New Windows exploit found - can infect your computer just by viewing an image


mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
To quote myself from the other thread in Software:

Also, if you have WindowsXP with Service Pack 2, enable Data Execution Prevention for all software. Right-click My Computer, choose Properties, and do this: http://www.mechbgon.com/build/DEP.gif Microsoft's initial bulletin says this will mitigate the threat.

And yeah, update antivirus signatures. If you haven't done so already, enable your antivirus software's Heuristic detections. Symantec/Norton products apparently detect this stuff heuristically with the latest definitions, if you've got Heuristics enabled on your real-time protection. To update Symantec/Norton antivirus with today's defs, run the Intelligent Updater found on this page.
 

Trikat

Diamond Member
May 22, 2003
3,384
0
86
Originally posted by: SLCentral
Originally posted by: trinketsummoner
Originally posted by: SLCentral
My brother got this yesterday, I think. Totally f-ed up his PC, and he had to format. Even a clean with SpyBot, Adaware, and Norton wouldn't fix it :\. Of course, this was before I heard stories about this attack, so I told him to go ahead and format before I learned about the NOD32 fix.

So what pr0n site did he visit? ;)

:D. He claims he was just sitting at his desk not even using his computer when all sorts of popups came up.

Haha. Sure sure.
What a noob! Reminds me of my friend's brother.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Trikat
Originally posted by: SLCentral
Originally posted by: trinketsummoner
Originally posted by: SLCentral
My brother got this yesterday, I think. Totally f-ed up his PC, and he had to format. Even a clean with SpyBot, Adaware, and Norton wouldn't fix it :\. Of course, this was before I heard stories about this attack, so I told him to go ahead and format before I learned about the NOD32 fix.

So what pr0n site did he visit? ;)

:D. He claims he was just sitting at his desk not even using his computer when all sorts of popups came up.

Haha. Sure sure.
What a noob! Reminds me of my friend's brother.
If he has Google Desktop installed, and the file arrived via a P2P program, that's what would happen. File arrives on hard drive, Google Desktop indexes it and executes the exploit in the process. Fun. :)

 

imported_Phil

Diamond Member
Feb 10, 2001
9,837
0
0
Originally posted by: mechBgon
Originally posted by: Trikat
Originally posted by: SLCentral
Originally posted by: trinketsummoner
Originally posted by: SLCentral
My brother got this yesterday, I think. Totally f-ed up his PC, and he had to format. Even a clean with SpyBot, Adaware, and Norton wouldn't fix it :\. Of course, this was before I heard stories about this attack, so I told him to go ahead and format before I learned about the NOD32 fix.

So what pr0n site did he visit? ;)

:D. He claims he was just sitting at his desk not even using his computer when all sorts of popups came up.

Haha. Sure sure.
What a noob! Reminds me of my friend's brother.
If he has Google Desktop installed, and the file arrived via a P2P program, that's what would happen. File arrives on hard drive, Google Desktop indexes it and executes the exploit in the process. Fun. :)

Now that is a worrying exploit. I hadn't even thought of that. :Q
 

SLCentral

Diamond Member
Feb 13, 2003
3,542
0
71
Originally posted by: mechBgon
Originally posted by: Trikat
Originally posted by: SLCentral
Originally posted by: trinketsummoner
Originally posted by: SLCentral
My brother got this yesterday, I think. Totally f-ed up his PC, and he had to format. Even a clean with SpyBot, Adaware, and Norton wouldn't fix it :\. Of course, this was before I heard stories about this attack, so I told him to go ahead and format before I learned about the NOD32 fix.

So what pr0n site did he visit? ;)

:D. He claims he was just sitting at his desk not even using his computer when all sorts of popups came up.

Haha. Sure sure.
What a noob! Reminds me of my friend's brother.
If he has Google Desktop installed, and the file arrived via a P2P program, that's what would happen. File arrives on hard drive, Google Desktop indexes it and executes the exploit in the process. Fun. :)

Thing is that he isn't a noob at all when it comes to computers. He actually founded SLCentral.com. He hasn't touched P2P/Bittorrent/Warez in years, and doesn't use Google Desktop, so it must have just been regular surfing.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Phil
Originally posted by: mechBgon
Originally posted by: Trikat
Originally posted by: SLCentral
Originally posted by: trinketsummoner
Originally posted by: SLCentral
My brother got this yesterday, I think. Totally f-ed up his PC, and he had to format. Even a clean with SpyBot, Adaware, and Norton wouldn't fix it :\. Of course, this was before I heard stories about this attack, so I told him to go ahead and format before I learned about the NOD32 fix.

So what pr0n site did he visit? ;)

:D. He claims he was just sitting at his desk not even using his computer when all sorts of popups came up.

Haha. Sure sure.
What a noob! Reminds me of my friend's brother.
If he has Google Desktop installed, and the file arrived via a P2P program, that's what would happen. File arrives on hard drive, Google Desktop indexes it and executes the exploit in the process. Fun. :)

Now that is a worrying exploit. I hadn't even thought of that. :Q
Yeah, I think the Consolidated Security Thread is gonna get a workout over the next couple weeks :Q
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
31,305
12,822
136
Maybe that is what attacked me 2 days ago?

I found a few stragglers yesterday and killed them off.

I have no spyware or viruses on my PC now.

PC seems to be a little faster too. ;)
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Sunbelt's blog has a bunch more info.

1) this junk is already being distributed via rotational banner ads :Q:|

2) they say that hardware-enforced DEP will stave off the exploit*, but that software-only DEP will not (you want to enable DEP for all software, to take advantage of the processor's protection). So if you have a processor with NX-bit support then you have better protection.


McAfee's got a detection coming out tomorrow for a bogus spyware remover that they said is getting distributed by WMF: Adware-WinHound. McAfee users with VirusScan Enterprise 8.0i have been partially protected by the buffer-overflow protections since forever. :) Formal protection against the whole exploit was added with the 4661 DATs, so McAfee users make sure you've got the 4661 DATs or later.



*Kaspersky Lab notes that some WMF exploits can get past hardware DEP: http://www.viruslist.com/weblog
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
31,305
12,822
136
Originally posted by: mechBgon
Sunbelt's blog has a bunch more info.

1) this junk is already being distributed via rotational banner ads :Q:|

2) they say that hardware-enforced DEP with all software DEP-protected will stave off the exploit*, but that software-only DEP will not. So if you have a processor with NX-bit support then you have better protection.


McAfee's got a detection coming out tomorrow for a bogus spyware remover that they said is getting distributed by WMF: Adware-WinHound. McAfee users with VirusScan Enterprise 8.0i have been partially protected by the buffer-overflow protections since forever. :) Formal protection against the whole exploit was added with the 4661 DATs, so McAfee users make sure you've got the 4661 DATs or later.



*Kaspersky Lab notes that some WMF exploits can get past hardware DEP: http://www.viruslist.com/weblog
That is what attacked me 2 days ago.
 

MrBond

Diamond Member
Feb 5, 2000
9,911
0
76
Originally posted by: SampSon
This is the same type of exploit that has been used for over a year now.
This is not the JPEG exploit. This works with WMF files - a format Office uses for ClipArt.

You can have an infected WMF file, rename it to .jpg and the exploit runs the same way.
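MrBond's point is why filtering on file extension missed this: GDI decides how to render a file from its contents, not its name. As an added illustration that is not code from this thread, the Python below identifies WMF content by its header regardless of extension, so a download scanner or mail gateway can flag a ".jpg" that is really a metafile; the sample files are constructed inline and contain no records at all.

```python
import struct
from pathlib import Path

# Key of the 22-byte Aldus "placeable" header that may precede a WMF (little-endian).
PLACEABLE_KEY = 0x9AC6CDD7


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes start with a WMF header, whatever the file is named."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        data = data[22:]  # skip the placeable header to reach META_HEADER
    if len(data) < 18:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    # META_HEADER: type 1 (in memory) or 2 (on disk), size 9 words, version 0x0100 or 0x0300
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def looks_like_jpeg(data: bytes) -> bool:
    """True for the JPEG SOI marker followed by the start of the next marker."""
    return data[:3] == b"\xff\xd8\xff"


def check_file(name: str, data: bytes) -> tuple:
    """Classify content by magic bytes and report whether the extension disagrees.

    Returns (detected, mismatch) where detected is 'wmf', 'jpeg' or 'unknown'.
    """
    ext = Path(name).suffix.lower()
    if looks_like_wmf(data):
        return "wmf", ext != ".wmf"
    if looks_like_jpeg(data):
        return "jpeg", ext not in (".jpg", ".jpeg")
    return "unknown", False


# Constructed samples (not real malware): a minimal placeable WMF and a JPEG stub.
WMF_SAMPLE = (
    struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)  # placeable header
    + struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)  # META_HEADER only, no records
)
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for fname, blob in [("clipart.wmf", WMF_SAMPLE), ("photo.jpg", WMF_SAMPLE), ("photo.jpg", JPEG_SAMPLE)]:
        print(fname, check_file(fname, blob))
```

A mismatch of ("wmf", True) is the case the thread describes: metafile content under an image extension, which the renderer would still process as WMF.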
 

AnonymouseUser

Diamond Member
May 14, 2003
9,943
107
106
Originally posted by: kyzen
Wait - where are the Linux zealots?! It's been almost 10 minutes since this was posted... something's wrong!

Wow, it's been almost two days now!

:D
 

Amused

Elite Member
Apr 14, 2001
57,390
19,708
146
Originally posted by: Phil
Good to know.

Hey Amused, here's the first virus that can infect you without your consent!

Yep. Scary stuff, too. I've been very busy helping people clean their machines after getting this. For the first time, all my machines have a current AV on them.

Luckily, Norton AV 2006 stops this dead. (not sure about others, but I'm sure many other AVs do).

I was even hit by this and, for the first time ever, had a virus on one of my machines. It was fairly easy to fix, though. I downloaded Norton AV and it killed it in the installation process. I had to fix the registry, though, as it disabled my windows firewall and ability to go to Windows Update.

One thing I have noted: everyone I know who has been hit got hit by visiting a shady website. I was looking for naughty pics of a specific model in a Christmas outfit (Aria Giovanni)... to put in an xmas greeting for someone.

Norton AV 2006 (with the latest defs, of course) will stop it, but it will overwhelm your machine in the process. You need to hit Ctrl-Alt-Delete and end all instances of your web browser to free up your machine.
 

firewall

Platinum Member
Oct 11, 2001
2,099
0
0
I just got a mail from my Uni about this:


A new Trojan horse program was infecting PCs on Wednesday, exploiting a hole in Windows systems to sneak onto computers, then dropping adware or spyware or turning them into zombies, according to several Internet security companies.

The Trojan, dubbed Exploit-WMF (Windows Meta File), was rated a category 2 level risk, meaning it had the potential to continue to spread, said Dave Cole, director of security response at Symantec.

The exploit "is misusing a function in the WMF library in Windows," dropping onto the machine a downloader Trojan "that pulls down its big brother, a more sophisticated Trojan" from a server on the Internet, he said.

"Then it might try to pull down adware, spyware or a bot program," that can turn the computer into a zombie to be used for attacking other machines or sending spam, or just leave a hole on the computer through which sensitive data could be stolen, Cole said.

Kaspersky Lab rated the vulnerability <http://dw.com.com/redir?destUrl=http%3A...-1009-6011406&ontId=1009&lop=nl.ex> "highly critical" and predicted that "new modifications of these programs may well appear in the near future."

The WMF vulnerability affects computers running Windows XP with service pack 1 and service pack 2, as well as Windows Server 2003 with service pack 0 and service pack 1. It can be exploited when an Internet Explorer user, or Firefox user under certain circumstances, visits a Web site that has malicious code on it or when a user previews .wmf format files with Windows Explorer, Kaspersky said in a statement.

The WMF library allows the computer to handle particular image types of Windows machines, Cole said. There is no patch for it yet from Microsoft, although antivirus vendors had released software to help protect against it, he said.

"Microsoft is investigating new public reports of a possible vulnerability in Windows and will continue to investigate the reports to help provide additional guidance for customers," a Microsoft spokesperson wrote in an e-mail. "Upon completion of this investigation, Microsoft will take the appropriate action to protect customers, which may include providing a fix through the monthly release process or issuing a security advisory, depending on customer needs."

It has CNET as the sender. Seems like they just forwarded it on to the students.
 

mchammer

Diamond Member
Dec 7, 2000
3,152
0
76
Originally posted by: asadasif
Are there new defs available for avast! antivirus to deal with this?

Yea I want to know this too. I tried searching their website but I was unsuccessful.
 

firewall

Platinum Member
Oct 11, 2001
2,099
0
0
Originally posted by: mchammer
Originally posted by: asadasif
Are there new defs available for avast! antivirus to deal with this?

Yea I want to know this too. I tried searching their website but I was unsuccessful.

Same here. Couldn't find it anywhere on their homepage.
 

MyThirdEye

Diamond Member
Dec 29, 2005
3,613
0
76
Ugh, I just reformatted, and forgot my username/password for my 2 year subscription to Norton '06!!
 

JJWalker

Senior member
Feb 15, 2001
627
0
0
Originally posted by: amjohns5
Ugh, I just reformatted, and forgot my username/password for my 2 year subscription to Norton '06!!


I would look at that as a positive.


 

cbrsurfr

Golden Member
Jul 15, 2000
1,686
1
81
Heard about this at work. Tried it out on one of my builds and DEP stopped it every time. That combined with SAV and Cisco Security Agent means I'm not worried.