Spy Sheriff - so how do people get infected w/ this thing?

Leythos

NO! Prove to me that you own the name "Leythos" and I will stop using it.
Stop stalking me and I will stop using it. Hehe, forging your name? You must
be crazy. That's the funniest thing I've heard all year. Get lost, stalker.

--


(e-mail address removed)
remove 999 in order to email me
 
Leythos

ilovepcbutts1 said:
Subject: Re: Spy Sheriff - so how do people get infected w/ this thing?
From: Leythos <[email protected]>
Newsgroups: comp.os.ms-windows.misc, microsoft.public.windowsxp.general, alt.comp.anti-virus, comp.security.misc

NO! Prove to me that you own the name "Leythos" and I will stop using it.
Stop stalking me and I will stop using it. Hehe, forging your name? You must
be crazy. That's the funniest thing I've heard all year. Get lost, stalker.

NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
69.237.53.123

Please note that PCBUTTS1 is the poster of the above message using my
NickName "Leythos". He posts from the above host, which you can validate
in the Usenet headers, since Microsoft deletes his posts from their
servers due to his lack of ethics, his theft of others code, and his
violations of their Usenet standards.

As a "formal" request, for documentation reasons, I request that you stop
using my name to forge posts. You have been warned now.
 
Bill

As a "formal" request, for documentation reasons, I request that you stop
using my name to forge posts. You have been warned now.


Of course, you could just try posting with your real name.
 
Bill

This is the name I've posted with for over 10 years, longer than he's
been online.


Perhaps, but if I want to post using the name "Chair" and someone else
uses it at some point, there's not a lot one can do about it. Move on.
 
Leythos

Perhaps, but if I want to post using the name "Chair" and someone else
uses it at some point, there's not a lot one can do about it. Move on.

Yes, I know, but, as with most people, some have Ethics and others
don't.
 
Cool_X

Can anyone please tell me a suitable workaround for Windows 98 SE? The M$ page only lists
un-registering Shimgvw.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows
Server 2003 and Windows Server 2003 Service Pack 1.

Please let me know about this.

Cool_X
 
Todd H.

Cool_X said:
Can anyone please tell me a suitable workaround for Windows 98 SE?
The M$ page only lists un-registering Shimgvw.dll on Windows XP
Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
Windows Server 2003 Service Pack 1.

Please let me know about this.

Cool_X

Quoted from http://isc.sans.org/diary.php?storyid=994

"Note: If you're still running on Win98/ME, this is a watershed
moment: we believe (untested) that your system is vulnerable and there
will be no patch from MS. Your mitigation options are very
limited. You really need to upgrade."


Best Regards,
 
Larry Sabo

Quoted from http://isc.sans.org/diary.php?storyid=994

"Note: If you're still running on Win98/ME, this is a watershed
moment: we believe (untested) that your system is vulnerable and there
will be no patch from MS. Your mitigation options are very
limited. You really need to upgrade."


Best Regards,


Install Sunbelt Kerio Personal Firewall and modify the filter rules
per the article "Snort rules for WMF exploit updated" in
http://sunbeltblog.blogspot.com/. That seems to work very well.

Larry
 
Frank Slootweg

Kerry Brown said:
I have seen it on three customers' computers in the last three days. They
were all up to date with Windows updates, running an antivirus, one was
running MS AntiSpyware. As near as I can tell they all came in via the .wmf
exploit. One was in a spam email. They had the preview pane open and viewing
the email installed the malware. Two were while surfing the net. Both times
they clicked on a link in a Google search and they were immediately
infected. See the following link for details of the exploit.

http://www.microsoft.com/technet/security/advisory/912840.mspx

Are you sure about that preview pane story? The Microsoft Security
Advisory claims that one at least has to *click* on something or *open*
an *attachment*:

[Start quote:]

Mitigating Factors:

* In an E-mail based attack involving the current exploit, customers
would have to be persuaded to click on a link within a malicious
e-mail or open an attachment that exploited the vulnerability. At this
point, no attachment has been identified in which a user can be
attacked simply by reading mail.

[End quote.]

[This is from the January 3 version of the Advisory. The earlier wording
was somewhat less specific.]

I also thought that a (OE) (pre-)view was enough, but I checked some
(innocent) JPEGs in an HTML message and they are displayed, *despite*
disabling (un-registering) the Windows Picture and Fax viewer
(Shimgvw.dll). So apparently JPEG in e-mail is rendered by some other
component than the Windows Picture and Fax viewer. Of course I didn't
check any malicious 'pictures', so I could be wrong.

Anyway, the good news is that if everything goes according to plan, we
will have a (MS) patch (security update) in a week (January 10).
 
Kerry Brown

Positive. I have seen it in action. Security was slightly relaxed as the
user used the stationery features a lot. Until this exploit there had never
been a problem with their setup. They had disabled Block images and other
external content in HTML email. Not the most sensible thing to do but many
users who use stationery do this. There are many newsgroups devoted to
stationery. Microsoft even has one on their private news server. I was wrong
about the hardware DEP though. It looks like this works on some systems but
not others.

Kerry

Frank said:
Kerry Brown said:
I have seen it on three customers' computers in the last three days.
They were all up to date with Windows updates, running an antivirus,
one was running MS AntiSpyware. As near as I can tell they all came
in via the .wmf exploit. One was in a spam email. They had the
preview pane open and viewing the email installed the malware. Two
were while surfing the net. Both times they clicked on a link in a
Google search and they were immediately infected. See the following
link for details of the exploit.

http://www.microsoft.com/technet/security/advisory/912840.mspx

Are you sure about that preview pane story? The Microsoft Security
Advisory claims that one at least has to *click* on something or
*open* an *attachment*:

[Start quote:]

Mitigating Factors:

* In an E-mail based attack involving the current exploit, customers
would have to be persuaded to click on a link within a malicious
e-mail or open an attachment that exploited the vulnerability. At
this point, no attachment has been identified in which a user can be
attacked simply by reading mail.

[End quote.]

[This is from the January 3 version of the Advisory. The earlier
wording was somewhat less specific.]

I also thought that a (OE) (pre-)view was enough, but I checked some
(innocent) JPEGs in an HTML message and they are displayed, *despite*
disabling (un-registering) the Windows Picture and Fax viewer
(Shimgvw.dll). So apparently JPEG in e-mail is rendered by some other
component than the Windows Picture and Fax viewer. Of course I didn't
check any malicious 'pictures', so I could be wrong.

Anyway, the good news is that if everything goes according to plan,
we will have a (MS) patch (security update) in a week (January 10).
The only effective workaround right now is to enable hardware DEP
for all programs (software DEP won't stop it) or disable the Windows
picture and fax viewer. Both workarounds can cause problems.
Hardware DEP may break some drivers and a lot of games won't run.
Unregistering shimgvw.dll seems to be the best workaround but it may
cause some minor problems with html email and some web sites.

Kerry
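The exploit the thread is discussing (MS advisory 912840) is triggered by a WMF META_ESCAPE record carrying the SETABORTPROC escape, so a mail or web gateway can flag any metafile that contains one regardless of the viewer installed on the client. The scanner below is an added example, not code from the thread, Microsoft or Sunbelt; the record layout follows the public Windows Metafile format, and the sample files are constructed fixtures.

```python
import struct

# Constants from the public Windows Metafile format (assumed layout, not from
# the thread): placeable magic, record functions, and the escape the exploit abuses.
PLACEABLE_MAGIC = 0x9AC6CDD7
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009


def wmf_records(data):
    """Yield (function, params) for each record; raises on a non-WMF header."""
    off = 0
    # A 22-byte placeable header may precede the standard 18-byte header.
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    hdr_type, hdr_words = struct.unpack_from("<HH", data, off)
    if hdr_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:  # a record cannot be shorter than its own header
            raise ValueError("malformed record at offset %d" % off)
        end = off + size_words * 2
        yield func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_setabortproc(data):
    """Return [(record_index, escape_byte_count)] for every SETABORTPROC escape."""
    hits = []
    for idx, (func, params) in enumerate(wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            escape_fn, count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                hits.append((idx, count))
    return hits


def build_wmf(records):
    """Constructed test fixture: minimal non-placeable WMF wrapping the records."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, 0, 0)
    return header + body
```

A non-empty result from `find_setabortproc` is a strong indicator on its own, since legitimate images have no reason to install an abort procedure.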
 
Frank Slootweg

Kerry Brown said:
Positive. I have seen it in action. Security was slightly relaxed as
the user used the stationery features a lot. Until this exploit there
had never been a problem with their setup. They had disabled Block
images and other external content in HTML email.

Ah, that explains it! AFAIK, Block images is enabled by default in
(SP2) OE, at least it was for me. So for me it would mean a click.

Kerry Brown said:
Not the most sensible
thing to do but many users who use stationery do this. There are many
newsgroups devoted to stationery. Microsoft even has one on their
private news server.

Yeah, it's the old point: Is 'rich' ever going to be safe? Probably
not.

Kerry Brown said:
I was wrong about the hardware DEP though. It
looks like this works on some systems but not others.

Kerry
Frank Slootweg wrote:
[bottom-quote deleted]
 
Cool_X

Just great, so this means the death of Win98 SE??? M$ could release a patch if they wanted to
(and should, because this is a critical security issue), but they will use any tactic possible
to force eXPensive upgrades. Even people who are using XP and 2000 who pirated it get a better
update service and all critical updates like this!!!

If all 16-bit versions of Windows will be vulnerable (are you saying they won't release a patch
for Win ME that might work?), then this has HUGE implications for all machines that aren't fast
enough to run 2000. It's basically a death sentence towards ever going on the Internet.

Besides which, can't any of the security people here tell me the Windows files that are
specifically affected by this virus, so I can block them (would need to know how to do that as
well)???

Contrary to what Linus Torvalds said, Micro$oft IS EVIL!!!

Cool_X
 
Cool_X

Larry,
I would consider doing this, but I don't know if Sunbelt's product is free, and worse, I
already own ZoneAlarm Pro, and I know that 2 firewalls won't work together. Even if they did,
ZoneAlarm slows down my boot time by a large amount.

Does anyone have any other suggestions, like what Windows files to block or unregister?

I think that if I don't have the DLL that the sites are asking me to unregister, then I'm
either not affected or the exploit targets different files. Could anyone clarify this one way
or another???

Cool_X
 
Notan

Cool_X said:
Larry,
I would consider doing this, but I don't know if Sunbelt's product is free, and worse, I
already own ZoneAlarm Pro, and I know that 2 firewalls won't work together. Even if they did,
ZoneAlarm slows down my boot time by a large amount.

<snip>

It's currently being offered for $14.95. (I paid $45.00. Damn! <g>)

Have a look at http://www.sunbelt-software.com/kerio.cfm.

Notan
 
Todd H.

Cool_X said:
I think that if I don't have the DLL that the sites are asking me to
unregister, then I'm either not affected or the exploit targets
different files. Could anyone clarify this one way or another???

You probably do have that dll.

Be sure to put the missing backslashes in the unregister command:

regsvr32 -u %windir%\system32\shimgvw.dll
 
Leythos

Just great, so this means the death of Win98 SE??? M$ could release a patch if they wanted to
(and should, because this is a critical security issue), but they will use any tactic possible
to force eXPensive upgrades. Even people who are using XP and 2000 who pirated it get a better
update service and all critical updates like this!!!

If all 16-bit versions of Windows will be vulnerable (are you saying they won't release a patch
for Win ME that might work?), then this has HUGE implications for all machines that aren't fast
enough to run 2000. It's basically a death sentence towards ever going on the Internet.

You have several options:

1) Having known that Windows 98 was no longer supported for many moons,
you've had plenty of time to get a replacement or to determine to live
with an Unsupported OS.

2) Develop a firewall/AV solution that works for your unsupported
platform that limits your exposure.

3) Upgrade to Windows 2000 or XP on your existing hardware and live with
the performance issues.

4) Get a new computer and newer OS - the OS could be Windows based or
Linux based if you didn't want a fee-based OS. Fedora Core 4 is stable
and works well on older as well as newer hardware.
 
Leythos

Leythos said:
Yes, I know, but, as with most people, some have Ethics and others
don't.

From: Leythos <[email protected]>
Subject: Re: Spy Sheriff - so how do people get infected w/ this thing?
Date: Mon, 02 Jan 2006 20:50:04 GMT
Message-ID: <[email protected]>
Lines: 19
Newsgroups:
comp.os.ms-windows.misc,microsoft.public.windowsxp.general,alt.comp.anti
-virus,comp.security.misc
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: 7bit
User-Agent: MicroPlanet-Gravity/2.70.2067
X-No-archive: yes
NNTP-Posting-Host: 24.123.138.210
X-Complaints-To: (e-mail address removed)
X-Trace: tornado.ohiordc.rr.com 1136235004 24.123.138.210 (Mon, 02 Jan
2006 15:50:04 EST)
NNTP-Posting-Date: Mon, 02 Jan 2006 15:50:04 EST
Organization: Road Runner High Speed Online http://www.rr.com
Xref: TK2MSFTNGP08.phx.gbl microsoft.public.windowsxp.general:1446975

Please note that this poster is an imposter; he/she is using the nick
that I have been using for 10 years now. You can verify the header
simply by looking at his host provider.

NNTP-Posting-Host: 24.123.138.210

I suggest and encourage all posters to immediately kill-file this imposter
as soon as possible, to ensure you only see my posts and not the imposter's.
 
John Hyde

Quoted from http://isc.sans.org/diary.php?storyid=994

"Note: If you're still running on Win98/ME, this is a watershed
moment: we believe (untested) that your system is vulnerable and there
will be no patch from MS. Your mitigation options are very
limited. You really need to upgrade."


Best Regards,

Turns out that this may not be true. Apparently the older versions of
windows don't have a default *.WMF handler. Technically they are
vulnerable, but for all practical purposes not. CAUTION: this will
depend on your configuration. Here is one article that I found:

http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx

JH
 
