Windows zero day nightmare exploited

[acedriver]

Since no news about it is posted here..

F-SECURE, Bugtraq and a number of other security aware outfits have warned of a zero day vulnerability that's being actively exploited as we write.

Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet.
A number of trojans are being distributed using the vulnerability, related to Windows' image rendering.

F-Secure says you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft.

Full article and source

More info from F-Secure

------
Microsoft has officially put out a statement, check it out at:

http://www.microsoft.com/technet/security/...ory/912840.mspx

It looks some folks are being able to mitigate or momentarily fix the vulnerability by typing the following command:

REGSVR32 /U SHIMGVW.DLL

-------
Complete step:

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type regsvr32 /u shimgvw.dll, and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with regsvr32 shimgvw.dll.

[Chai]

Crap. I use Windows Picture and Fax Viewer...

[Jet]

If not using Windows Picture and Fax Viewer, what should we use?

[acedriver]

Quote:

Originally Posted by Jet

If not using Windows Picture and Fax Viewer, what should we use?

Irfanview, XnView, Picasa, Acdsee

-------
more info:

Quote:

If you are infected you'll immediately notice because your desktop background will turn either black or blue and it will have a huge warning saying that you are infected, there will also be a warning and icon on your system tray telling you the same and prompting you to click on it to resolve the problem, however both warnings are fake and part of the virus to trick people into clicking and installing the rest of the trojan. At that point without clicking you will already be infected with a system you cannot change the desktop background to, several changes made to your registry and several .exe files placed in different areas of your system, you will also see that your system enters in a loop where everytime you restart the computer the same program tries to make you click and install the program, if you do then your system will be even more compromised.

This virus also tricks people cause it sends you to a page where supposedly you are going to buy an anti-spyware or anti-virus program, you ll be sending your information to a bogus site which will not give you any software at all. So far this is what I know about the virus, but there's lots more it can do and it appears there's several dangerous variants of it on the wild.

from neowin



That's what you will see on your system tray too if you are infected.

[peaz]

faststone viewer is also a pretty good viewer...

[aKho]

lucky i using ACDSee..
windows picture viewer not enough functions..

[acedriver]

I think it doesn't care what image viewer you use. As long it is executed, the worm start. If the file is saved locally DO NOT EVEN HOVER OVER IT!! Even if its on your desktop without a preview it will allow the exploit to run.

The only workaround right now is to unregister SHIMGVW.DLL.

[Chai]

So serious???

[Adrian Wong]

Hmm... I use Firehand Ember. It takes over the previewing and viewing of pictures. So do I still need to unregister that DLL?

[acedriver]

until Microsoft release a patch, you should unregister the dll..