
Very serious new Virus... one of the craziest ones I have ever seen. UPDATE!


Hazdaz
12-30-2005, 03:45 AM
http://forums.somethingawful.com/showthread.php?s=&threadid=1759903&perpage=40&pagenumber=1

Read up on it.... really serious stuff here.... (and one more reason why I think forums should NOT allow silly avatars and sigs)

There is a new exploit out that uses WMF (windows metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it, or access an infected image that is on your computer. That means the forums can be a vector for infection too. (In fact, user Blue Reptile has already been permabanned for putting the exploit in his signature.)


WHO IS VULNERABLE?
The exploit affects Firefox, Internet Explorer, and any other browser that displays or downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image type, or possibly other filetypes. Anything that puts the image exploit onto your computer or opens it up in windows fax viewer or the part of windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc.) can potentially cause the problem.

This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003). USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop, hover over with the mouse) that causes it to be handled by the windows subsystem responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.

This is serious stuff guys, so watch out... and this being a visual forum, I just wanted to give you guys the heads-up.

Jozvex
12-30-2005, 04:17 AM
Like.....woah!

Really scary!

Beamtracer
12-30-2005, 04:31 AM
This is a very major exploit, and should be taken very seriously by all Windows users.

eWeek is describing this exploit as "Another WMF" (Windows Major Foul-Up).
http://www.eweek.com/article2/0,1895,1906513,00.asp

The problem is Microsoft's image format, called WMF (http://en.wikipedia.org/wiki/Windows_Metafile). eWeek suggests that the WMF image format has been officially ruined. These image files will now always be riddled with malware, and the format should never be used again.

The exploit arises when you open a WMF image file that arrives in an email, or visit a website displaying WMF images.

USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser.
Using Firefox (http://www.mozilla.com/firefox/) reduces the risk, also because Firefox does not load pop-up ads by default (unlike IE that lets them through).

I would suggest using Firefox (http://www.mozilla.com/firefox/), going into the preferences, and setting it to display no images. Leave it that way until a better fix arrives.

Ideally, all browsers should be patched so that they never display WMF images.

Any application that automatically displays a WMF image will cause the user's machine to get infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all versions of Windows.
http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html

Also, don't click on any spam emails. Spam emails are enticing people with porn pictures, free software and other bait, but when you click on the link you get directed to a malicious website which is waiting to exploit your machine.

Another alternative would be to add Linux to your machine, which is immune to this exploit.
[Edit: see later post (http://forums.cgsociety.org/showpost.php?p=2945573&postcount=69) regarding this.]

Maneswar
12-30-2005, 04:44 AM
Wow. This really really sucks. Images / emoticons / avatars / pixels are everywhere. There's no hiding, except to keep using Firefox for now. I'm trying to find out if any AV vendors have a fix or even knowledge of this yet.

Maneswar

gardocki
12-30-2005, 04:49 AM
So what exactly does this exploit allow a virus or hacker to do once they get it on your machine?

Jozvex
12-30-2005, 05:06 AM
From the thread linked above:

WHAT DOES IT DO?The exploit can be used to drop viruses, trojans, installers etc onto your computer when the exploit is activated (when the file is parsed by the part of windows with the problem). It does not do anything by itself until it is activated. There have been several reports of trojans being downloaded, which then download other things, other spyware, etc. Some of these are "SpyAxe", "AYL" trojan downloader, "ASC" trojan, and other stuff. Here's a video of what this version is doing: http://www.websensesecuritylabs.com...s/wmf-movie.wmv (thanks Merijin).

So I guess it can do anything any other virus/trojan can do, because it can install them!

Beamtracer
12-30-2005, 05:09 AM
So what exactly does this exploit allow a virus or hacker to do once they get it on your machine?
I understand the initial ones are dropping a payload of adware and spyware into your computer. However, now that the exploit has been discovered, security experts fear that even more malicious variants will appear in the near future.

Hazdaz
12-30-2005, 05:28 AM
I have NEVER liked how some forums allowed signatures and avatars because of how messy they end up making the forum look... now it's much more than just an aesthetic issue, but a safety one.

Let's put it this way... someone could VERY easily sign onto this very forum, post up his avatar, and anyone that loads up his posts would be screwed. Not good. Not that I expect any forums to change their policies, but it's a risk nonetheless.

(if you read the link, someone on that forum did exactly that. Not sure if he did it on purpose or not, but either way that's some crazy shit)

NeOmega
12-30-2005, 05:34 AM
Not true hazdaz, lets not get hysterical.

Avatars are generally not wmf format, in fact I know very few forums that even support them.

Also, the picture has to be viewed with the windows media and fax viewer, which I believe is what browsers use, nonetheless, I expect firefox will soon have an option not to display .wmf files.

BTW, I have read google desktop almost guarantees infection.... I knew that program was a security nightmare waiting to happen... not to mention its use of the LSP stack causes all sorts of headaches with other applications.

Hazdaz
12-30-2005, 05:52 AM
Per the site:
"There is a new exploit out that uses WMF (windows metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it, or access an infected image that is on your computer. That means the forums can be a vector for infection too. (In fact, user Blue Reptile has already been permabanned for putting the exploit in his signature.)"

"The file could also be a WMF renamed to any other image type, or possibly other filetypes."

"if you then interact with the file in any way (thumbnail it, Google Desktop, hover over with the mouse) that causes it to be handled by the windows subsystem responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER."

Sometimes it is better to be a little "hysterical" than sorry... and in actuality, I don't think that term is warranted in this case, since in my mind 'hysterical' connotes something that really isn't a threat... while in this case it is a very real threat.


What would happen if you had an infected WMF file, renamed it into a GIF or JPG and then set that as your Avatar or sig?
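
The "WHO IS VULNERABLE?" post above and this rename question come down to the same fact: the WMF handler acts on what is in the file, not on the extension. The script below is an added example written for this thread, not code from any of the posts or the linked advisories. It identifies a WMF by its header (with or without the 22-byte placeable header), walks the records, and flags any META_ESCAPE record whose escape function is SETABORTPROC, the record the December 2005 exploit files carry. It never looks at the file name, so a WMF renamed to .gif or .jpg is classified the same way. The sample files are constructed inline and the escape payload is filler bytes, not shellcode; `scan_tree` is a convenience for pointing it at a browser cache directory.

```python
"""Identify WMF files by content and flag the SETABORTPROC escape record.

Added example for this thread; not code from the original posts or advisories.
Layout used here: optional 22-byte placeable header, 18-byte META_HEADER, then
records of (size in 16-bit words, function code, parameters) ending in META_EOF.
"""
import os
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # bytes D7 CD C6 9A at offset 0 of an Aldus placeable WMF
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009


def _has_meta_header(buf, off):
    """META_HEADER: Type (1 memory / 2 disk), HeaderSize == 9 words, Version 0x100 or 0x300."""
    if len(buf) < off + 18:
        return False
    mtype, hsize, version = struct.unpack_from("<HHH", buf, off)
    return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)


def parse_wmf(data):
    """Return (is_wmf, placeable, records); records is a list of (function, params bytes).

    The file name is never consulted: a renamed .wmf parses exactly like a .wmf.
    """
    off, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, off = True, 22
    if not _has_meta_header(data, off):
        return False, placeable, []
    off += 18
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6:                      # every record is at least 3 words; stop on garbage
            records.append((func, b""))
            break
        records.append((func, data[off + 6:off + size]))
        if func == META_EOF:
            break
        off += size
    return True, placeable, records


def classify(data):
    """Summarise one file's bytes: is it a WMF, and does it carry a SETABORTPROC escape."""
    is_wmf, placeable, records = parse_wmf(data)
    setabortproc = any(
        func == META_ESCAPE and len(params) >= 2
        and struct.unpack_from("<H", params, 0)[0] == ESCAPE_SETABORTPROC
        for func, params in records
    )
    return {
        "is_wmf": is_wmf,
        "placeable": placeable,
        "record_functions": [func for func, _ in records],
        "setabortproc": setabortproc,
    }


def scan_tree(root):
    """Walk a directory (e.g. a browser cache) and yield (path, result) for every WMF found."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)   # first 1 MiB covers the header and records
            except OSError:
                continue
            result = classify(head)
            if result["is_wmf"]:
                yield path, result


# --- constructed sample files (not real exploit files) ---------------------

def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"                 # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _with_header(body):
    size_words = (18 + len(body)) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, size_words, 0, 0, 0) + body


def _placeable_header():
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):
        checksum ^= word                  # XOR of the 10 preceding words
    return head + struct.pack("<H", checksum)


BENIGN_WMF = _with_header(_record(META_SETMAPMODE, struct.pack("<H", 8)) + _record(META_EOF))
PLACEABLE_WMF = _placeable_header() + BENIGN_WMF
# Escape record: EscapeFunction = SETABORTPROC, ByteCount, then filler bytes in place of data.
SUSPICIOUS_WMF = _with_header(
    _record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 8) + b"\x90" * 8)
    + _record(META_EOF)
)
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\x00" * 60   # JPEG SOI marker: not a WMF whatever the name says


if __name__ == "__main__":
    for label, blob in [("benign.wmf", BENIGN_WMF), ("renamed.jpg", SUSPICIOUS_WMF), ("photo.jpg", JPEG_LIKE)]:
        print(label, classify(blob))
```

A clean result from this check only means the file carries no SETABORTPROC escape; it is a triage filter for a cache or an upload directory, not a proof of safety, and the thread's workaround of unregistering the handler (or applying the vendor patch once it exists) is still what actually closes the hole.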

EricBartlett
12-30-2005, 06:05 AM
Checked out GRC.com(Gibson Research Center) and found a quick fix of sorts. Click here (http://www.grc.com/sn/notes-020.htm)
After running the fix, windows fax and picture viewer won't show thumbnails or run when you doubleclick a picture file. Hopefully a patch will be released soon as this is looking to be a very nasty exploit....

Stuff like this really gets me steamed...

NeOmega
12-30-2005, 06:08 AM
"The file could also be a WMF renamed to any other image type, or possibly other filetypes."


And as I already stated, you would need to open these in Windows Fax and picture viewer.

If you try to open them in a browser, you will get the broken picture symbol.

I am sorry, I should not have used the word hysterical, but I don't think it calls for disabling of signatures or avatars.

Any idiot can link to an infected website in their signature, they will not last on the forums long, but I don't know of any forums that allow the .wmf's for avatars.

Beamtracer
12-30-2005, 06:19 AM
It's not likely to be the avatars. It's the ads that may be a problem.

I'm sure this news from eWeek (http://www.eweek.com/article2/0,1895,1906965,00.asp) will make people very angry...
December 29, 2005 --- More adware networks are taking advantage of the Windows Metafile Format flaw, presenting exploited banner ads on Web sites.

Exploits of the WMF (Windows Metafile Format) flaw continued on Thursday as advertising networks took advantage of the vulnerability to spread their "products."

Several security lists and Weblogs warned that the Exfol adware network was presenting coded WMF images on rotating banner ads.

Researchers said that sites running pop-up advertisements from the network will infect viewers with vulnerable systems.

"You don't have to go to a crack site or a porn site," observed a posting on the blog of firewall vendor Sunbelt Software USA, of Clearwater, Fla.

"You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited," the posting continued.

As I write this, I notice that CGTalk has taken down all externally hosted advertisements. Just guessing, but maybe that is a precaution to protect users. Good move, if that's so.

tozz
12-30-2005, 10:23 AM
Windows Registry Editor Version 5.00

;Disable Windows Picture and Fax Viewer (removes its shell context-menu preview handler)
[-HKEY_CLASSES_ROOT\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview]

Don't think it'll solve anything, but can't remove too much of that Microsoft stuff ;)
(As usual you play with your registry at your own risk, this is from a part of my post-install script).

sirap
12-30-2005, 11:23 AM
This is bad..really bad. It's times like this that make me wish I had a mac

DanSilverman
12-30-2005, 12:25 PM
It's times like this that make me wish I had a mac

It is not the OS or the platform. It just happens to be what is targeted. These virus creators want to get the most "bang for their buck", so to speak, and so they attack Windows-based systems because most of the world uses Windows. If the world was a MAC world then the opposite would be true and people like you would be crying, "It's times like this that make me wish I had a PC!"

Joblh
12-30-2005, 12:29 PM
glad i got a mac :D

sirap
12-30-2005, 12:29 PM
doesn't matter to me, if using a mac till this problem gets solved keeps me safe, i'm all for it.

jAcK_sAmuRaI_jAcK
12-30-2005, 12:37 PM
Crazyy..So If I get infected and it tries to connect to spy servers to download spyware or virus and I have a firewall..wouldn't the firewall notice it connecting and ask for "my" permission?

after all the stupid piece of sand is my slave..:rolleyes:

eek
12-30-2005, 01:28 PM
err so this is like the .JPG virus that came out a year ago. Image based viruses have been out a while. Just updated norton.


eek

JeroenDStout
12-30-2005, 02:33 PM
Hooray for having world-wide open standards and not having to deal with this!

Oh, no, wait, wrong universe. :D

kaiser_pro
12-30-2005, 02:49 PM
it only affects IE and windows explorer (or anything using the ms .WMF libs) so firefox should be unaffected.

However if you make a habit of using your PC as a fax, or downloading and using .wmf files, then you might be screwed.


seeing as how no one in their right mind uses .wmf this will affect the people who still use an un-tied-down version of IE (and those people are beyond help anyway :P)

archerx
12-30-2005, 03:29 PM
I saw some guy named "blue reptile" getting permabanned in another big forum for uploading an image with that virus... so if any of you guys have forums keep an eye out...

sirap
12-30-2005, 03:32 PM
damn..this just gets worse by the minute.

I think i'll unplug my pc from the internet, i'll have to use my psp for browsing

BigJay
12-30-2005, 03:40 PM
The problem with WMF and a lot of MS' other media file formats is that they can contain links to the actual media, although in this case someone figured out how to create a version that links/embeds software. I avoid all of those asf/wmf formats. I've even run across Mov files that jump you to adware sites. It is not as common yet but I would not be surprised to see mov and divx based hacks show up. The new version of divx allows some advanced controls to get DVD like interfaces which means that it can be exploited if hackers took the time to hack it.

After hackers took advantage of the email and browser scripting and auto install features you would think they would check anything else they wrote that tried to do too much.

Tozz - what else does your setup script do?

chrisWhite
12-30-2005, 03:49 PM
Just hit the updates on everything, I'm not too worried.

animateddave
12-30-2005, 03:52 PM
I'm soooooo scared, oh wait I'm not.

SheepFactory
12-30-2005, 04:22 PM
solution: buy a $100 computer for internet use , use the workstation for work only.

JMcWilliams
12-30-2005, 04:24 PM
indeed, or you could dual boot your PC, two separate installs of windows. Then you just choose which one to boot up at startup.

knellotron
12-30-2005, 04:41 PM
indeed, or you could dual boot your PC, two separate installs of windows. Then you just choose which one to boot up at startup.

:banghead:

If you're going to dual-boot, why make both sides a high-maintenance, virus-prone OS?

JMcWilliams
12-30-2005, 05:14 PM
:banghead:

If you're going to dual-boot, why make both sides a high-maintenance, virus-prone OS?

when the software you use does not work on anything else :(

paintbox
12-30-2005, 05:26 PM
Would a knoppix live (or similar) boot be a good alternative for surfing ?

Hazdaz
12-30-2005, 05:30 PM
solution: buy a $100 computer for internet use , use the workstation for work only.
:rolleyes:

Where the hell is the logic in that??

Sooo next time you need an updated driver for your workstation, or Windows needed updating, or your actual work application itself needs a patch, what are you gonna do? What happens if you need to email a work file? How about needing reference material for a project off of Google?

Kai01W
12-30-2005, 05:44 PM
Apparently you can disable the function by:

regsvr32 -u %windir%\system32\shimgvw.dll

You won't have thumbnail preview anymore but it should keep you safe till the patch comes out.
If you wanna make sure. Rename the .dll file. Don't know if that might affect stability of some apps though

All the more reason not to boot into windows...

-k

Neil
12-30-2005, 07:13 PM
:rolleyes:

Where the hell is the logic in that??

Sooo next time you need an updated driver for your workstation, or Windows needed updating, or your actual work application itself needs a patch, what are you gonna do? What happens if you need to email a work file? How about needing reference material for a project off of Google?

Put the two computers next to each other and get a router. Doesn't seem that complicated to me.

SheepFactory
12-30-2005, 07:21 PM
:rolleyes:

Where the hell is the logic in that??

Sooo next time you need an updated driver for your workstation, or Windows needed updating, or your actual work application itself needs a patch, what are you gonna do? What happens if you need to email a work file? How about needing reference material for a project off of Google?


see neils post.

maybe if you spent %3 of the time you spent bitching on researching instead.. :rolleyes:

Hazdaz
12-30-2005, 07:22 PM
Put the two computers next to each other and get a router. Doesn't seem that complicated to me.

And then by linking them together, you have just exposed the workstation to all the ills of the evil interwebnets. Thus completely and utterly negating the point of having a separate and isolated PC.

SheepFactory
12-30-2005, 07:26 PM
i can think of quite a few ways to transfer files between the two without exposing the workstation to the internet. All I need to transfer is reference images anyway big deal , flash drives are quite cheap ;)

Not to mention you can dl and display all reference images on the cheap comp while working away on your workstation.

if i need a software update i can download that and put on the workstation computer same way. its not exactly rocket science hazdaz ;)

Hazdaz
12-30-2005, 07:48 PM
i can think of quite a ways to transfer files between the two without exposing the workstation to the internet. All I need to transfer is reference images anyway big deal , flash drives are quite cheap ;)

if i need a software update i can download that and put on the workstation computer same way. its not exactly rocket science hazdaz ;)

Do you seriously think before you post, or do you just like posting very erroneous and potentially dangerous things online - especially concerning such topics that can be quite serious???

You might wanna go back to one of the more lighthearted threads that you so foolishly post in, cuz in this one, you are posting information that is flat out wrong and some people might follow your advice and think they are secure when in fact they can very easily expose themselves to a virus. I can care less that you are wrong in those other threads - this one topic is just a little too serious to brush off your useless postings.

You obviously don't realize that viruses were around way before the internet was even invented - and in those days most of the time they were transmitted via exactly what you just mentioned... removable storage media. You transfer an infected file from one PC to the un-connected PC and you are royally screwed. Not only will the PC be infected, but since you so UNwisely kept it offline, it won't have an updated virus database either to help protect it.

And the idea that you can just transfer a software update or new virus database on a USB drive or burned CD is not only impractical, but might soon not be possible. More and more new programs need to update themselves directly from the internet (many of them do it for copy-protection reasons). Try updating Windows with a simple file transfer - it wants to directly connect to the Windows Update website so it knows what your current config is like and to download only what you need and what not to bother with.

But please continue with your idiotic advice... maybe we will be lucky enough that all your PCs get infected and trashed by a virus so we don't have to bother with your postings.

thatoneguy
12-30-2005, 07:50 PM
Why sirap? Have you been infected with it yet? I always hear about these huge security vulnerabilities, the end of the world and all that. How does it usually affect me? It wastes my time reading some paranoid news items, and in a few weeks I never hear from it again.

If my computer was melting down, I might get frustrated, but that doesn't happen. From time to time I pick up a random virus that doesn't seem to be doing anything, delete delete 5 minutes, oh my!

SheepFactory
12-30-2005, 07:55 PM
Do you seriously think before you post, or do you just like posting very erroneous and potentially dangerous things online - especially concerning such topics that can be quite serious???

You might wanna go back to one of the more lighthearted threads that you so foolishly post in, cuz in this one, you are posting information that is flat out wrong and some people might follow your advice and think they are secure when in fact they can very easily expose themselves to a virus. I can care less that you are wrong in those other threads - this one topic is just a little too serious to brush off your useless postings.

You obviously don't realize that viruses were around way before the internet was even invented - and in those days most of the time they were transmitted via exactly what you just mentioned... removable storage media. You transfer an infected file from one PC to the un-connected PC and you are royally screwed. Not only will the PC be infected, but since you so UNwisely kept it offline, it won't have an updated virus database either to help protect it.

And the idea that you can just transfer a software update or new virus database on a USB drive or burned CD is not only impractical, but might soon not be possible. More and more new programs need to update themselves directly from the internet (many of them do it for copy-protection reasons). Try updating Windows with a simple file transfer - it wants to directly connect to the Windows Update website so it knows what your current config is like and to download only what you need and what not to bother with.

But please continue with your idiotic advice... maybe we will be lucky enough that all your PCs get infected and trashed by a virus so we don't have to bother with your postings.


back to personal insults already hazdaz? typical of you.

Hmm not a single virus infection in 13 years , i must be doing something right. Who said you need to load windows on the cheap system? ever heard of linux?

I CAN connect the computer to internet if I need a windows update , you dont get viruses from microsoft.com . Stop being an alarmist and get some common sense.

Loverboy
12-30-2005, 07:56 PM
what are the effects of the viruz ?

I see nothing wrong with my computer but I re'installed windows couple of min ago, wouldnt mind doing it again to take all risks to minimum level.

kabojnk
12-30-2005, 08:01 PM
Do you seriously think before you post, or do you just like posting very erroneous and potentially dangerous things online - especially concerning such topics that can be quite serious???

You might wanna go back to one of the more lighthearted threads that you so foolishly post in, cuz in this one, you are posting information that is flat out wrong and some people might follow your advice and think they are secure when in fact they can very easily expose themselves to a virus. I can care less that you are wrong in those other threads - this one topic is just a little too serious to brush off your useless postings.

You obviously don't realize that viruses were around way before the internet was even invented - and in those days most of the time they were transmitted via exactly what you just mentioned... removable storage media. You transfer an infected file from one PC to the un-connected PC and you are royally screwed. Not only will the PC be infected, but since you so UNwisely kept it offline, it won't have an updated virus database either to help protect it.

And the idea that you can just transfer a software update or new virus database on a USB drive or burned CD is not only impractical, but might soon not be possible. More and more new programs need to update themselves directly from the internet (many of them do it for copy-protection reasons). Try updating Windows with a simple file transfer - it wants to directly connect to the Windows Update website so it knows what your current config is like and to download only what you need and what not to bother with.

But please continue with your idiotic advice... maybe we will be lucky enough that all your PCs get infected and trashed by a virus so we don't have to bother with your postings.

I don't see how your berating has much substance. And flaming isn't very cool, nor is it constructive.

thatoneguy
12-30-2005, 08:12 PM
Originally Posted by Sheep Factory
solution: buy a $100 computer for internet use , use the workstation for work only.


I don't know about you, but I'm usually working with CGtalk and google open on a second monitor. Reference and research. Pretty much essential in a work environment if you ask me.

SheepFactory
12-30-2005, 08:15 PM
yes so am I , the second computer is my reference and research computer tied to the second monitor with a switch that can be turned back to the primary computer in a second.

eek
12-30-2005, 08:21 PM
HEY! RESPECT THE SHEEP!
(sorry i dont like people making jibes at the mods)

If your machine(s) aren't connected to the net and the images are scanned, or came from respected sites, then I think it should be fine. Image based viruses have been around a long time. The whole .JPG thing blew over, MSN will bring out a patch soon enough - if you haven't got an antivirus/spyware installed and you get this you can only blame yourself.

eek

thatoneguy
12-30-2005, 08:33 PM
Haha, it's something of a knee-jerk reaction, no offense intended towards sheep. At least once a week, our IT guy comes in and insists on disconnecting us from the internet permanently. Each time we have to demand he reinstate it and leave us alone now and in the future.

RobertoOrtiz
12-30-2005, 08:44 PM
Keep it light people


-R

chrisWhite
12-30-2005, 09:03 PM
yes so am I , the second computer is my reference and research computer tied to the second monitor with a switch that can be turned back to the primary computer in a second.
Really interesting solution, I like the idea of having a switcher on the second monitor. Does mean having another box, mouse and keyboard laying around though. Interesting indeed. :thumbsup:

JMcWilliams
12-30-2005, 09:11 PM
Chris,
Just get yourself a KVM switch, only need one set of controllers then. One mouse, one keyboard, one monitor can be switched to control a number of computers.
Like so...
http://en.wikipedia.org/wiki/KVM_switch
:D

chrisWhite
12-30-2005, 09:20 PM
Sweet, I'm going to have to look into this further, might be a lot easier than keeping everything super locked down on my main workstation (cough). Might just be the perfect thing to save my current computer to do when I get a new computer, well that and rendering.

Beamtracer
12-30-2005, 09:40 PM
It is not the OS or the platform. It just happens to be what is targetted. These virus creators want to get the most "bang for their buck", so to speak
I really think Microsoft screwed up on this one. I mean, executable code in a WMF image file? That's asking for trouble.

I think there was once a "JPEG virus", but it was actually some other file type masquerading as a JPEG. It was actually an OS virus.

The '.wmf' file format is badly planned and insecure. That's the core reason for this exploit, not the market share of the OS.

Then there's ActiveX. Also insecure, and I'd go so far as to say that Microsoft designed it without security in mind. Yet in the Internet Explorer web browser, Microsoft leaves it switched on by default. One of the reasons the Firefox browser is more secure is that by default, ActiveX is not installed.

I think the reason for all these exploits is because Microsoft left the front door wide open for the intruders to come in.

Neil
12-30-2005, 10:17 PM
And then by linking them together, you have just exposed the workstation to all the ills of the evil interwebnets. Thus completely and utterly negating the point of having a separate and isolated PC.

Dude, i never said to link them together. It can be totally offline and you can turn your head to see the image/forum on the net connected computer. And if you need updates THEN you connect your computer and go to trusted sites. It's not like you'd download some porn .exe file on pc A and then just open it on pc B. That negates the whole point.

JeroenDStout
12-30-2005, 10:29 PM
I keep hoping there aren't viruses which become infectable through visuals. That you could watch this image on tv and next thing you know you're infected and can't help but spray-paint the image everywhere.

Hmm, there's a story in this.

I got copyright.

Schwinnz
12-30-2005, 10:43 PM
"Enjoy a world of opportunities with Microsoft Windows"

Leaves one to wonder what exactly they meant by "opportunities".

IHaveFirstController
12-30-2005, 10:45 PM
I just read about this on www.slashdot.org (http://www.slashdot.org)


Taken from http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html



Start Quote

A Microsoft spokesperson said the company is investigating, though no official word from them yet. A couple of security firms, including Verisign's iDefense (http://www.idefense.com/), have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.

End Quote


More information
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/29/AR2005122901456.htm
http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html

SheepFactory
12-30-2005, 11:06 PM
Really interesting solution, I like the idea of having a switcher on the second monitor. Does mean having another box, mouse and keyboard laying around though. Interesting indeed. :thumbsup:

nope , like already mentioned all you need is a switcher and you are set , just one set of keyboard and mouse is enough to control both computers.

That way you can have all the benefits and security of linux on one computer while running windows on your workstation to use your win only apps. its a win win. :)

IHaveFirstController
12-30-2005, 11:12 PM
<--Not at all a computer expert

I don't see at all what is wrong with Sheep Factory's idea of having a separate machine to access the internet. My workhorse hasn't tasted the net in 3 years :(. But it hasn't been too much of a hassle for me to update, maintain, and transfer files from other machines. (And that is me using public machines as opposed to one right next to it). Granted I don't use windows and am not vulnerable to this, couldn't you use something like md5 to verify file integrity before transferring to and from windows machine? For the paranoid. And as for antivirus software, could that help at all in detecting/deterring software exploits? Not to mention one that was recently released. I think they are best at detecting known viruses, trojans, etc, but what is to stop the image from loading new spyware/adware/keyloggers(shivers) in its place? Hope this gets fixed soon.

DrQuincy
12-30-2005, 11:24 PM
It is not the OS or the platform. It just happens to be what is targetted. These virus creators want to get the most "bang for their buck", so to speak, and so they attack Windows-based systems because most of the world uses Windows. If the world was a MAC world then the opposite would be true and people like you would be crying, "It's times like this that make me wish I had a PC!"

Windows platforms are more prone since they run services and you don't have to be a root user to do any serious damage (like you do on *NIX systems).

Zarf
12-30-2005, 11:28 PM
err so this is like the .JPG virus that came out a year ago. Image based viruses have been out a while. Just updated norton.


eek

AFAIK Its just a buffer overflow exploit. Such exploits are conceptually nothing new. Dont see why anyone would be amazed by how this works.


Windows platforms are more prone since they run services and you don't have to be a root user to do any serious damage (like you do on *NIX systems).


As far as I know Windows 'services' are typically used for the same things as 'daemon' processes on Unix. You can have a daemon that causes vulnerabilities in your Unix system just the same as you can have a service that causes vulnerabilities in your Windows system.

Regardless of this, it is true that Unix has a much better security model that makes it very easy to 'sandbox' any damage done by would-be attackers if they somehow manage to get in. We have 25 years' worth of literature in the computer science field that covers why this is, so I don't think it's worth going into here and now... people can always read a book.

Glad I'm on Unix for the moment (OSX).
Xarf

Zarf
12-30-2005, 11:36 PM
Nope, like already mentioned, all you need is a switcher and you are set; just one set of keyboard and mouse is enough to control both computers.

That way you can have all the benefits and security of Linux on one computer while running Windows on your workstation to use your Win-only apps. It's a win-win. :)

Even better than a switch (I think), I have my Mac/PC set up so that I just slide my cursor off the left side of my Mac's screen and it appears on the PC monitor.... keyboard focus is transferred to the PC at that point as well. I can string together as many computer systems as I like using
http://synergy2.sourceforge.net/

Like you said, it's a *total* win-win :)

Cheers
Xarf

SheepFactory
12-30-2005, 11:38 PM
Even better than a switch (I think), I have my Mac/PC set up so that I just slide my cursor off the left side of my Mac's screen and it appears on the PC monitor.... keyboard focus is transferred to the PC at that point as well. I can string together as many computer systems as I like using
http://synergy2.sourceforge.net/

Like you said, it's a *total* win-win :)

Cheers
Xarf

Excellent, I didn't know of that software. Thanks for the link, man.

IHaveFirstController
12-30-2005, 11:42 PM
Windows platforms are more prone since they run services and you don't have to be a root user to do any serious damage (like you do on *NIX systems).


Hi. Not to single you out, but I hear this a lot so...
I have *NOT* used all Linux distros, but aren't there some that run services like Samba (root privileges) after a default install?

As for serious damage, on my box, "rm -r ~" is about as serious as the damage can get :(

I am not trying to be the devil's advocate, but as it's been said, I think the fault lies with the authors who target windows because of its popularity.

edit

JDex
12-30-2005, 11:51 PM
You know... what's funny about this, is that MS is just noticing, or at least the world (I bet the MS team have known for a while).

Circa '99 a true digerati (uber-geek) showed me how a secure UNIX system could be hacked in about 3 hours, and while his system was doing so... he showed off about 20 ways to take control of a Windows (Win98) system... one involved the .wmf format. It was all way over my head, but was interesting nonetheless...

It's a trip!

Really though... Ali has illustrated the best way to feel secure on Windows... I don't regularly adhere to it... but if I was working on sensitive client data, or felt that there was something for me to worry about, I'd only surf on a dedicated system.

Just by being smart about my surfing/access habits, however... I've been virus/spyware free for over 6 years. It's not hard, not technical and certainly not impossible. Use common sense about where/how you surf, and there is little need for worry.

Zarf
12-30-2005, 11:56 PM
Hi. Not to single you out, but I hear this a lot so...
I have *NOT* used all Linux distros, but aren't there some that run services like Samba (root privileges) after a default install?

As for serious damage, on my box, "rm -r ~" is about as serious as the damage can get :(

I am not trying to be the devil's advocate, but as it's been said, I think the fault lies with the authors who target Windows because of its popularity.

edit

The fault lies with the Microsoft engineers who wrote code that was vulnerable to buffer overflow exploits. Having this occur in an essential component of the OS is pretty inexcusable (in this case, the GDI).

Most buffer overflow exploits in Unix-land occur in user-space code. They seem to be rather common in Windows 'kernel-space' code.... code written by Microsoft itself, though. Why is this tolerated by consumers if they want a secure OS?

Regarding your 'rm -r ~' statement: in Unix, barring a buffer overflow exploit, it's very difficult for an attacker to gain write access to parts of the system via an exploit in a process that is run by a user that only has read access to said parts of the system. It's for this reason that many standard daemons in Unix have their own user (I don't know about Samba being run as root on a default install, but that sounds pretty scary to me).

Lesson: don't run untrusted applications as a user with enough permissions to wipe out your home directory or other important files.

Cheers
Xarf

Beamtracer
12-30-2005, 11:57 PM
I don't know how any IT manager running a corporate network on Windows could really claim that their system is secure with this sort of thing going on.

The end result is that just surfing to a website could cause Trojans and malware to be installed on the victim's computer.

I wouldn't mind betting that this current exploit causes more corporations to switch to Linux.

Windows platforms are more prone since they run services and you don't have to be a root user to do any serious damage (like you do on *NIX systems).

This is very true when comparing Windows to Linux and Mac OS X, which are both UNIX-derived OSes.

Take the recent example of music Compact Discs that installed 'rootkit' malware when the victim put the CD into the computer. These CDs had malware for both Windows and Mac OS X, yet it was the Windows users who got infected.

The reason is that the malware had difficulty penetrating the UNIX permissions of OS X. When the CD was inserted into a Mac, the OS issued 2 security warnings which the user had to click on, and in addition the user had to enter an administrator password before the malware could infect the OS.

However on Windows, the malware went straight through and infected the kernel (core of the OS).

Microsoft just isn't addressing security in a serious way. Rather than dwelling on it for days to find a way to preserve its precious WMF media format, they should just dump it tomorrow. They should issue a patch for Windows so that in its default setting it does not display any file ending in '.wmf'. That would bring a swift end to the current woes.

IHaveFirstController
12-31-2005, 12:16 AM
The fault lies with the Microsoft engineers who wrote code that was vulnerable to buffer overflow exploits. Having this occur in an essential component of the OS is pretty inexcusable (in this case, the GDI).

Most buffer overflow exploits in Unix-land occur in user-space code. They seem to be rather common in Windows 'kernel-space' code.... code written by Microsoft itself, though. Why is this tolerated by consumers if they want a secure OS?

Regarding your 'rm -r ~' statement: in Unix, barring a buffer overflow exploit, it's very difficult for an attacker to gain write access to parts of the system via an exploit in a process that is run by a user that only has read access to said parts of the system. It's for this reason that many standard daemons in Unix have their own user (I don't know about Samba being run as root on a default install, but that sounds pretty scary to me).

Lesson: don't run untrusted applications as a user with enough permissions to wipe out your home directory or other important files.

Cheers
Xarf


Hi Xarf, thanks for the response.
I agree poor code does share blame in this happening; I just wanted to point out that the reason this is a problem is largely due to the people responsible for exploiting the vulnerabilities, and the reason the problem seems to plague Windows is due to its popularity.

Again, I am not at all a computer/security expert. 3D artist first, hobbyist second.
As per samba

http://www.kb.cert.org/vuls/id/457622

from that article made public 11/15/2004

quote
A remote attacker could execute arbitrary code. The Samba daemon (smbd) typically runs with root privileges, in which case an attacker could gain complete control of a vulnerable system. An attacker may also be able to mount a denial-of-service attack.
endquote

Regarding my statement about "rm -r ~"
and my disclaimer: again I am NOT a computer expert, or Linux expert, so this is really more of a question to those in the know.

I am wondering how well a similar attack would fare if I were using something like Firefox, Konqueror, Gaim, and the like. All of these processes are run by me, the user. I the user have read and write privileges to home (~), so what makes Linux so different that my data, my years of work, my music, and all would not be wiped out from a command executed in my name?

There is NO sarcasm in that statement; I honestly don't know if there is a difference in how this type of attack would affect a *nix system. Please reply.

Thanks

MadMax
12-31-2005, 12:17 AM
There is a slight bit of misinformation about this subject.

It is true that Firefox and Mozilla are affected by it, but there is a HUGE difference between HOW it affects those vs. IE.

IE automatically runs the crap, and allows it to install and run .exe files.

Firefox and Mozilla have one very slim advantage in that the pop-up blocker, if enabled, will stop the attack. Apparently the attack tried to install something that appears to be an anti-virus scanner.

I ran into this about a week before I heard about this exploit while searching for reference materials; a link I clicked on redirected somewhere, and I got hit with a pop-up window asking me to allow Wankerantivirus.exe to install and run. I immediately cancelled and backed out of the site.

However, there are far too many people that are just stupid enough to click OK.

Beamtracer
12-31-2005, 12:47 AM
solution: buy a $100 computer for internet use , use the workstation for work only.
Using Linux is a better way around this security nightmare.

Partition your hard drive. Use one partition for Windows, the other for Linux. Alternately, use a second drive for Linux.

For beginners, download one of the easier flavors of Linux, such as Ubuntu Linux (http://www.ubuntulinux.org/), which is free to download. Install it on your spare partition. It comes with the OpenOffice word processor suite, as well as Firefox web browser.

Now you can keep doing your 3D work in Windows. When you want to surf the web, reboot your machine into Linux. By doing all your web surfing in Linux you will be completely safe and immune from this current '.wmf' exploit.

One PC with 2 operating systems.

SheepFactory
12-31-2005, 01:05 AM
Using Linux is a better way around this security nightmare.

Partition your hard drive. Use one partition for Windows, the other for Linux. Alternately, use a second drive for Linux.

For beginners, download one of the easier flavors of Linux, such as Ubuntu Linux (http://www.ubuntulinux.org/), which is free to download. Install it on your spare partition. It comes with the OpenOffice word processor suite, as well as Firefox web browser.

Now you can keep doing your 3D work in Windows. When you want to surf the web, reboot your machine into Linux. By doing all your web surfing in Linux you will be completely safe and immune from this current '.wmf' exploit.

One PC with 2 operating systems.


That is what I am trying to say. By using a secondary cheap machine with Linux and a switcher you don't have to reboot the machine every time you want to surf the net; you can do it while working.

kwshipman
12-31-2005, 04:22 AM
I basically do what Sheep has said, except that my work computer is a laptop and my internet/gaming system is a rather powerful desktop. My laptop stays off-line 90% of the time, only connecting to upload to my website or to send an email via Thunderbird if I'm not at home.

I love this because my work laptop's hard drive stays so clean. My desktop machine gets littered with game demos, freeware and all the various internet crap that makes its way onto one's machine. My laptop has only the programs that I need for school.

As far as updates, well, the vast majority of Windows updates are security patches. So if I'm not using my laptop for internet access, then I don't really need the patches. (although I do occasionally) And as stated, most other programs update themselves. I don't think that I have much of a risk if my laptop is only connected for a moment to let Photoshop update itself. I could be wrong, and if anyone has evidence of viruses being installed when an Adobe product or Windows or any other program updates itself then let me know.

I strongly considered getting my wife a Mac mini for her to use as she only needed internet and Photoshop. If I was going to have a cheap internet-only terminal I would definitely go Mac.

Dual-boot is definitely an option, but severely limits the usage of your PC in times of rendering. With two machines, I can have my work machine rendering and still be able to surf/play games on the other one.

I've had my machine crippled at the height of a deadline enough to never want to have my work machine online again.

Stahlberg
12-31-2005, 07:45 AM
Yeah, I got a similar setup to what Sheep is talking about. I also use Kaspersky antivirus software, much better than damn Norton's.

Hmm, there's a story in this.
I got copyright.

Sounds a lot like Snowcrash... and even a bit like Halloween 3. :)

kaiser_pro
12-31-2005, 01:23 PM
Samba running as root isn't that much of a problem, because you still have to be root to change where/what Samba can access.

But more to the point, how many worms have you seen in the last year that are rampant and target a non-Windows system?

Two:
Blaster,
and whatever that Bluetooth virus was (at this point I should point out that Symbian OS is installed on a comparably large amount of devices to the PC)


the defence rests

JTF
12-31-2005, 01:40 PM
I am so happy this thing doesn't affect Mac. I have to get my friends tons of anti-virus stuff though.

chrisWhite
12-31-2005, 02:32 PM
So how hard is it to set up a dual boot with Linux if you've got a free, unformatted partition ready for it? I've had Windows running for a little over a month, but I intentionally left a partition clear for Linux. But I read that you need to have the dual boot loader set up from the beginning, is that true?

Yeah, I got a similar setup to what Sheep is talking about. I also use Kaspersky antivirus software, much better than damn Norton's.

No kidding, Norton sucks big time.

JeroenDStout
12-31-2005, 02:53 PM
sounds a lot like Snowcrash... and even a bit like Halloween 3. :)
Egads! I should've known.

Well, I did know somebody had thought of this before me. It was either knowing that or being very disappointed with the world :p

ajchung
12-31-2005, 03:10 PM
AFAIK it's just a buffer overflow exploit. Such exploits are conceptually nothing new. Don't see why anyone would be amazed by how this works.

The WMF exploit is not a buffer overflow exploit, but is a legacy design flaw. The Windows Metafile format was designed as far back as the Windows 3.1 operating system when few PCs were networked, and mostly Unix and VAX machines were connected to the Internet. The engineers thought it was a good idea to allow WMF to register callback functions (http://www.eweek.com/article2/0,1895,1906676,00.asp) that would get executed under certain circumstances. Fast forward to 2005 when Windows 2000/XP is marketed as an Internet-ready OS, but still supports this legacy feature of WMF files being able to execute arbitrary code. No one thought it important enough to harden all the multitude of file formats accumulated over the years. But guess what? The cracker community has been actively probing Windows for flaws and discovered this early 1990s feature can be used for their nefarious purposes. Instead of Microsoft auditing the billions of lines of code, they're actually relying on the criminal cracker community to do the grunt work for them, and then discovering the exploits after they go wild through a system known as the Strider HoneyMonkey project (http://research.microsoft.com/HoneyMonkey/). It's more cost effective to them, however the consumer bears the brunt of the risk as exploits need to be in the wild, doing untold damage to users, in order to be discovered and later dealt with.
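Since the flaw is a legacy record type rather than a memory-corruption bug, a defender can look for it by content. The scanner below is an added example written for this thread (not code from any poster or from Microsoft): it identifies a WMF stream by its header rather than its file extension (so a renamed .jpg is still caught), walks the record list without trusting the file's own size fields, and flags any escape record whose function is SETABORTPROC (escape function 9, the callback-registering escape from the WMF specification; the thread itself only mentions "callback functions"). The sample files are constructed inline and carry no payload.

```python
"""Content-based WMF scanner: flags the SETABORTPROC escape record.

Constructed example for this thread; record layouts follow the public
WMF specification (META_HEADER, META_ESCAPE, META_EOF).
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape function that registers a callback


def is_wmf(data: bytes) -> bool:
    """Decide by content, not extension, whether data is a WMF stream."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
        return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)
    return False


def scan_wmf(data: bytes) -> dict:
    """Walk the record list and report escapes and size anomalies.

    Record sizes come from the untrusted file, so every size is checked
    against the buffer before it is used; a bad size ends the walk.
    """
    result = {"is_wmf": False, "escapes": [], "setabortproc": False, "malformed": []}
    if not is_wmf(data):
        return result
    result["is_wmf"] = True
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += 18  # META_HEADER is always 9 WORDs
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            result["malformed"].append({"offset": off, "size_words": size_words, "function": func})
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE:
            if size < 10:  # needs EscapeFunction and ByteCount after the 6-byte prefix
                result["malformed"].append({"offset": off, "size_words": size_words, "function": func})
                break
            esc_func, _byte_count = struct.unpack_from("<HH", data, off + 6)
            result["escapes"].append(esc_func)
            if esc_func == SETABORTPROC:
                result["setabortproc"] = True
        off += size
    return result


# --- constructed sample files (not real captures) ---------------------------

def _record(func: int, params: bytes = b"") -> bytes:
    """Build one record: RecordSize in WORDs, RecordFunction, parameters."""
    assert len(params) % 2 == 0, "WMF records are WORD-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    """Wrap records in a META_HEADER (disk type, version 3.0)."""
    body = b"".join(records)
    max_record = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return header + body


BENIGN = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)])
# An escape record with function 9 and no payload: the marker only, not an exploit.
SUSPECT = build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)), _record(META_EOF)])
PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0) + SUSPECT
# A record claiming 100 WORDs inside a 26-byte file: the size field must not be trusted.
OVERSIZED = build_wmf([struct.pack("<IH", 100, META_SETMAPMODE) + b"\x00\x00"])
JPEG_LIKE = b"\xff\xd8\xff\xe0" + bytes(20)   # a real JPEG prefix is not a WMF

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN), ("card.jpg", SUSPECT),
                       ("placeable.wmf", PLACEABLE), ("oversized.wmf", OVERSIZED),
                       ("photo.jpg", JPEG_LIKE)]:
        print(name, scan_wmf(blob))
```

Running the block prints one result line per constructed sample; `card.jpg` is reported as a WMF with `setabortproc` set even though its name says JPEG, and `oversized.wmf` is reported as malformed instead of being walked past the end of the buffer. Any escape function other than SETABORTPROC is still listed under `escapes` so an analyst can review it.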

rblitz7
12-31-2005, 03:18 PM
Good thing I'm on a Mac. :D

ajchung
12-31-2005, 03:22 PM
So how hard is it to set up a dual boot with Linux if you've got a free, unformatted partition ready for it? I've had Windows running for a little over a month, but I intentionally left a partition clear for Linux. But I read that you need to have the dual boot loader set up from the beginning, is that true?

No. You can replace the boot loader at any time. Many modern Linux distros can even resize an NTFS partition so in some cases you can install Linux even though there is just a single Windows partition on the drive. Linux installation has advanced a great deal over the years, however graphics card autodetection and autoconfiguration still leave much to be desired.


No kidding, Norton sucks big time.

Norton can also be as tough to remove as that Sony BMG rootkit.

ThirdEye
12-31-2005, 03:29 PM
Norton can also be as tough to remove as that Sony BMG rootkit.

Norton is a virus.

ajchung
12-31-2005, 03:36 PM
Using Linux is a better way around this security nightmare.

By doing all your web surfing in Linux you will be completely safe and immune from this current '.wmf' exploit.


I am a strong advocate of Linux, however those who claim that a dual boot system would be immune to Windows exploits are committing the big mistake of thinking that security is a property of the products one uses. Nothing can be further from the truth, and anyone reading the writings of Bruce Schneier (http://www.schneier.com/) would know that security is a process. If the user adopts the practice of using Linux to download archives that could contain malware-infected WMF files, but then boots into Windows to dearchive and browse the contents, he is no more secure than before, because he has adopted a process that is inherently insecure. It has nothing to do with the products that he's using, but rather, the practices that one adopts when using products, all of which will have design flaws. Be aware of the risks and vulnerabilities of the tools you use, then adapt your working process to use them in a secure manner that minimises your risk.

Maneswar
12-31-2005, 03:53 PM
I am a strong advocate of Linux, however those who claim that a dual boot system would be immune to Windows exploits are committing the big mistake of thinking that security is a property of the products one uses. Nothing can be further from the truth, and anyone reading the writings of Bruce Schneier (http://www.schneier.com/) would know that security is a process. If the user adopts the practice of using Linux to download archives that could contain malware-infected WMF files, but then boots into Windows to dearchive and browse the contents, he is no more secure than before, because he has adopted a process that is inherently insecure. It has nothing to do with the products that he's using, but rather, the practices that one adopts when using products, all of which will have design flaws. Be aware of the risks and vulnerabilities of the tools you use, then adapt your working process to use them in a secure manner that minimises your risk.

And that is exactly what Hazdaz was pointing out 3 pages ago.

Maneswar

Beamtracer
12-31-2005, 04:21 PM
So how hard is it to set up a dual boot with Linux if you've got a free, unformatted partition ready for it? I've had Windows running for a little over a month, but I intentionally left a partition clear for Linux.

Give Linux a go, Chris. Especially if you have a clear partition. I'm no Linux expert... others here can give you more in-depth advice, but I've downloaded and installed it and it is wonderful. You can surf the net using your existing PC and be completely immune from this latest '.wmf' exploit.

My suggestion is Ubuntu (http://www.ubuntulinux.org/) for its ease of use, but there are many other 'flavors (http://en.wikipedia.org/wiki/List_of_Linux_distributions)' of Linux.

x86 users can run Linux and Windows on the same partition, but it's easier and safer just to give Linux its own partition. PowerPC (Macintosh) users must use separate partitions for Mac OS X and Linux.

You download the disk images from the Linux distributor, burn them to CDs, then install them onto your spare partition.

I am a strong advocate of Linux, however those who claim that a dual boot system would be immune to Windows exploits are committing the big mistake that security is a property of the products one uses.

We're talking about a way PC users can do normal web surfing without having to worry about getting infected by the '.wmf' exploit. Linux is immune to this exploit. Now if someone downloaded an infected WMF file, then copied it over to their Windows partition and then launched that file in Windows they could get infected, as you say. But that would take a lot of user input to achieve, and everyone now knows not to play with WMF files.

Mac OS X is also immune from the exploit, but if you deliberately copied a '.wmf' file from a Mac to a Windows PC it might get infected. But nobody in their right mind is going to do that! :argh:

While surfing the web with Linux you are immune from this exploit. I think that's what people want.

mummey
12-31-2005, 04:31 PM
There aren't as many reasons to dual-boot anymore. Hardware has gotten cheap enough that having two machines isn't the luxury it once was. (After all, how many of us have one PC and one Mac, or one desktop and one laptop.)

Dual-booting is still the hassle it always has been, and it doesn't look to change anytime soon. In my opinion, it's better to just buy a cheap Dell and throw Linux on it than mess with the problems that dual-booting can create.

JMcWilliams
12-31-2005, 04:39 PM
It can be a pain to dual boot, but I have the net connection on both.

I have my "music composing" boot which is clean except for my sequencing and synth software (GigaStudio is a bit flaky) and then I have my "naughty" boot, where I can play games and do whatever I want without worrying about messing up the other software by installing a new driver or whatever nonsense reasons can cause GigaStudio to stop working :argh:

I have multiple computers, but I found that to be more painful to use than dual boot, even with my KVM switch. Each to their own I guess. :D

Kai01W
12-31-2005, 05:33 PM
You do not necessarily need a free partition to install Linux. Most installers (at least SuSE's does) can shrink your Windows partition to the size you specify, making space for Linux.
Really, if it's just about web surfing, it's no problem anymore to get a dual boot system (I'd rather wait half a minute to reboot than pay for another machine). Most installers are really easy to handle.

In any case, on Windows you could still surf in a virtual system... never did it myself but it should make you safe.

-k

chrisWhite
12-31-2005, 05:59 PM
I'm downloading Kubuntu now :bounce:

So it looks like I can just point the installer at the free, unformatted partition and it will handle the rest? Do I need to install a dual boot loader first or is that done automatically?

Neil
12-31-2005, 06:30 PM
AVG is another free, good anti-virus software.

Beamtracer
12-31-2005, 11:22 PM
I'm downloading Kubuntu now :bounce:

So it looks like I can just point the installer at the free, unformatted partition and it will handle the rest? Do I need to install a dual boot loader first or is that done automatically?

The Ubuntu Linux installer should do it automatically. Just be careful not to select the install option to 'erase disk', as you don't want to erase the entire disk (only the free partition).

Once again, I'm no Linux guru, but it works for me. I'll point you to the Ubuntu Linux official installation guide which answers many questions about installing Linux:
https://wiki.ubuntu.com/Installation

Also check out the Ubuntu FAQ (http://help.ubuntu.com/starterguide/C/faqguide-all.html), Wiki (https://wiki.ubuntu.com/), and forums (http://ubuntuforums.org/)

thatoneguy
01-01-2006, 01:05 AM
I repeat my earlier question. Everyone here is freaking out, but does anybody even know anybody who knows somebody who has gotten infected yet?

As I see it, I can spend a crapload of time dealing with all of Linux's idiosyncrasies, or I can take my chances with a basic firewall. Even if I did get infected, the removal process would be shorter and easier than dual booting.

Linux is free if you don't value your time.

Norton is a virus; I still can't get rid of some of its registry entries.

kabojnk
01-01-2006, 01:10 AM
I have yet to be infected. I'm not worrying, either. I have AVG and common sense. That and I run Linux on most of my machines. I doubt it's much of a big deal. :rolleyes:

By the way, this is what Microsoft has to say:


UPDATE:
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

Martinos
01-01-2006, 12:14 PM
I came upon this thread yesterday and thought nothing of it.
I don't surf to obscure sites or click spam mail.
Right after, I Google and BAM, there it is; my virus scanner caught it and tried to delete it but couldn't, so it quarantined it.
After slapping myself in the face for not defending myself against this virus, I was determined to counteract this virus.
I had Hitman Pro installed and ran it after I rebooted in safe mode.
After that I did a Microsoft online virus scan and a Trend HouseCall online virus scan.
I hope that did the trick; haven't had any problems.... yet..

Keeping fingers crossed.
Any way to know if it's really gone?

Beamtracer
01-01-2006, 12:42 PM
Martinos, I'm sorry to hear that you have been done by this exploit.

Any way to know if it's really gone?
You know when you've got rid of it when you erase everything on your hard drive! :sad:

I don't mean to be sarcastic, but this exploit provides a means for someone with malicious intent to install whatever they want on your computer. It could be adware, or a virus, or spyware, or a rootkit that operates in stealth mode. It could be anything.

Chewey
01-01-2006, 02:51 PM
I came upon this thread yesterday and thought nothing of it.
I don't surf to obscure sites or click spam mail.
Right after, I Google and BAM, there it is; my virus scanner caught it and tried to delete it but couldn't, so it quarantined it.
After slapping myself in the face for not defending myself against this virus, I was determined to counteract this virus.
I had Hitman Pro installed and ran it after I rebooted in safe mode.
After that I did a Microsoft online virus scan and a Trend HouseCall online virus scan.
I hope that did the trick; haven't had any problems.... yet..

Keeping fingers crossed.
Any way to know if it's really gone?

Having had to deal with my college-aged daughter's computer infections on a regular basis,
I've found that using "HijackThis" is pretty helpful in determining if some remnant of malware is still present on the machine.

Here's a link that should give you one method of removing a dll that couldn't be removed using a number of the most well known spyware removal applications. I had the ddabx.dll
file and was able to get rid of it using the instructions provided in this link.

http://www.bleepingcomputer.com/forums/topic18610.html

bluemagicuk
01-01-2006, 04:37 PM
I got this last week and every time I restarted it came up with netsh.exe in a command prompt and ZoneAlarm was going mental blocking various apps. I just formatted in the end after trying various fixes.

Martinos
01-01-2006, 05:55 PM
If Microsoft isn't releasing a patch soon, I'm gonna format, I guess..
Better safe than sorry..
Just need to sort out 150GB of stuff on my HD :(

JeroenDStout
01-01-2006, 07:32 PM
I came upon this thread yesterday and thought nothing of it.
I don't surf to obscure sites or click spam mail.
Right after, I Google {...}

It's the infamous "Don't look back!" curse!..

Tell people there is a dangerous image based virus on the internet and they Google it.
You just have to love that :)

PhilOsirus
01-01-2006, 08:14 PM
I have yet to be infected. I'm not worrying, either. I have AVG and common sense. That and I run Linux on most of my machines. I doubt it's much of a big deal. :rolleyes:

By the way, this is what Microsoft has to say:

I did that and, as I understand it, you can no longer view thumbnails on your computer. At least here this is what it did, which really sucks. :/

Kai01W
01-01-2006, 08:40 PM
I repeat my earlier question. Everyone here is freaking out, but does anybody even know anybody who knows somebody who has gotten infected yet?
[/Offtopic]
What does it matter? There are several news reports stating this security issue is there, there are enough reports from various sources that state that the number of harmful web pages exploded over the last days, today I read there is a new year's greeting card floating around which uses this hole (it's named a .jpg but in reality is an infected WMF), etc. etc. What does it matter if you know somebody personally who has been infected?


As I see it, I can spend a crapload of time dealing with all of Linux's idiosyncracies, or I can take my chances with a basic firewall. Even if I did get infected, the removal process would be shorter and easier than dual booting.

Linux is free if you don't value your time.


On the one hand you say you don't mind the risk of getting the virus because removing it would not take much time (how do you know this, ever had such a thing? The people I know that had viruses usually lost lots of time removing it); on the other hand you say your time is too valuable to try out Linux or dual boot.
Nobody said you should switch your whole workflow to Linux (which indeed is quite a hassle). If you need it just for web surfing there is nothing to learn. Most installers will do everything for you unless you have some more special hardware; all you have to do is click on the Firefox icon once it has booted.

-k

JDex
01-01-2006, 09:10 PM
Lemme just say one more thing to the Windows users (who want/need to stay with it) worried about this sort of thing... Prepare your computer for disaster now, and should something happen, you won't be freaking out.

Reformat your system drive, and reinstall everything... don't hook to the web yet.

Get all your settings the way you want them in the apps and OS.

Hook up to the web, from behind a good hardware (not software) firewall. Then do windows update and virii/adware definitions updates (nothing else with the web yet).

Disconnect from the web... run Ghost on your system drive.

Now surf porn, or whatever floats your boat.

When disaster strikes... let Ghost flatten the infection by giving you back your computer in about an hour. It's a lot less hassle than bitching and moaning about how your life was ruined because an inept coder didn't plug all the holes.

SheepFactory
01-01-2006, 09:39 PM
I did that and as I understand it you can no longer view thumbnails on your computer. At least here this is what it did, which really sucks. :/

Install XNview, a free and awesome image browser, and you can display thumbnails with its browser.

Kai01W
01-01-2006, 10:01 PM
Install XNview, a free and awesome image browser, and you can display thumbnails with its browser.

Well, XNview might look for and then reregister the problematic .dll and then you sort of did it for nothing.
Not sure though, maybe it uses its own mechanism...
It's a great tool though.

And apparently also in this case it really helps A LOT if you're not working/surfing as a user with admin rights...

-k

SheepFactory
01-01-2006, 10:10 PM
I don't think it uses the Windows fax and pic viewer for its thumbnails. I disabled that already.

NeptuneImaging
01-01-2006, 10:19 PM
Thank god, I keep a tight lid on what is done on my home computer. I am getting another one custom built so that I can use XSI on Linux. Since most of my relatives are not computer literate, I have to tell them what to be careful of.

After I heard about this problem a little bit ago (from here of course), I started dumping RTF, DOC, PDF onto my external HD because I have novels that I would lose forever. And plus I don't allow anyone at home to use crap software and I am mostly on XSIBase, IGN, and CGTalk anyway, so I keep my pc clean as possible.

I just downloaded Ubuntu Linux and burned it to a CD for future intent. I also hope my 3D apps will work on it. And plus I will keep a restricted partition for windows.

HA!

Beamtracer
01-02-2006, 06:05 AM
I just downloaded Ubuntu Linux and burned it to a CD for future intent. I also hope my 3D apps will work on it.
Ubuntu (http://en.wikipedia.org/wiki/Ubuntu_Linux) is a great version of Linux for those wanting to do web surfing to avoid the '.wmf' exploit. But if you want something to run your 3D software, it's best to check which distribution (http://en.wikipedia.org/wiki/Linux_distribution) of Linux the 3D app vendor recommends.

If Microsoft isn't releasing a patch soon, I'm gonna format I guess...
Better safe than sorry...
My understanding of this "virus" is that it creates a hole in Windows security, like leaving the front door open so anyone can walk in and put other malware inside your computer. When Microsoft finally gets around to patching it, it will be like they close the front door so more malware can't get in. However, I doubt a patch will get rid of the malware that has already entered your computer.

I don't know why Microsoft doesn't release a patch that stops the OS from reading '.wmf' files, or .wmf files posing as other files. The patch could also stop executable code and 'callback' functions running from .wmf files. I guess it's harder to create such a patch than it seems.

JeroenDStout
01-02-2006, 07:05 AM
If their code is like mine they just have to change one boolean but forgot to document everything and have to search through a thousand files to find out which boolean.

EDIT: Employers, this was a joke. ;)

amannin
01-02-2006, 08:52 AM
Anyone mind elaborating on the whole BASH Norton brigade we have going on here? Are you guys referring to its antivirus only, or the firewall as well? --- what's the problem(s)?

I'll Google it once some valid, not biased, issues are brought up...

otherwise, I haven't had any problems related to it (that I know of).

ajchung
01-02-2006, 09:58 AM
My understanding of this "virus" is that it creates a hole in Windows security, like leaving the front door open so anyone can walk in and put other malware inside your computer.

The correct term is exploit or vulnerability. Calling the WMF callback vulnerability a virus just adds to the confusion already prevalent in this thread. Users are mistaken in believing that a virus scan and a firewall will protect against future attacks that exploit this particular design flaw. Any exploit can be embedded in a variety of attack vectors: email worms, malware websites, and chat messages for instance. In general, a virus scan or firewall can only be updated or configured to protect against specific attack vectors, and not the entire class of malware devised through cracker ingenuity to use a given vulnerability -- unless it broadly blocks legitimate files. For instance you can filter out all image files to avoid WMF content, but then you might as well stop surfing the Net.

F-Secure is currently tracking the active development of new attack vectors (http://www.f-secure.com/weblog/archives/archive-012006.html#00000761) exploiting the WMF vulnerability by the malware community. There is a "Happy New Year" email that contains a WMF image as an attachment. A day earlier a new worm emerged (http://www.f-secure.com/weblog/archives/archive-122005.html#00000757), also in WMF form, that spreads via instant messages on the MSN Messenger network. Just yesterday a WMF Metasploit framework module (http://www.f-secure.com/v-descs/pfv-metasploit.shtml) was released on cracker sites that will allow any script kiddie to generate WMF exploiting attacks in a highly variable format -- random file lengths, polymorphic shell code, randomised WMF records, etc. Internet Storm Center reports (http://isc.sans.org/diary.php?rss&storyid=996) that "This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures." So expect a lot more WMF attacks to start appearing on the Net.

To add even more confusion for the poor PC user, it seems that disabling shimgvw.dll does not protect against all WMF exploits. There are reports (http://www.viruslist.com/en/weblog?discuss=176892530&return=1) of a WMF worm infecting PCs that had this DLL unregistered, by using the gdi32.dll library instead.


I don't know why Microsoft doesn't release a patch that stops the OS from reading '.wmf' files, or .wmf files posing as other files. The patch could also stop executable code and 'callback' functions running from .wmf files. I guess it's harder to create such a patch than it seems.

WMF is legacy code. It is difficult to change it without breaking a whole lot of features built on top of it. However, there is an unofficial patch (http://www.hexblog.com/2005/12/wmf_vuln.html) that IT security specialists have tentatively been endorsing (http://isc.sans.org/diary.php?rss&storyid=996) while we wait for Microsoft's official patch. This fix will remove the callback feature while leaving thumbnail and Explorer image browsing intact; however, it is likely to break a few things since it disables a call in gdi32.dll itself.

Another worry is that, so far, only one callback (the SetAbortProc subfunction of Escape()) has been exploited, and it has gone undetected since Windows 3.0 was released in 1990. The fear is that there will be others buried deep in the GDI code.

Beamtracer
01-02-2006, 11:06 AM
Great post, Adrian.
The correct term is exploit or vulnerability.

Yes, the word virus was not accurate, hence it was in quotations. But you're right. I'll refer to it as an exploit in future.

you can filter out all image files to avoid WMF content, but then you might as well stop surfing the Net.

Pity there is no way to filter out .wmf files without also blocking all other image types.

So expect a lot more WMF attacks to start appearing on the Net.

Computer viruses used to be mostly relatively benign. I read that the malware floating around these days is getting more destructive and malicious. Sad, really.

-Vormav-
01-02-2006, 09:34 PM
As much as I want to partake in the mass panic, I'm not yet convinced that the world is coming to an end.
Seems like you could very easily selectively filter out .wmf files entirely with something like Proxomitron anyway. :shrug:

pgp_protector
01-02-2006, 09:40 PM
As much as I want to partake in the mass panic, I'm not yet convinced that the world is coming to an end.
Seems like you could very easily selectively filter out .wmf files entirely with something like Proxomitron anyway. :shrug:

But the bug also works on WMF files renamed to JPG, GIF, PNG, so filtering for WMFs only would not work.

NeOmega
01-02-2006, 10:45 PM
Anyone mind elaborating on the whole BASH Norton brigade we have going on here? Are you guys referring to its antivirus only, or the firewall as well? --- what's the problem(s)?


off topic--->

I worked for over a year in customer support, and only with Norton did I run into these two severe issues:

1) Norton, if improperly uninstalled, can cause a break in the SSL. The least severe fix for it is a system file checker.

2) Worse, sometimes, an improper uninstall of Norton will cause a break in the HAL.dll. That requires at least a repair install of windows.

Not only that, but Norton always leaves junk all over the place when uninstalled, more so than most other AVs. When people say Norton is bad, they are not kidding. Norton was our competition, as were 100 other AV/antispyware apps, but Norton by far was the most annoying to deal with. To me a program should uninstall much cleaner to rise above malware status; Norton does not clean up well enough IMO (of course, I could not tell customers this).


But the bug also works on WMF files renamed to JPG, GIF, PNG, so filtering for WMFs only would not work.

http://www.dslreports.com/forum/remark,15115819

This forum is where the best of security is discussed, and the member there, KyeU, has been releasing a lot of helpful information, as well as Proxomitron filters that filter on more than just the file extension name.

Also, formatting is a bit overkill I think; everything I am seeing installed with this exploit appears to be antispyware adware in the vein of smitfraud, smartsecurity, winfixer, spysherrif, unspy etc.... basically a desktop hijacker warning your computer is infected, and where you need to go to fix it.

-Vormav-
01-03-2006, 12:59 AM
http://www.dslreports.com/forum/remark,15150544

The filters he mentions there are exactly what I was talking about (and it does more than just check if a file has a .wmf extension - it detects some exploits for cases where files have been renamed .jpg and whatnot as well). Proxomitron is great...
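Both the Proxomitron filters mentioned in these two posts (which look at file content rather than the extension) and the Escape/SetAbortProc record ajchung described earlier come down to the same defensive check. The script below is an added Python example, not code from the thread, from KyeU's filters or from Proxomitron; the WMF header layout and record codes are assumed from the WMF file format, and the sample files it scans are constructed inline.

```python
import struct

# WMF layout constants (assumed from the WMF format, not taken from the thread).
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 little-endian, Aldus placeable header
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18                    # METAHEADER: type, hdr size, version, size, objects, max record, params
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009            # the Escape() subfunction named in the thread

def _strip_placeable(data: bytes) -> bytes:
    return data[PLACEABLE_HEADER_LEN:] if data.startswith(PLACEABLE_MAGIC) else data

def looks_like_wmf(data: bytes) -> bool:
    """Content sniff: does this blob carry a WMF header, whatever the file is named?"""
    data = _strip_placeable(data)
    if len(data) < META_HEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def find_escape_records(data: bytes) -> list:
    """Walk the record list and return (offset, escape_function) for every META_ESCAPE.
    META_EOF or an impossibly small record size ends the walk, so a bad size cannot loop."""
    if not looks_like_wmf(data):
        return []
    data = _strip_placeable(data)
    hits, pos = [], META_HEADER_LEN
    while pos + 6 <= len(data):
        rd_size_words, rd_function = struct.unpack_from("<IH", data, pos)
        if rd_function == META_EOF or rd_size_words < 3:
            break
        if rd_function == META_ESCAPE and pos + 8 <= len(data):
            hits.append((pos, struct.unpack_from("<H", data, pos + 6)[0]))
        pos += rd_size_words * 2          # rdSize counts 16-bit words, header included
    return hits

def classify(filename: str, data: bytes) -> list:
    """Findings for one file: 'wmf-disguised' when WMF content sits behind another
    extension, 'wmf-setabortproc' when an Escape/SetAbortProc record is present."""
    if not looks_like_wmf(data):
        return []
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "wmf":
        findings.append("wmf-disguised")
    if any(fn == ESCAPE_SETABORTPROC for _, fn in find_escape_records(data)):
        findings.append("wmf-setabortproc")
    return findings

# --- constructed sample files (built here, not real captures) ---------------
def _record(function: int, *params: int) -> bytes:
    body = b"".join(struct.pack("<H", p) for p in params)
    return struct.pack("<IH", (6 + len(body)) // 2, function) + body

def _wmf(records: list) -> bytes:
    body = b"".join(records) + _record(META_EOF)
    max_rec = max(len(r) // 2 for r in records) if records else 3
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (META_HEADER_LEN + len(body)) // 2, 0, max_rec, 0)
    return header + body

BENIGN_WMF = _wmf([_record(0x020C, 100, 200)])                        # META_SETWINDOWEXT only
SUSPECT_WMF = _wmf([_record(META_ESCAPE, ESCAPE_SETABORTPROC, 0)])    # marker record, no payload
REAL_JPEG = b"\xff\xd8\xff\xe0" + bytes(32)

if __name__ == "__main__":
    for name, blob in [("chart.wmf", BENIGN_WMF), ("card.jpg", BENIGN_WMF),
                       ("greeting.jpg", SUSPECT_WMF), ("photo.jpg", REAL_JPEG)]:
        print(name, classify(name, blob) or ["ok"])
```

Note that the walk trusts each record's own size field; a hardened filter would also cross-check the sizes against the header's mtSize and mtMaxRecord, which is one of the things the signature-evading variants in the ISC report played with.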

nvvm
01-03-2006, 06:34 AM
And then by linking them together, you have just exposed the workstation to all the ills of the evil interwebnets. Thus completely and utterly negating the point of having a separate and isolated PC.


I use my trusty dusty Zip 250; if that doesn't have enough space I burn a DVD full of app updates and etc. I got a cheap PC from Walmart as my "web" PC. I know I know, I could have built a better one for cheaper, but anything I build I "care" for as it's the fruits of my labor. I'd say it's annoying still because you still come up with downloads that are useful and stuff that you don't want or need on your workstation and would be a hassle to recover if lost.

ajchung
01-03-2006, 11:16 AM
Microsoft has updated their original security advisory (http://www.microsoft.com/technet/security/advisory/912840.mspx). The patch to fix the WMF vulnerability is being tested and will be released on Jan 10th. In the meantime, security specialist Steve Gibson recommends (http://www.grc.com/sn/notes-020.htm) that Windows XP/2000 users install Ilfak Guilfanov's fix (http://www.hexblog.com/2005/12/wmf_vuln.html), but remember to uninstall it prior to applying Microsoft's official patch when it is released next Tuesday. Windows ME, 98SE, 95 and before are less vulnerable since there is less automated handling of image files in those systems; however, third party applications that handle image content may still be targeted (e.g. MSPaint).

A correction to my earlier post -- apparently the WMF exploit does rely on a buffer overflow in addition to an obsolete function within GDI32 that performs insufficient checking on input data. This note (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/sec_gdi.asp) on MSDN is most revealing:
GDI generally has few security concerns because it deals with display rather than input. However, here are a few issues that you should consider.

Bitmaps, metafiles, and fonts are complex structures that could become corrupted. It is good practice to try to ensure that these items are uncorrupted and from a trustworthy source.

Microsoft thinks it is the responsibility of application level software rather than the OS for checking data for security problems.

DB3D
01-03-2006, 03:50 PM
this suuuucks. I started getting weird crap happening this weekend on my computer and this must be it. I got some serious spyware all of a sudden. I keep trying to use things like Ad-Aware but it just won't take it off. I guess I might have to format my drive.

strangelife
01-03-2006, 09:14 PM
this suuuucks. I started getting weird crap happening this weekend on my computer and this must be it. I got some serious spyware all of a sudden. I keep trying to use things like Ad-Aware but it just won't take it off. I guess I might have to format my drive.

Get in my boat, tracer. I unsuccessfully helped a friend this weekend with some sucky, leechy, adware crap that refused to leave after multiple Spybot, Ewido, Ad-Aware checks. Damn hacker quacks. They slimed us.

RobertoOrtiz
01-04-2006, 02:16 AM
Microsoft Prepares Patch for Windows Flaw

Quote:
"Microsoft said Tuesday it has created a patch for the flaw in its Windows operating system but needs to test it first. The software giant said it hopes to release the patch as part of its regular monthly security updates next Tuesday."

>>LINK<< (http://news.yahoo.com/s/ap/20060103/ap_on_hi_te/microsoft_security;_ylt=AtZXZTt.9K6B8n5oEATQ9u2s0NUE;_ylu=X3oDMTA3cjE0b2MwBHNlYwM3Mzg)

-R

halloween
01-05-2006, 10:06 PM
MS patch is out. :)

Security Update for Windows XP (KB912919) (http://www.microsoft.com/downloads/details.aspx?FamilyID=0c1b4c96-57ae-499e-b89b-215b7bb4d8e9&DisplayLang=en)

Security Update for Windows Server x64 Edition (KB912919) (http://www.microsoft.com/downloads/details.aspx?FamilyID=a8f4dcba-5d28-4d9d-a6a4-3b71108cfe2d&DisplayLang=en)

Security Update for Windows XP x64 Edition (KB912919) (http://www.microsoft.com/downloads/details.aspx?FamilyID=3a1166e6-5e9e-4e73-bcd4-28eca6ece877&DisplayLang=en)

Security Update for Windows Server 2003 (KB912919) (http://www.microsoft.com/downloads/details.aspx?FamilyID=1584aae0-51ce-47d6-9a03-db5b9077f1f2&DisplayLang=en)

Security Update for Windows 2000 (KB912919) (http://www.microsoft.com/downloads/details.aspx?FamilyID=aa9e27bd-cb9a-4ef1-92a3-00ffe7b2ac74&DisplayLang=en)

Saurus
01-06-2006, 05:33 PM
Rant on this page died quickly...:curious:

chrisWhite
01-06-2006, 07:32 PM
I installed it, I assume people are saying it does the job?

Beamtracer
01-06-2006, 11:00 PM
I told a friend it is better to use the Firefox (http://www.mozilla.com/firefox/) web browser, as it is a little bit more secure than Internet Explorer in situations like this. In this situation, Firefox blocks pop-up windows that could contain infected images.

In other security scenarios, Firefox has done better because in its default setting it is immune to the ActiveX exploits that plague Internet Explorer.

So he downloaded Firefox and has been using it as his browser for some time. I said he should now download the patch for the '.wmf' exploit that Microsoft has posted.

So he goes to the MS website, only to find that Microsoft's website is configured to detect what browser you are using, and if Microsoft detects you are using Firefox, they will not give you that patch. Microsoft's website presents this message:

http://img248.imageshack.us/img248/5271/exploiter5hs.gif

I think this really stinks!

It's also ironic, given that Internet Explorer is responsible for a fair proportion of the adware/spyware/malware exploits over recent times.

Klowno
01-06-2006, 11:12 PM
Worked fine for me to dl it with firefox

-Vormav-
01-06-2006, 11:16 PM
Worked fine for me in Opera as well. :shrug:

thatoneguy
01-06-2006, 11:18 PM
Anyone mind elaborating on the whole BASH Norton brigade we have going on here? Are you guys referring to its antivirus only, or the firewall as well? --- what's the problem(s)?

I'll Google it once some valid, not biased, issues are brought up...

otherwise, I haven't had any problems related to it (that I know of).

How Norton is a virus:

It causes programs other than itself to become less stable.

It slows down my internet.

It slows down my computer.

It creates pop-up prompts every 5 minutes.

It takes up vast amounts of system memory.

When you try to uninstall it, it leaves crap all over your computer, most of which is impossible to find and delete. When you uninstall it, it breaks common applications, such as Microsoft Office.

And much much much more.

Beamtracer
01-06-2006, 11:28 PM
Worked fine for me to dl it with firefox
Thanks for that info. I see what is happening now.

If you go via Microsoft's main page and follow the links to the patch, it will block Firefox and Opera users.

If you follow the direct links that were posted here (previous page) then you can get through to the download.

Example: If you go via Microsoft's Security page and click on "1, Install the update" it will block anyone using Firefox or Opera.
http://www.microsoft.com/athome/security/update/bulletins/200601_WMF.mspx

But now we have a direct link (previous page) we can bypass the browser checking blocks that are in place.

I would hate to think they were taking advantage of the '.wmf' flaw to push their other products (Internet Explorer).

-Vormav-
01-06-2006, 11:29 PM
How Norton is a virus:

It causes programs other than itself to become less stable.

It slows down my internet.

It slows down my computer.

It creates pop-up prompts every 5 minutes.

It takes up vast amounts of system memory.

When you try to uninstall it, it leaves crap all over your computer, most of which is impossible to find and delete. When you uninstall it, it breaks common applications, such as Microsoft Office.

And much much much more.
Better than their firewall at least...where their "disable firewall" option is really a "make the user think the firewall is disabled" option. Five minutes with Norton's firewall is all it takes to make me go insane.

nitindesign
01-06-2006, 11:40 PM
When I use MS updater I get the following option-

"Windows Genuine Advantage Validation Tool (KB892130)
443 KB , less than 1 minute
The Windows Genuine Advantage Validation Tool enables you to verify that your copy of Microsoft Windows is genuine. The tool validates your Windows installation by checking Windows Product Identification and Product Activation status. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed.


Total: 443 KB , less than 1 minute"

Everything is legal on my PC but for some reason I don't like the sound of that message. Is it that I need to install that and only then it will show me the other updates OR is that the only update currently available for my machine? CONFUSED

-Vormav-
01-06-2006, 11:44 PM
You only get access to the updates after you run that validation tool (don't worry, it's small and fast). Of course, if you do a quick Google search, you can probably find other sites to download the patch from.

nitindesign
01-06-2006, 11:56 PM
You only get access to the updates after you run that validation tool (don't worry, it's small and fast). Of course, if you do a quick Google search, you can probably find other sites to download the patch from.

Ok cool I will run the validation tool then :thumbsup:

PhilOsirus
01-07-2006, 12:14 AM
I got the patch but I wonder how to re-enable thumbnail view? It was disabled with some command prompt function to protect myself against the virus.

-Vormav-
01-07-2006, 12:17 AM
Phil - just type this in the Run prompt:

regsvr32 %windir%\system32\shimgvw.dll

PhilOsirus
01-08-2006, 12:52 AM
Thanks, it worked!

CGTalk Moderation
01-08-2006, 12:52 AM
This thread has been automatically closed as it remained inactive for 12 months. If you wish to continue the discussion, please create a new thread in the appropriate forum.