WMF virus issue
I know this isn't necessarily the right forum for this but it is the most read and I wanted to make sure the pests were forewarned. I have checked this out and it isn't a false alarm. It is a real Windows vulnerability that can be triggered via a wmf file.
http://www.kb.cert.org/vuls/id/181038
Unregistering the Windows Picture and FAX viewer is a partial band-aid fix but may not be good enough. Currently there doesn't appear to be any anti-virus program that knows how to deal with it.
Death Metal Moe
12-31-2005, 01:16 AM
Umm, what?
Garyisajoke
12-31-2005, 01:56 AM
thanks for the heads-up, edc... only it's too late for me.
you go.. go on without me...
GonzoRadio
12-31-2005, 11:47 AM
That's why I have a separate Linux partition for all my porn viewing needs
Deadbent
12-31-2005, 01:00 PM
If you surf the web in odd areas, this post might be important. Take the time to read through it. It could save you a few hours and headaches.
Spare partitions for web viewing and operating systems are the shit, but a lot of pests just run IE and have all their files on the same partition as windows, and leave it at that.
This exploit is an unanswered problem by microsoft as of this morning still.. Five days later. That's pretty alarming.
I'd like the pests to just be careful in their browsing behavior and surfing habits, as anti virus programs are null and void to these problems currently. Your A/V software will not prevent the installation of viruses from occurring if you run into this particular exploit. Only careful surfing habits will keep you clean until MS fixes this.
What this is :
It is a security flaw in windows that allows code(programs) to be installed and executed without your say so. In almost every case, it's used to install viruses. Not just one, but a ton of them.
A .wmf file, usually it's a picture, will be brought up in a separate browser window upon clicking an infected link. Now mind you, these links will be disguised as anything. A link to a text file.. A linking piece of html, you name it.
When this .wmf file is opened up, you'll most likely get to see 5-20 windows open and close really fast.
These are the viruses being installed by way of that wmf security flaw.
If you find yourself being infected.. As soon as you notice something wrong... Pull the internet connection on your computer. Remove the network cable. Anything. Cease your being connected to the internet immediately.
If connected to the internet while infected, your pc will be used as a zombie to send spam emails, more viruses, and personal data. This is often characterized by your bandwidth going crazy, and your cpu load sitting at around 90% and you not being able to do dick-all about it. Your system will be paralyzed. Forget about Ctrl+Alt+Del, too. Task manager will not work to manually shut down the virus programs running, because.... the virii this exploit loads shuts down your access to it.
To get your task manager back, you will have to alter your computer's registry and group policies to get access back. (That gets extremely greasy if you're uninitiated)
The viruses installed are clever enough. I've witnessed several variants of them so far this week, among them a series of seven conjoining viruses.. Disguised as self perpetuating spyware installers/ removers. Like a vicious virus circle.
Your desktop will be hijacked, saying "you've got spyware. Click here to remove."
Upon clicking remove, more viruses are installed. You'll then be prompted to a place you pay 40 dollars to register the "spyware remover".
If you pay that.. More viruses are installed... and it's made to look like the virus is removed, but more remain. windows no longer detects the first one you just paid to remove. (But wait, it gets better.. that virus you just paid to remove..is still there. Yeah.)
And again, I'll just point out that "spyware" would be an extremely loose term for what this exploit can install on your machine.
It's not just website tracking software being installed...they're using it to fully bust open your machine.
The hardcore type of shit where people can literally open up a second instance of windows on your computer to do whatever they like, and run entirely unnoticed, under your nose and you can't do a damn thing about it.
I just want the pests to know the potential severity of this problem.
Coming from experience, this is a very, very good exploit, and extremely hard to circumvent.
If you're infected. You will be reformatting your system and reinstalling your operating system. That could be messy if you keep all your files and shit on one big partition.
If you get hammered by it. You can try to find me for help.
If not. Enjoy that reformat and be sure to tell your pc Good luck, bro.
(deadbent hint of the day... make 1, 10gb partition for windows, and partition the rest for your program files and data storage. So if you're ever infected with something new like this... fixing it only takes 30 minutes ;p)
NORTONnFRIENDS
12-31-2005, 01:37 PM
thanks for the heads-up, edc... only it's too late for me.
you go.. go on without me...
:clap: :clap: :clap: :clap:
MikeyP
12-31-2005, 01:54 PM
Wow, didn't even know the specifics about this.
I'm the PC support guy at my company and my wife (who also works there) got this on her office PC last week.
I was actually able to clean the PC as far as I could tell. The only thing that stuck in my craw was that I couldn't change the desktop background at all, everything was greyed out. Since behavior like that makes me leery, I re-imaged the drive.
