Tech ARP Forums

3rd Jan 2006, 06:39 AM   #11   acedriver

Quote:
On December 31st, a new and improved version of the WMF exploit had been published. The new exploit generated WMF files that were different enough to bypass nearly all Anti-Virus and IDS signatures. Different methods of distributing the virus, such as e-mails and instant messenger chats have already been seen in the wild, as more and more worms and trojans have been utilising the exploit to gain access to computers running the Windows operating system.

SANS and many other security sites recommend un-registering Shimgvw.dll (Microsoft picture and fax viewer) and using the unofficial patch to protect against the virus, until Microsoft can release an official patch. A virus scanner isn't enough to protect against some of the more advanced variants of the exploit.
SANS Internet Storm Center article
F-Secure Weblog
Unofficial patch site

6th Jan 2006, 01:47 AM   #12   Adrian Wong

Quote:
Originally Posted by acedriver
until Microsoft release a patch, you should unregister the dll..
Unregistering it right away!!

6th Jan 2006, 05:39 AM   #13   acedriver

WMF patch released early.

Security Update for Windows XP (KB912919)

Here's the other platforms also:
Security Update for Windows Server 2003 (KB912919)

Security Update for Windows 2000 (KB912919)

Security Update for Windows XP x64 Edition (KB912919)

Security Update for Windows Server 2003 64-bit Itanium Edition (KB912919)

The Security bulletin ( MS06-001 ) is now available and confirms this covers the WMF vulnerability.

Graphics Rendering Engine Vulnerability - CVE-2005-4560:
Quote:
A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Recommendation for updating:

1. Reboot your system to clear any vulnerable files from memory
2. Download and apply the new patch
3. Reboot
4. Uninstall the unofficial patch, by using Add/Remove Programs on single systems. If you used msi to install the patch on multiple machines you can uninstall it with this:
msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn
5. Re-register the .dll if you previously unregistered it (use the same command but without the "-u"):
regsvr32 %windir%\system32\shimgvw.dll
6. Reboot one more time just for good measure

http://isc.sans.org/

Last edited by acedriver : 6th Jan 2006 at 05:45 AM.
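The rollback order from the post above (official update first, temporary mitigations removed only afterwards) as a guarded PowerShell script. This is an added example, not part of the original post or of any vendor tooling; it assumes PowerShell is available, an elevated session, and that the unofficial patch was installed from the MSI so its product code shows up under the standard Uninstall registry key.

```powershell
# Added example. KB number, product code and DLL path are the ones quoted in the post.
# Run from an elevated session; the reboots (steps 1, 3 and 6) are left to the operator.
$KbId        = 'KB912919'
$ProductCode = '{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66}'
$Dll         = Join-Path $env:windir 'system32\shimgvw.dll'

# Gate on step 2: keep the temporary mitigations until the official update is present.
if (-not (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)) {
    Write-Warning "$KbId is not installed; leaving the temporary mitigations in place."
    exit 1
}

# Step 4: uninstall the unofficial patch only where its MSI product code is registered.
# Assumption: MSI installs appear under the standard Uninstall key (native or Wow6432Node).
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$registered = $roots | Where-Object { Test-Path -LiteralPath "$_\$ProductCode" }
if ($registered) {
    $msi = Start-Process msiexec.exe -ArgumentList "/X$ProductCode", '/qn' -Wait -PassThru
    # msiexec: 0 = success, 3010 = success, reboot required
    if (@(0, 3010) -notcontains $msi.ExitCode) {
        Write-Error "msiexec exited with code $($msi.ExitCode); unofficial patch not removed."
        exit 2
    }
} else {
    Write-Output 'Unofficial patch MSI not registered; nothing to uninstall.'
}

# Step 5: re-register the viewer DLL (harmless if it was never unregistered).
$reg = Start-Process regsvr32.exe -ArgumentList '/s', "`"$Dll`"" -Wait -PassThru
if ($reg.ExitCode -ne 0) {
    Write-Error "regsvr32 exited with code $($reg.ExitCode) for $Dll."
    exit 3
}
Write-Output 'Rollback finished. Reboot once more (step 6).'
```

A non-zero exit code tells a deployment tool which machines still carry the temporary mitigations (1) or failed during rollback (2, 3).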

6th Jan 2006, 05:45 AM   #14   Adrian Wong

Argghhh!!! I JUST installed the temporary patch!!!

Thanks for the update!

6th Jan 2006, 08:05 AM   #15   Chai

Cool thanks for the update!

4th Feb 2006, 02:09 PM   #16   buildcustompc

I got this infection on my computer a couple times and it wasn't pretty. It continually pops up that infested box in the bottom right and doesn't let you change your background. Ad-aware detects some of it and removes it but it reinstalls itself. I have to do a complete reformat/reinstall to get rid of it. Thanks for the info about what this was!

Will

4th Feb 2006, 05:49 PM   #17   1031982

I use ACDsee, because it's not made from MS.