Foo - Windows users: New Patch for WMF exploit

mechBgon
12-28-05, 06:38 PM
~ Resolution ~ The official patch is available 5 days ahead of initial schedule! See instructions below.
1) IF you happen to be such a tech-head that you enabled a Software Restriction Policy, then either set it to not apply to local Administrators, or revert it to Unrestricted.
2) Uninstall the UNofficial patch if you used it. Then reboot.
3) Go to http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx, scroll down to Affected Software and Download Locations and expand it with the + sign. Click the link next to your version of Windows, and go get your patch :)
4) Reboot the computer after installing the patch.
5) After the reboot, if you had unregistered the Windows Picture & Fax Viewer, you can now re-register it with the command regsvr32 %windir%\system32\shimgvw.dll (paste this into Start > Run and click OK).
(no, there's no patch for Win98, WinME, or Win95 or Win3.11. They're past the end-of-life phase, folks :()
~ Update 5 ~ This exploit is now being used in Spam emails, Instant Messaging worms, banner advertisements (!) and thousands of malicious websites. An unofficial but reputable patch has been added to the Actions list below, and is said to work for Windows2000 and WindowsXP.
If your computer displays a maliciously-constructed .WMF image file (in an email, on a web page, etc), this exploit will run itself without you doing anything. So just visiting a website that's displaying one of these pictures is enough to get infected. There are tons of other ways this could be used to infect you, so take precautions or you may end up face-down in a huge pile of nightmare spyware/adware/viruses/Trojans.
Actions
If you have WindowsXP or Windows2000, download and run this unofficial patch: get the patch from here (http://www.hexblog.com/2005/12/wmf_vuln.html). Once the vulnerability has been patched "officially" by Microsoft, you can uninstall this unofficial patch using the Add/Remove Programs in Control Panel, it'll be listed. Disclaimer: I haven't tested this on a Windows2000 computer but the Internet Storm Center says it's ok (http://isc.sans.org/diary.php?date=2006-01-01). This patch is endorsed by F-Secure (antivirus company), the Internet Storm Centre, and by Sunbelt (antispam/antispyware/firewall vendor) as the best single blanket defense.
If you have WindowsXP, also click Start > Run, paste this into the box and click OK:
regsvr32 -u %windir%\system32\shimgvw.dll
This "switches off" the most vulnerable piece of WindowsXP for the moment. Once the vulnerability has been patched, you can switch it back on with this command (same one except no -u in it):
regsvr32 %windir%\system32\shimgvw.dll
If you have WindowsXP with Service Pack 2, enable Data Execution Prevention completely. Right-click My Computer on your desktop screen or Start menu, and choose Properties. Then do like shown in the picture below. This will only help if your computer's CPU has "hardware DEP" support. If you're curious whether your CPU has hardware DEP capabilities, feel free to ask in the thread :)
http://www.mechbgon.com/build/DEP.gif
Update your antivirus software's signatures. Checking for updates a couple times a day would not be overkill.
If your antivirus software is old-version stuff, get a current-generation version of it. If your antivirus software is a version more than a year old, it's time to move on.
If you have no antivirus software, consider using a basic free one, or install a trial version of a big-name one.
I recommend Kaspersky Antivirus Personal 5 if you want to buy one. 30-day trial version (http://www.kaspersky.com/trials). Video clip showing how to configure it for maximum protection: right-click this link and Save Target (http://www.omnicast.net/~tmcfadden/movies/kaspersky_config.wmv)
You can also get trial versions of McAfee's home-user stuff from this page (http://download.mcafee.com/us/eval/evaluate2.asp) and Symantec/Norton's from this page (http://www.symantec.com/purchase/purchase_global_trialware.html).
The free version of AntiVir is generally regarded as the best freebie antivirus for Windows (from a detection standpoint): http://www.free-av.com You must run the updates manually, and it downloads the whole virus database every time, so it's a bit unwieldy for dial-up users.
Don't use more than one antivirus software at a time, because they can clash.
Visit the Windows Update web site (http://update.microsoft.com) every few days to get a patch for the vulnerability when it's ready. I'd guess Microsoft will take swift action on this vulnerability and have a patch ready in a few days.
Enabling the Automatic Updates feature on WindowsXP or Windows2000 would be another way to get the patch as quickly as practical.
http://mechbgon.com/build/AutoUpdates.gif
Look for the Automatic Updates feature in Control Panel
If you have Microsoft Office2000 or later, check your system at the Office Update site (http://office.microsoft.com/en-us/officeupdate/default.aspx) as well. You may need to go back for several rounds of updates if you're way out-of-date.
If you have Google Desktop installed, check for updates for it frequently and consider disabling it for now, since it has already been documented by F-Secure (http://www.f-secure.com/weblog/archives/archive-122005.html#00000753) that Google Desktop will auto-infect systems when a malicious .WMF file arrives. This is why I'm thinking these could easily spread via P2P networks, since the arrival of the file would trigger exploitation on systems with Google Desktop installed.
Hope that helps someone :)
Microsoft's preliminary bulletin (http://www.microsoft.com/technet/security/advisory/912840.mspx), for those who are interested.
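A defender-side check to go with the warning above about maliciously-constructed .WMF files, added here as an example; it is not part of mechBgon's post or of any tool the thread links. It walks the record list of a Windows Metafile and flags the META_ESCAPE record carrying the SETABORTPROC sub-function, which is how the exploit files for the January 2006 bulletin hand GDI a callback; the record layout and the constant values come from the public WMF format documentation, not from this thread. Both sample files are constructed in memory with zero-filled escape data, so nothing is written to disk and nothing executable is embedded.

```python
import struct

# WMF constants from the public Windows Metafile format documentation
# (assumption: these values are not quoted anywhere in the thread).
PLACEABLE_KEY   = 0x9AC6CDD7   # Aldus placeable header magic; a 22-byte prefix when present
META_EOF        = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE     = 0x0626
SETABORTPROC    = 0x0009       # escape sub-function the WMF exploit files request

# mtType, mtHeaderSize (words), mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
METAHEADER = "<HHHIHIH"


def parse_records(data: bytes):
    """Yield (offset, function, params) per record; raise ValueError on a malformed file."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + struct.calcsize(METAHEADER):
        raise ValueError("truncated METAHEADER")
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF METAHEADER")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                          # rdSize counts itself and rdFunction
            raise ValueError(f"record at {off}: impossible size {size_words} words")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at {off}: runs past end of data")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")


def find_setabortproc(data: bytes) -> list:
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append(off)
    return hits


def scan(data: bytes) -> str:
    """'clean', 'suspicious' (SETABORTPROC escape present) or 'malformed'.
    A file that will not parse is reported on its own: exploit files are often
    deliberately malformed, so 'malformed' deserves a look as well."""
    try:
        hits = find_setabortproc(data)
    except ValueError:
        return "malformed"
    return "suspicious" if hits else "clean"


# --- constructed sample input (not real malware) ---
def record(func: int, params: bytes = b"") -> bytes:
    body = struct.pack("<H", func) + params
    if len(body) % 2:                               # records are whole 16-bit words
        body += b"\0"
    return struct.pack("<I", (4 + len(body)) // 2) + body


def build_wmf(records: list) -> bytes:
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack(METAHEADER, 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


CLEAN_WMF = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8)), record(META_EOF)])
SUSPECT_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"\0" * 16),  # zero-filled escape data
    record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WMF), ("suspect", SUSPECT_WMF), ("truncated", SUSPECT_WMF[:30])):
        print(f"{name}: {scan(blob)}")
```

Legitimate image files essentially never carry a SETABORTPROC escape, so the check has a low false-positive rate; the point of keeping `malformed` as a separate verdict is that a scanner which silently skipped unparseable files would miss exactly the files an attacker is most likely to ship.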
chipcom
12-28-05, 06:52 PM
Don't forget ClamWin, which is open source and free.
http://www.clamwin.com/
mechBgon
12-28-05, 06:59 PM
Don't forget ClamWin, which is open source and free.
http://www.clamwin.com/
Good one :) and here's another that's free for home use (although not open-source): Avast (http://www.majorgeeks.com/download1968.html) This one has automatic updates and doesn't take a long time to update, although its tested detection rates tend to be a little lower. How's the update speed on Clam, are the updates pretty small?
More security resources and stuff here... firewalls, spyware removal/prevention, etc: Consolidated Security Thread (http://forums.anandtech.com/messageview.aspx?catid=33&threadid=1658987&enterthread=y)
CMcMahon
12-28-05, 07:02 PM
"Windows users: just use Linux" seems like a better thread title.
mechBgon
12-28-05, 07:06 PM
"Windows users: just use Linux" seems like a better thread title.
Do you want me to alert everyone to the new Linux worm in this thread, or shall I start another? :)
:D
Woah lol. I don't know if this is the same thing, but since I was downloading a ton of songs the last few days on my shareware and then all of a sudden 43 internet explorers popped up at the same time. I was like shoot. Then I restarted my comp and all the songs were gone :mad:! I did the full destructive system recovery for my comp and the next day I open Ares, click on a paused song that was there when I reinstalled Ares and now 53 IE's popped up. And if I click |X|, more pop up :( .
phantomcow2
12-28-05, 08:25 PM
I've got to say, since switching to Fedora Core, not having to worry about a new critical update 1-2x a week is nice
mechBgon
12-28-05, 08:38 PM
Woah lol. I don't know if this is the same thing, but since I was downloading a ton of songs the last few days on my shareware and then all of a sudden 43 internet explorers popped up at the same time. I was like shoot. Then I restarted my comp and all the songs were gone! I did the full destructive system recovery for my comp and the next day I open Ares, click on a paused song that was there when I reinstalled Ares and now 53 IE's popped up. And if I click |X|, more pop up.
Can I suggest that you try out that 30-day trial of Kaspersky and configure/update it like my lil' movie shows, then run a full scan? It's good stuff :) It uninstalls cleanly if you decide not to purchase after the 30 days.
I have Norton antivirus, is that ok? But I haven't fully installed it.
bigskymacadam
12-28-05, 08:51 PM
avast is pretty good at catching the exploit. mcafee catches half, but let's an smtp server install. the port blocking however stops traffic, but it's lame that there's still exe's running.
i'm gonna try that clamwin ... see what that catches.
when do i found out if this clam crap caught anything?
Funny, one of those files just appeared on my desktop on my mac... great to use mac!
MadMan2k
12-28-05, 10:48 PM
EJ: I'd recommend using a different browser, and some anti-spyware programs. I use Opera (http://opera.com/), but Firefox (http://www.mozilla.com/firefox/) is very good too. For anti-spyware, I recommend Microsoft AntiSpyware (http://www.majorgeeks.com/Microsoft_Windows_AntiSpyware_d4466.html).
And, if you don't have them, Ad-Aware (http://www.lavasoftusa.com/support/download/) and Spybot (http://www.safer-networking.org/en/download/) are good to run every couple weeks, to check for problems. But if you use programs that are full of spyware, you'll have to uninstall those before you can remove the stuff with any tool...
Some of these viruses worry me more than a little, but I don't trust antivirus programs much... Norton seems to be good as far as keeping stuff off (not removing it, mind you), but the 2006 version is so bloated it's ********. Not to mention if the install corrupts (which... is gonna happen... a lot...), it's a lot more of a pain in the rear to remove and reinstall than the previous versions were. I thought 2005 was the worst piece of software they ever labeled as an antivirus program until they released 2006.
I'll stick to my DOS-based McAfee scan with the latest free definitions, but only to be used after the fact :p
Of course, that's a bad policy, that's what backups are for.
mechBgon
12-29-05, 12:21 AM
I have Norton antivirus, is that ok? But I haven't fully installed it.
Based on what you said about 50 browser windows opening, it seems rather likely that your protection isn't working. You might want to try uninstalling Norton, installing the Kaspersky trialware, configuring it, updating it, and running a full system scan.
*keeps trying to herd the cats*
blue_neon
12-29-05, 12:31 AM
Thanks for all of the mechBgon! Just updated anti-virus, I'll check for some Windows updates now while I'm at it!
http://forum.ski.com.au/ultimate/graemlins/beer.gif
blue_neon
12-29-05, 12:49 AM
Pathetic Microsoft, just been to those update sites. Hopeless, shakes my head with shame at them once more. Yes I hate Microsoft and that's why I don't use or try not to use any of their software, but what bugs me...you need to USE Internet Explorer to visit the site and DOWNLOAD the updates. Sorry, no better browsers allowed, pathetic they are, their only way of getting people to actually use the sh5t house program.
Unless of course there is a good explanation ;)
mechBgon
12-29-05, 01:01 AM
Pathetic Microsoft, just been to those update sites. Hopeless, shakes my head with shame at them once more. Yes I hate Microsoft and that's why I don't use or try not to use any of their software, but what bugs me...you need to USE Internet Explorer to visit the site and DOWNLOAD the updates. Sorry, no better browsers allowed, pathetic they are, their only way of getting people to actually use the sh5t house program.
Unless of course there is a good explanation ;)
The Windows Update site uses ActiveX to figure out what you need, and Internet Explorer is the browser with ActiveX capabilities. Buuuuut... if you simply enable Automatic Updates in Control Panel, then you don't even need to visit their site at all, the computer will just check daily to see if it's got everything or not. That any help? :)
http://mechbgon.com/build/AutoUpdates.gif
Microsoft now has a preliminary bulletin up regarding this exploit. They said that the exploit only gains the privilege level of the user. That's welcome news.
blue_neon
12-29-05, 01:27 AM
Oh I see! That's good to know, I didn't know about that Update thing in Control Panel, well I've seen it but never used it. Then again, I haven't updated in a looooong time so it's going to take a while to get it all installed and up to date, I still hope it all works since it's torture downloading these on dialup :(.
mechBgon
12-29-05, 01:35 AM
I'm on dial-up too, it stinks! :( If you happen to have Windows XP with Service Pack 2 installed, then see the first post for another safeguard that you can switch on (Data Execution Prevention), the big picture shows it.
If you don't have Service Pack 2 yet, you can order it on a CD-ROM for the cost of shipping too: international ordering page (http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx)
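The DEP safeguard mechBgon points back to is set through the System Properties dialog, but on Windows XP SP2 the setting actually lives in boot.ini as the `/noexecute` switch, so an administrator can audit it across machines without clicking through the GUI. The script below is an added example, not something from the thread or from Microsoft: it parses a constructed boot.ini, reports the effective DEP policy for each boot entry (OptIn is the XP SP2 default when the switch is absent; OptOut is the "all programs and services except those I select" setting the first post recommends) and marks entries where DEP is not on for everything. The policy names and the OptIn default come from Microsoft's public DEP documentation; as the first post notes, the switch only means anything on a CPU with hardware DEP.

```python
import re

# DEP policies accepted by the boot.ini /noexecute switch on Windows XP SP2
# (assumption: taken from public Microsoft documentation, not from the thread).
DEP_POLICIES = {
    "optin":     "only Windows system binaries are protected (XP SP2 default)",
    "optout":    "all programs protected except those listed as exceptions",
    "alwayson":  "all programs protected, no exceptions possible",
    "alwaysoff": "DEP disabled",
}
STRONG = {"optout", "alwayson"}       # the settings the first post is asking for


def parse_boot_ini(text: str) -> list:
    """Return [(arc_path, description, switches)] for each [operating systems] entry."""
    entries, in_os = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
            continue
        if not in_os:
            continue
        # ARC path, quoted menu text, then the boot switches
        m = re.match(r'([^=]+)="([^"]*)"(.*)$', line)
        if m:
            entries.append((m.group(1).strip(), m.group(2), m.group(3).split()))
    return entries


def dep_policy(switches: list) -> str:
    """Effective /noexecute value, lower-cased; 'optin' when the switch is absent."""
    for sw in switches:
        if sw.lower().startswith("/noexecute="):
            return sw.split("=", 1)[1].lower()
    return "optin"


def audit(text: str) -> list:
    """[(description, policy, ok)] per boot entry; ok is False where DEP is not on for all programs."""
    result = []
    for _path, desc, switches in parse_boot_ini(text):
        pol = dep_policy(switches)
        result.append((desc, pol, pol in STRONG))
    return result


# Constructed boot.ini: the stock OptIn entry, the hardened OptOut entry the
# thread recommends, and an older entry with the switch missing altogether.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Windows XP (DEP for all programs)" /NoExecute=OptOut /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\\WINDOWS="Windows XP (old entry)" /fastdetect
"""

if __name__ == "__main__":
    for desc, pol, ok in audit(SAMPLE_BOOT_INI):
        flag = "OK " if ok else "WEAK"
        print(f"{flag} {desc!r}: {pol} ({DEP_POLICIES.get(pol, 'unknown value')})")
```

Reading boot.ini on a live machine needs the file's system/hidden/read-only attributes cleared or an elevated shell, which is why the example works from a string; feed it the real file's contents and the audit runs unchanged.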
blue_neon
12-29-05, 02:13 AM
Nope, no XP for me.
Great, I've done an install of some major service pack and it's asking me for the 2000 SR-1 CD...which I don't think I have :S. I have the second one.
blue_neon
12-29-05, 02:19 AM
Nope can't find it :(. I discovered an ancient Windows 95 and Windows 97 install but I can't locate the SR-1 disk for Office 2000! What a waste of downloading 11 MB on dialup :(.
mechBgon...will ANY SR-1 disk do? If I got one off a friend or something, would it still work with what is required to install these updates?
mechBgon
12-29-05, 02:26 AM
Nope can't find it :(. I discovered an ancient Windows 95 and Windows 97 install but I can't locate the SR-1 disk for Office 2000! What a waste of downloading 11 MB on dialup :(.
mechBgon...will ANY SR-1 disk do? If I got one off a friend or something, would it still work with what is required to install these updates?
I think it would work as long as the disk is 1) the right Service Pack level, 2) the same type (Office2000 Pro/Small-Biz/whatever), and 3) it's the right sort (OEM versus Retail-boxed). As far as I know, Office2000 CDs aren't unique-ified to where it would pout and demand YOUR disc, I think it just wants to use the source files.
If your original disc is the no-Service-Packs version and you've just got Service Pack 1a downloaded, then brace for this: next up is Service Pack 3, and then about 9 more post-SP3 patches :eek:
*flees from hail of rotten tomatoes*
blue_neon
12-29-05, 02:35 AM
*start>programs>internet explorer...update site.......................................check for updates....30% complete......50%.......60%..............70%......90%....99%.........*
:o:o:o...hmm I am being asked to download service pack 3...then 6 more smaller updates (security etc.). Pheff.
If I can't get access to the SR-1 disk, can I like contact Microsoft or someone to get one posted or what?
blue_neon
12-29-05, 03:01 AM
Yay I found the CD, plus I didn't have to download it again! It's now installing them :).
mechBgon
12-29-05, 04:25 PM
Good to hear you survived that :)
I hope people don't underestimate the potential of this threat. This exploit has now been added to rotational banner advertisements, folks.
See this video clip by Sunbelt's security researchers if you want to see how easily you can get hit: http://www.sunbelt-software.com/ihs/alex/wmf_freecat122905.wmv Don't let this be you.
http://forums.anandtech.com/i/expressions/devil.gif~ heeeeed myyyyyyy warninggggggg
mechBgon
12-30-05, 04:15 AM
The original post is updated with another countermeasure.
Win98... I'm lovin' it :D
mechBgon
12-30-05, 10:10 AM
Win98... I'm lovin' it :D
Stacey, from Microsoft's preliminary info, it looks like Win98 and WinME are both affected, as well as Win2000 and WinXP. :(
http://www.mechbgon.com/misc/affected.gif
But you have up-to-date antivirus, right? Steady as she goes, Sulu :)
How possible is it for a virus to hit my "back up harddrive", which is D, if my regular C hp pavillion drive is messed up?
mechBgon
12-30-05, 10:31 AM
How possible is it for a virus to hit my "back up harddrive", which is D, if my regular C hp pavillion drive is messed up?
It would be trivially easy. But it's also easy to check for infection, try that Kaspersky trialware I mentioned :) After installing it, do an update. It'll need a reboot afterwards. Then after the reboot, configure it as shown in my demo movie, and then launch a full scan and see what it finds (if anything).
Stacey, from Microsoft's preliminary info, it looks like Win98 and WinME are both affected, as well as Win2000 and WinXP. :(
http://www.mechbgon.com/misc/affected.gif
But you have up-to-date antivirus, right? Steady as she goes, Sulu :)
Dayum them bastids!
Yep... NAV on one machine, Avast on another to give us redundancy on the LAN. Plus each station has its own Ad-Aware & SpyBot.
mechBgon
12-30-05, 11:42 AM
Dayum them bastids!
Yep... NAV on one machine, Avast on another to give us redundancy on the LAN. Plus each station has its own Ad-Aware & SpyBot.
Cool :) On NAV, you might want to
(1) check that the real-time protection has the Heuristics enabled and maxed out, and the scanning within compressed files enabled too,
and (2) if it's an older version of NAV (pre-2006) where it updates only once a week, then you may like this: Symantec/Norton Intelligent Updater (http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html), which they update daily (or more often) so you can cut down on the window of opportunity :)
Cool :) On NAV, you might want to
(1) check that the real-time protection has the Heuristics enabled and maxed out, and the scanning within compressed files enabled too,
and (2) if it's an older version of NAV (pre-2006) where it updates only once a week, then you may like this: Symantec/Norton Intelligent Updater (http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html), which they update daily (or more often) so you can cut down on the window of opportunity :)
We've got Norton '05, with Intelligent Updater in it. We had to turn it off and go to manual update because the computer would lock up due to lack of memory resources. Suggestions there?
mechBgon
12-30-05, 08:05 PM
We've got Norton '05, with Intelligent Updater in it. We had to turn it off and go to manual update because the computer would lock up due to lack of memory resources. Suggestions there?
Sorry it took me so long to get to this. Does this page seem to describe the issue? http://symantec.atgnow.com/consumer/resultDisplay.do?gotoLink=220&docType=1000&contextId=8392%3A220.312&clusterName=ConsumerCluster&contentId=61bced0f-010d-492a-a554-2566ee4a6ee0&responseId=a7a613d67668be41%3A1b1fbf4%3A1087e71752e%3A-449b&groupId=1&answerGroup=1&score=637&page=http%3A%2F%2Fservice1.symantec.com%2Fsupport%2Fsharedtech.nsf%2Fpfdocs%2F2003052213333013&result=0&excerpt=When+you+run+LiveUpdate%2C+you+see+the+message+%26quot%3BLiveUpdate+could+not+get+enough+memory+to+run.&resultType=5000#
That page seems to be implying that the computer could actually be running out of virtual memory (disk space used in lieu of actual RAM). If your hard drive is chock-full, then I guess that would be plausible. Norton's stuff is known for having a pretty big "footprint" with lots of processes going. I suppose you already tried simply shutting down all non-essential stuff, so maybe try their suggestion of emptying the Temp folder? Also go to Control Panel > Internet Options and see what your Internet Exploder cache size is set for... I use a setting of 4MB so it doesn't get too out-of-hand :)
Sorry it took me so long to get to this. Does this page seem to describe the issue? http://symantec.atgnow.com/consumer/resultDisplay.do?gotoLink=220&docType=1000&contextId=8392%3A220.312&clusterName=ConsumerCluster&contentId=61bced0f-010d-492a-a554-2566ee4a6ee0&responseId=a7a613d67668be41%3A1b1fbf4%3A1087e71752e%3A-449b&groupId=1&answerGroup=1&score=637&page=http%3A%2F%2Fservice1.symantec.com%2Fsupport%2Fsharedtech.nsf%2Fpfdocs%2F2003052213333013&result=0&excerpt=When+you+run+LiveUpdate%2C+you+see+the+message+%26quot%3BLiveUpdate+could+not+get+enough+memory+to+run.&resultType=5000#
That page seems to be implying that the computer could actually be running out of virtual memory (disk space used in lieu of actual RAM). If your hard drive is chock-full, then I guess that would be plausible. Norton's stuff is known for having a pretty big "footprint" with lots of processes going. I suppose you already tried simply shutting down all non-essential stuff, so maybe try their suggestion of emptying the Temp folder? Also go to Control Panel > Internet Options and see what your Internet Exploder cache size is set for... I use a setting of 4MB so it doesn't get too out-of-hand :)
Thanks.
We run pretty lean here. The machine in question has a 37 gig HD with only 1.39 GB used. When I get some time this afternoon I'll look at the Temp Folder and IE cache (tho' Firefox is default browser on our machines) Also, I don't think there's too much start-up bloat but again, I'll check that out as well.
mechBgon
12-31-05, 08:34 AM
The WMF exploit is now being used by an Instant Messaging worm which uses the exploit to install a Kelvir worm on the victim's computer. http://www.viruslist.com/en/weblog There'll be more, so be careful what you click out there, everyone :)
mechBgon
01-01-06, 01:51 AM
Update #5, with an additional safeguard at the top of the Actions list. If you're starting to get the idea that this is serious...? ;) Yeah, you're getting the picture now (no pun intended).
ChAnMaN
01-01-06, 02:17 AM
Good to hear you survived that :)
I hope people don't underestimate the potential of this threat. This exploit has now been added to rotational banner advertisements, folks.
See this video clip by Sunbelt's security researchers if you want to see how easily you can get hit: http://www.sunbelt-software.com/ihs/alex/wmf_freecat122905.wmv Don't let this be you.
http://forums.anandtech.com/i/expressions/devil.gif~ heeeeed myyyyyyy warninggggggg
This is all great, grand and wonderful but you have to understand my reluctance to download all these files you're throwing out there. That one link for the patch wasn't a Microsoft download, how do we know these are legit? I mean I'd rather take my chances with the "exploit" than just go downloading .exe files based off someone I don't know's word.......now that's a good way to efff up your computer.
mechBgon
01-01-06, 04:42 AM
This is all great, grand and wonderful but you have to understand my reluctance to download all these files you're throwing out there. That one link for the patch wasn't a Microsoft download, how do we know these are legit? I mean I'd rather take my chances with the "exploit" than just go downloading .exe files based off someone I don't know's word.......now that's a good way to efff up your computer.
If it helps, that patch is endorsed by F-Secure, the Internet Storm Center, and Sunbelt. So that's a major antivirus provider, an independent security body, and an antispyware/firewall maker. And speaking for myself, I'm an Elite Member of the AnandTech community with over 23000 technical-support posts, PLUS I'm a former LBS mechanic (whether that makes me good or evil, I'm not sure ;)).
Sunbelt reports that they got word from McAfee that 6% of McAfee's customers have already been infected in about the last 24 hours alone. That has to be a staggering number of people. Your move, my friend... :)
You can see the more comprehensive thread that I posted at AnandTech here for my fellow computer junkies: http://forums.anandtech.com/messageview.aspx?catid=42&threadid=1770474&enterthread=y This link may be broken if the moderators grant my request and move the thread into a higher-traffic section as a sticky, so if that link stops working, look for it as a sticky in Off-Topic (http://forums.anandtech.com/categories.aspx?catid=38&flcache=5542908&entercat=y).
mechBgon
01-01-06, 04:52 AM
Readie-read: http://sunbeltblog.blogspot.com/
phantomcow2
01-01-06, 07:32 AM
THread stickied for a little while. Update your damn windows folks!
mechBgon
01-01-06, 11:55 AM
Hmmmmm..........doesn't appear to work with my crappo 2000 ME :mad:
Pop-up say 'incompatible'
MechBgon, using some GREAT stuff you showed me a month or so ago I was able to clean out a nasty, replicating .BOK trojan but me or it did some irreparable damage to my system (.dll and .ini file trashing :eek: ) and combined with movers losing a box of my software in our move I don't have restore disks. Ok....I tried to put a copy of XP on the machine (purchased of course) when the register was damaged, as in IE / Windows wouldn't even load, and the XP told me that since it couldn't find a previous copy of Windows on my machine it would not install. Now, Windows loads in a very ravaged but workable state.
If I buy another copy and it gives me the same message is there a work-a-round to get it to load or should I just buy a MAC :p ???
This HP rig is old and decrepit but it shows no signs of failing or problems other than the software issues. It has a lot of stuff I need on it and I really don't see a need to buy a new flamethrowing rig if some software will fix it.
As always, your advice is more than appreciated !!
Here are my preliminary questions to get started
1) The WindowsXP that you picked up... is it retail-boxed, or is it OEM?
2) If it was retail-boxed, then is it the Upgrade version, which would have UPGRADE on the box, or is it the full version?
3) Is it Home Edition or is it Professional Edition?
4) Did your HP come with (and do you still have) a Microsoft WindowsME CD-ROM disc, or just with their System Restoration discs? It might not be super-obvious, you could post pics of the CD-ROM discs if you're not sure whether they are or not. The reason I ask is because even an Upgrade version of retail WinXP can do a clean install, it'll just ask to see your previous Windows CD-ROM disc along the way so it knows you have a qualifying previous version of Windows, justifying your Upgrade.
The pic below shows a retail-boxed, UPGRADE version of WinXP Pro, for a visual:
http://images10.newegg.com/NeweggImage/productimage/37-116-196-01.JPG
-=(8)=-
01-01-06, 04:28 PM
Here are my preliminary questions to get started
1) The WindowsXP that you picked up... is it retail-boxed, or is it OEM?
2) If it was retail-boxed, then is it the Upgrade version, which would have UPGRADE on the box, or is it the full version?
3) Is it Home Edition or is it Professional Edition?
4) Did your HP come with (and do you still have) a Microsoft WindowsME CD-ROM disc, or just with their System Restoration discs? It might not be super-obvious, you could post pics of the CD-ROM discs if you're not sure whether they are or not. The reason I ask is because even an Upgrade version of retail WinXP can do a clean install, it'll just ask to see your previous Windows CD-ROM disc along the way so it knows you have a qualifying previous version of Windows, justifying your Upgrade.
The pic below shows a retail-boxed, UPGRADE version of WinXP Pro, for a visual:
http://images10.newegg.com/NeweggImage/productimage/37-116-196-01.JPG
I did lose all restore hardware for the HP in my move from PA to Vt so right now I have nothing to 'tell' future software about what is on the machine. I'm going to look around in BIOS and see if a serial number isn't listed somewhere.
The XP I purchased was a Home UPGRADE from Staples and it would go about 2 minutes into the 'checking system' mode and then say it couldn't continue. But, that was when nothing would load, not even the junk ME. I did a reg_restore and got it to load again which is the way it is now. Windows loads but I lost a lot of stuff, one of them being the email program.
I contacted Microsoft and they said it's an HP issue and HP want $$$$$ just to answer the question.
:mad:
I'm wondering if, because the ME loads now, and it didn't before, if it could read it now ?
mechBgon
01-01-06, 04:47 PM
If it was me, I'd back up my data and then give it a try :) Otherwise, two options:
1) buy a WinXP Home Edition OEM CD and license and a new hard drive (has to be bought with hardware, and at that age you probably should get a new hard drive anyway). WinXP OEM is always full-version. It cannot do upgrades, however, only clean installations. Also, you are only supposed to install it on that system, and then never on any other system even if you were to uninstall it from the HP first. It's a one-shot license that is "married" to the first computer it's installed on, from a legal standpoint.
2) buy a WinXP retail full version, which costs twice as much as OEM but no need to buy hardware, no permanent "marriage" of the license to the first computer it's installed on. That's what I picked this last time, a WinXP Pro Full Version retail one, because I have Mad Upgrader Disease and am always buying new hardware. I can stop any time I feel like, however!! :o Honest!
Either of those could do a full install from scratch. Any programs that came with the HP would be lost.
MechBgon,
I pretty much have all of my spyware/virus protection products up to date (Microsoft AntiSpyware, Spybot S&D, Ad-Aware, Pest Patrol, McAfee). Well not pretty much, I do! I also run Microsoft AntiSpyware every day. Also I am getting Norton soon. Do I need to do the thing you were talking about in the first couple steps of the first post? I am not completely sure what it does, and if it's going to mess with the protection that is already enabled on my computer.
-=(8)=-
01-01-06, 04:54 PM
If it was me, I'd back up my data and then give it a try :) Otherwise, two options:
As always, Thank you x3 !!
mechBgon
01-01-06, 09:20 PM
MechBgon,
I pretty much have all of my spyware/virus protection products up to date (Microsoft AntiSpyware, Spybot S&D, Ad-Aware, Pest Patrol, McAfee). Well not pretty much, I do! I also run Microsoft AntiSpyware every day. Also I am getting Norton soon. Do I need to do the thing you were talking about in the first couple steps of the first post? I am not completely sure what it does, and if it's going to mess with the protection that is already enabled on my computer.
If you have a recent model of McAfee and all your Windows updates, then you're off to a good start. Make sure that your McAfee definitions are the 4464 version as of today, because these are the first version of DATs (McAfee's term for virus definitions) that can detect the "second wave" of exploits. To do that, right-click your McAfee icon down by the clock and there'll be an "About VirusScan" item somewhere that'll mention what DATs it's got.
You wouldn't want to have two antivirus softwares actually installed at the same time, so if you're getting Norton, I assume your McAfee is running out and that's the reason?
As for the other countermeasures, it sounds like both unregistering the Windows Picture & Fax Viewer with that red command and also using the unofficial patch are considered the most solid safeguards, even as much as antivirus software.
The nature of the threat is that Windows has this weakness and you can try to keep defending it with reactive measures (antivirus software) that are always a step behind the bad guys, or you can use the unofficial patch and the Windows Picture & Fax Viewer workarounds to actually close off the weakness for the time being, while Microsoft gets a fully-tested patch built. They have to get it right the first time and not have it explode in their faces, it has to work on zillions of combinations of software and hardware, and from what I read, it's a pretty deep piece of Windows where it's not trivially easy to just fix it. I'm sure they've got teams of people sweating bullets 24/7 to fix it.
This will plague them for years, though. The vulnerabilities that most botnet worms use, for example, have been patched for months or even several years, and still people get infected because they've got a 4-year-old computer and don't even realize that Windows and the antivirus is 3.5 years out-of-date (among many other reasons, such as lack of firewall). So this is just going to be a scourge for them for years, is my prediction.
phantomcow2
01-01-06, 09:55 PM
Through all the commotion, I am still uncertain about one thing.
When your computer is infected with this, what actually happens?
mechBgon
01-01-06, 10:23 PM
Through all the commotion, I am still uncertain about one thing.
When your computer is infected with this, what actually happens?
Money begins pouring out of the CD-ROM drive. :)
WAIT, that didn't happen :D The exploit delivers a payload. The payload could be anything. They could just start opening and closing your CD-ROM drive while playing a "We Are The Champions" MIDI file if they wanted. But since the whole motive is making money, what they'll do is stuff that makes them money somehow.
They might install adware that generates advertising revenue for them.
They might install a bogus supposed "anti-spyware" program that gets in your face and keeps nagging and threatening you that OMG your system is infected!!!! and stuff, and want $40 in "registration fees" so their anti-spyware program can "fix" the non-existent "problems." :mad: Lemme post a short clip of a video I shot while researching this stuff... mmm, too large, but here's a still pic from the movie:
http://www.mechbgon.com/misc/crooks.gif
And in their FAQ, which you as a Linux user can probably go look at safely, they have stuff like "I have a warez, cracks, porn site, can I join?" and of course the answer is "Yes." Windows users, it is not recommended for you to visit that site under any circumstances.
They might install a keylogger that sends them a copy of everything typed on the system, including your credit card info from the last Bike Nashbar order, or your logon info to your bank's site so they can log on as you and send themselves your money.
They might install a botnet worm such as an SDbot variant, so they can use your computer to send Spam emails for their profit, or use your computer as part of a Distributed-Denial-of-Service attack against people who won't pay up to the extortion demand, or host a phishing website on your system to get people's eBay/PayPal logons so they can empty your account, or use your good eBay credentials to "sell" nonexistent stuff paid-in-advance.
love of money is the root of all evil... now who said that? ;)
By the way, all the stuff I mentioned above is just the beginning. This exploit will be gleefully latched onto by the people who've already been grabbing at just the "low-hanging fruit" for the last couple years, the Bagle, Netsky, Sober, Kelvir and MyDoom authors who already have huge botnets and would love to add to them. With this exploit so difficult to defend, they don't have to settle for the low-hanging fruit anymore. Expect to see future worms going for the kill via this exploit.
javna_golina
01-02-06, 04:26 AM
Whenever I try and scan my computer for viruses using AVG it restarts without me doing anything...this wouldn't have anything to do with it would it?