's report, it tells users to use Microsoft Anti-Spyware to keep their system protected. I done a scan with it and it didnt even get rid of it. Infact is told me that my default home page was C:/secure.html lol which in fact was not my original homepage at all.

Link to comment
Share on other sites
Mentor

madnuke

Posted
Posted

Well everyone is going to be back to work tomorow or so it seems, school starts this week, people going back to uni, this is when the problems will start. Unpatched machines with people with no more little computer knowledge than opening up word, they wont know what a DLL file is. This thing is using emails, IM, P2P and websites that takes about every way to get infected, the one thing I know is as soon as a fix comes out I'm going to burn a few cds for the influx which will be at work.

Link to comment
Share on other sites
Rising Star

brotherrabbit

Posted
Posted

Well, people shouldn't be using Internet Explorer, they've had almost two full years now to switch to Firefox :)

but anyway, I hope it breaks the world for a day adn I get my vacation day (today) back, tomorrow.!

Link to comment
Share on other sites
Grand Master

+M2Ys4U Subscriber¹

Posted
  • Subscriber¹
Posted

Well, people shouldn't be using Internet Explorer, they've had almost two full years now to switch to Firefox :)

but anyway, I hope it breaks the world for a day adn I get my vacation day (today) back, tomorrow.!

1) Firefox 1.0 was released a little over ONE year ago

2) You can still become infected using Firefox, you just have to download the file first

I use Firefox and I do loathe IE, just don't spread FUD, dude.

Link to comment
Share on other sites
Grand Master

NoneAvail

Posted
Posted

i've spend 4 hours cleaning out my uncles computer yesterday because of this. he've had more spyware/adaware then ho with aids. it's a pain in da ass. it also disables msconfig.exe

hijacks your browser also. god dame

Link to comment
Share on other sites
Apprentice

Havin_it

Posted
Posted

QUESTION: What is the situation with Win9x?

This has been largely ignored as people fret over WinNT and family, but let's not forget there are plenty folk out there running Win 95/98/ME, and I can see virtually no advice for them.

This concerns me as I have one 98SE and two ME users in my immediate circle. (My mum has Win95 but no Internet lol) My warnings of doom are a little empty if I can't give them any concrete information besides "use Firefox and, umm, y'know, just be careful..." These are not the most geeky people, either.

What system files do we need to look at with these OSes? Are there DLLs to be unregistered? Is GDI+ the same on these OSes? I think we must be told!

The only mention I've found about these OSes (apart from in the MS advisory) is from the ISC diary, http://isc.sans.org/diary.php?storyid=994

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS.  Your mitigation options are very limited. You really need to upgrade.

Not exactly very helpful...!

Anyhoo, I guess the next 24 hours will be very telling. Why the hell is this not getting more press?!

Link to comment
Share on other sites
Mentor

madnuke

Posted
Posted

Its not getting to the press because their systems havn't been affectet yet, mark my worlds it will be reported if everything sets off as people get back to work and normal life.

Link to comment
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.