NEW virus - Alert from F-Secure

  • Thread starter: Heather
Virus said:
In this case, a default installation of Win-98 is not
even vulnerable to the problem related to Windows WMF files.

Saying a *default* Win98SE installation is not vulnerable might be
exactly accurate as stated, but could easily be misunderstood by people
who don't spot the limitation you placed on your statement: "Default".

By now, very few people have a default installation in their box, with
nothing else, so there *might* be an indirect vulnerability as a result
of added programs.

I am watching to see if there are further developments:

http://isc.sans.org/diary.php?storyid=975

Google Desktop Search (GDS) can trigger the buffer overflow
vulnerability if a malicious WMF file is placed in a location that is
indexed. Other content indexing software may also be vulnerable.
 
Virus said:
It's absurd to tell people not to surf web-sites they don't trust.
How does someone know in advance if a web page has an exploit, or a
web server has been hacked, or even a DNS server has been poisoned?

It's not absurd. It's good advice. It's just that, as you point out, you
can't know in advance of every site to which that advice would apply.
Certainly, in lots of cases, one can easily make that assessment (e.g.,
geocities, porn sites, etc.).
If you want to extend this issue and morph it into a safe-hex issue,
then the only coherent answer is to not do any web surfing at all!

Now, that would be absurd.
 
{snippage}

Okay, we see things very differently. No problem.
You won't hear any such "expert" commentary about W-98 any more.

Yes, *I* will. It's already being discussed privately elsewhere.

Besides, who the heck is running a default install of original Win 98?
Seems irrelevant since most users install stuff willy-nilly and don't
even remember what they got on their system anyway.
Commercial web-rags or computer magazines have long since stopped
printing articles or editorials about W-98. Their staff "experts"
were probably in high school when 98 came out. You simply won't find
any non-partisan professional commentary about the relative immunity
of W98 to modern exploits in this day and age,

I think I will, at least privately. I may be wrong of course, time
will tell.
 
Clay said:
I'll wait for the expert commentary rather than take a stand.

And then Clay followed up with:
Yes, *I* will. It's already being discussed privately elsewhere.

Which one is it Clay?

You are waiting for expert commentary, or you are already reading
expert commentary (albeit private commentary)?
I think I will, at least privately.

By professional, I mean someone who is paid to write what they
write, which usually happens in a publication you must buy in order to
read, or a web-site that is more than just a blog.
I may be wrong of course, time will tell.

Will you tell us what you are learning in these private discussions?
 
Offbreed said:
Saying a *default* Win98SE installation is not vulnerable might
be exactly accurate as stated, but could easily be misunderstood
by people who don't spot the limitation you placed on your
statement: "Default".

By now, very few people have a default installation in their box,
with nothing else, so there *might* be an indirect vulnerability
as a result of added programs.

I have far from a default installation of Win-98se.

In this case (WMF exploit) I do not have the faulty DLL in question
(shimgvw.dll). Either shimgvw.dll is not compatible with 98, or MS
saw fit to never have included shimgvw.dll in any update to 98 that it
delivered through patches, fixes, enhancements, etc (including
office-update).

shimgvw.dll seems to date back to 2000 or 2001 (and was or became part
of ME and all OS's since). That DLL (if compatible with 98) could
have easily been made available to 98 users as an optional download.
Good thing that MS never did - because (a) it's obviously rarely ever
needed by anyone, and (b) as we now know, it creates an exploitable
fault in the OS.

In MS's rush to make all older OS's obsolete by packing new OS's with
"features", they create poor code that more often than not becomes the
focus of tomorrow's advisory.

What's funny is that MS seems to have created a relatively recent
version of shimgvw.dll as can be found here:

http://www.dlldump.com/cgi-bin/testwrap/downloadcounts.cgi?rt=count&path=dllfiles/S/shimgvw.dll

That appears to be an XP-SP2 version.

And they still didn't get it right!

Or perhaps older versions are ok, and it's this new version that has
the exploit!

Remember Micro$haft's motto:

"If it works, it's not complicated enough."

That mindset guides them in everything they do.
 
A default, original installation of Win-98 is NOT VULNERABLE to
intrusion or access through the internet by simply connecting it to
the internet.


What about the opas worm which exploits an unpatched win98 password
vulnerability and can brute force a share level password in a few
milliseconds?

Quite a few people have been around here looking for advice on
removing it having merely connected their computer to the Internet.

Maybe file and printer sharing doesn't come under your heading of
default installation of win98? However, quite a lot of users will
subsequently install it and in its (then) default state it is bound to
all protocols and open for business on the Internet unless the
bindings are adjusted or a firewall is installed.


Jim.
 
A default, original installation of Win-98 is NOT VULNERABLE to
intrusion or access through the internet by simply connecting it to
the internet.

Win 98 SE might have file and printer sharing turned off by default,
and there may be no open ports by default ... if that's what you mean.
But so what? It's not safe to actually _do_ much of anything on the
internet until you activate the Windows Update (WU) Trojan to at least
get the latest version of IE and its patches. The WU Trojan will turn
file and printer sharing on and you're now sitting there vulnerable
with open ports. So if you aren't using an external router/firewall you
had better have the install program of a sw firewall on CD and install
it before going online.

Win 98 original was worse yet. It holds an RPC port open unless you
rename RPCSS.DLL to RPCSS.OLD in plain DOS.

Besides this, people were taking hits all over the place back in the
days of Win 98. I remember the KAK worm and Bubbleboy which used
an old OE vulnerability where simply reading an email got you infected
.... just for one example. Those weren't exactly "the good old safe
days" by any means.

Art

http://home.epix.net/~artnpeg
 
Virus Guy said:
Symantec itself (in the above link) DOES NOT IDENTIFY any affected
OS's by name.

The above linked page says

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows Server 2003, Windows XP
Again, the image rendering engine shimgvw.dll is fingered as the
problem. That DLL is not present in the default installation of
Win-98, nor is it present in "mature" installations of Win-98.

There is much indication now that shimgvw.dll is /not/ at the root
of the problem, but rather gdi32.dll. Here's one link.
<http://www.viruslist.com/en/weblog?weblogid=176892530>

There's a third-party patch linked from
<http://www.f-secure.com/weblog/archives/archive-122005.html#00000756>.
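If the root of the problem is gdi32.dll's own metafile handling rather than a viewer DLL, then the check a defender can actually run is on the WMF files themselves, not on which DLLs an OS ships. The following is an added example (Python), not code from the thread or from any of the linked patches: it walks the WMF record list and flags Escape records carrying the SetAbortProc sub-function, the record pattern the WMF exploit relied on, which legitimate metafiles essentially never contain. The record layouts follow the published WMF format; the two sample files are constructed inline and carry no payload.

```python
import struct

# WMF constants (MS-WMF record and escape identifiers).
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7  # Aldus placeable header magic; that header is 22 bytes

def wmf_records(data):
    """Yield (function, params) for each record, tolerating truncated files."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # normally 9 words
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            break  # size covers its own 4 bytes plus the 2-byte function field
        end = off + size_words * 2
        yield func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end

def setabortproc_records(data):
    """Indexes of META_ESCAPE records whose sub-function is SetAbortProc."""
    hits = []
    for i, (func, params) in enumerate(wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(i)
    return hits

def build_wmf(records, placeable=False):
    """Constructed sample builder: records are (func, params) with even-length params."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    max_words = max((6 + len(p)) // 2 for _, p in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    prefix = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) if placeable else b""
    return prefix + header + body

# Constructed samples: a harmless SetMapMode(MM_ANISOTROPIC) file, and one whose
# only drawing record is an Escape(SetAbortProc) with four zero bytes of data.
BENIGN = build_wmf([(0x0103, struct.pack("<H", 8)), (META_EOF, b"")])
SUSPECT = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4),
                     (META_EOF, b"")], placeable=True)
```

Run over a directory of indexed images, any non-empty result from `setabortproc_records` is worth quarantining before a viewer or indexer renders the file.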
 
You are waiting for expert commentary, or you are already reading
expert commentary (albeit private commentary)?

It's both I guess as I'm reading discussions that are taking place
privately and all relevant facts have yet to be revealed (at least to
me). It may take some time for facts to be assimilated.
By professional, I mean someone who is paid to write what they
write, which usually happens in a publication you must buy in order to
read, or a web-site that is more than just a blog.

Hmmm... by professional, I mean someone who is considered an
expert on the issue.
Will you tell us what you are learning in these private discussions?

I will be happy to if it pertains to this discussion and I don't break
any "non-disclosure" agreements. Please don't count on it though. BTW,
I'm really not trying to be a dick, just keeping an open mind.
 
Virus said:
What's funny is that MS seems to have created a relatively recent
version of shimgvw.dll as can be found here:

http://www.dlldump.com/cgi-bin/testwrap/downloadcounts.cgi?rt=count&path=dllfiles/S/shimgvw.dll

That appears to be an XP-SP2 version.

And they still didn't get it right!

Or perhaps older versions are ok, and it's this new version that has
the exploit!

Remember Micro$haft's motto:

"If it works, it's not complicated enough."

That mindset guides them in everything they do.

I don't know what you do for a living. I manage a product management
group that provides solutions for both contract manufacturing and
branded products. Many of our products require software engineering, so
I'm experienced in dealing with software engineers. Often, you don't get
it right until after several iterations which could take many months,
depending on the complexity of what needs to be done. And sometimes the
defects don't show up until you test to failure. I would guess that
Microsoft software engineers didn't have this exploit in mind when going
through reliability and security testing. From what I am learning,
software testing is still evolving as a science:
http://www.ece.cmu.edu/~koopman/des_s99/sw_testing/
 
No he didn't! :))

[snipped (but none was mine)]
W98SE (ver "A") does not have shimgvw.dll.
It's a "hand-me-down" box (I don't know its full history) but
the orig. owner was an AOLer, unlikely to be removing .DLLs.

So one could safely assume that without the vulnerable code there is no vulnerability.

An interesting side note to this discussion (as Virus Guy has turned it) is that much
of what people consider to be the OS proper is actually a tool, utility, or application
suite bundled with the OS. The so-called IE integration seems more like code which
happens to be shared between the GUI file manager and the browser - neither of
which is, IMO, really a part of the OS.
 
Win 98 original was worse yet. It holds a RPC port open unless
you rename RPCSS.DLL to RPCSS.OLD in plain DOS.

I don't have this file on my computer. ???

--
Laura Fredericks
4Q's "wicked evil bitch of satire, parody, humor and trollism"

PGP key ID - DH/DSS 2048/1024: 0xC753039A

alt.comp.virus photo gallery:
http://www.queenofcyberspace.com/acvgallery/

usenet flamewars:
http://www.queenofcyberspace.com/usenet/

Remove CLOTHES to reply.
 
Heather said:
Thanks, Jeff. I will send this to my friend in Virginia. He got it on the
evening of the 27th .....and it has to be this one. He is a programmer and
has been up till the wee hours trying to get rid of this.

Cheers....Heather
Would it be good enough to just change the name of
shimgvw.dll and gdi32.dll until there is a fix?

I can certainly live without MS picture and fax viewer -
what does gdi32.dll work with?

Louise
 
Would it be good enough to just change the name of
shimgvw.dll and gdi32.dll until there is a fix?

I can certainly live without MS picture and fax viewer -
what does gdi32.dll work with?

GDI32.DLL contains functions for the Windows GDI (Graphical Device
Interface) which assists Windows in creating simple 2-dimensional
objects... Removing it would probably be a bad thing.
Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 
[snip]
Would it be good enough to just change the name of
shimgvw.dll and gdi32.dll until there is a fix?
[snip]

No. But if you have Win 2000 or XP you should apply the temporary fix
available here:

http://www.hexblog.com/2005/12/wmf_vuln.html

--
Luke
______________________________________________________________________
"Warrants? We ain't got no warrants. We don't need no warrants. I
don't have to show you any stinkin' warrants."
-- George W. Bush, December 18, 2005
 