I should have re-imaged in the first place, as that process along with restoring settings and files is only a 2 or so hour process for me. The cleaning of the PC took an entire day, but I did that first because I like to get in there and get a good look at what I'm dealing with (and I had the spare time).
I just checked with her and she echoed the initial infection behavior mentioned here.
Thanks for the info!
JobsterLob
12-31-2005, 01:56 PM
Hoo Hoo! We invented "spreading the virus"!! Tell 'em, Ant!
Deadbent
12-31-2005, 03:14 PM
Wow, didn't even know the specifics about this!
This one's just a cocksucker. For folks not familiar, It's not a virus per se, just an exploit that allows them to be installed quickly.
I mean... FAST. So fast I didn't even believe it. I've seen a lot of shit get into a network/pc in a short time, but probably not like this yet heh.
It's like.. in an instant. Reaction time means shit.
Personally. I've never seen such a damn good exploit for xp. Heh.
Be alert.
blazin
12-31-2005, 03:21 PM
Ahh, yes, thanks for this post.. it sheds some light on this problem, considering I fixed 5 machines just this week that became infected....My own personal machine was hit too, which totally blew my mind.. I can't really complain though...spyware rocks and makes me a lot of money!
But you can clean this out relatively easily, my computer is fine now...as far as the inability to change the background after this infection, there is a registry edit you have to do to enable wallpaper changing..
SaltyDelights
12-31-2005, 03:28 PM
I sort of got this yesterday. I got it from (DO NOT GO TO THIS WEBSITE!!) e-m-p----3----w-o-r-l-d.com.
It installed some porn on my desktop and something that resembled a pepper trojan. I used System Restore and it went away. Yesterday night I upped all my security settings on Internet Explorer to their maximum settings except for "Active Scripting," "Allow META REFRESH," and it no longer downloads the stuff.
phishman3579
12-31-2005, 03:49 PM
I suggest you all download Ubuntu Linux and give yourself a Linux porn surfing partition.
Hoo Hoo Howie
12-31-2005, 03:51 PM
It may be coincidence or it may be bad luck but I think I got this shit on my wife's laptop at home this morning. Over the past week or so, the comp had been crashing unexpectedly for no reason. Then last night it completely locked up and now it won't boot up past the windows XP screen.
I've tried to open windows in safe mode, and have even tried to boot from the XP disc directly. It runs through the registry and just stops halfway through and locks up again.
How do I completely reformat the hard drive and start from scratch? Can someone help me?
blazin
12-31-2005, 03:55 PM
It may be coincidence or it may be bad luck but I think I got this shit on my wife's laptop at home this morning. Over the past week or so, the comp had been crashing unexpectedly for no reason. Then last night it completely locked up and now it won't boot up past the windows XP screen.
I've tried to open windows in safe mode, and have even tried to boot from the XP disc directly. It runs through the registry and just stops halfway through and locks up again.
How do I completely reformat the hard drive and start from scratch? Can someone help me?
Put your reinstallation CD in the drive, reboot...you should be prompted to boot from the hard drive...once it does that just follow the installation instructions.
Hoo Hoo Howie
12-31-2005, 03:59 PM
Thanks blazin. I'll give it a shot and see what happens.
Clocktower
12-31-2005, 05:10 PM
We did a proof of concept in our test lab yesterday, and this is actually a pretty cool little exploit.
We were able to get a remote shell with a single wmf file embedded in a web page. Totally silent to the user. Also, current Norton virus defs do NOT catch it. Very nice.
There is a workaround to mitigate the risk of the exploit. On Microsoft's security bulletin, there is a DLL you can unregister that will stop the exploit. Not a fix, but a temporary solution.
NamesAreTaken
12-31-2005, 11:24 PM
We did a proof of concept in our test lab yesterday, and this is actually a pretty cool little exploit.
We were able to get a remote shell with a single wmf file embedded in a web page. Totally silent to the user. Also, current Norton virus defs do NOT catch it. Very nice.
There is a workaround to mitigate the risk of the exploit. On Microsoft's security bulletin, there is a DLL you can unregister that will stop the exploit. Not a fix, but a temporary solution.
I looked around on the MS site, but didn't see this site - do you have a link? I must have missed it.
Not sure how well you guys know the Something Awful Forums, but it's one of the largest forums on the internet. Some dolt from there put an infected file in his sig picture - you can imagine the results. Hundreds of people got infected. That forum has 70k+ members...can you imagine the implications of something like this?
Clocktower
12-31-2005, 11:38 PM
http://www.microsoft.com/technet/security/advisory/912840.mspx
This link is from MS. It describes the details, and a viable workaround until an actual fix is available. This is interesting, because the patch (05-053) was updated last month, but this exploit is affecting the same element. Nice to see the hackers are staying one step ahead of MS for the same problem.
Illegal Joe
12-31-2005, 11:38 PM
Check out Steve Gibson's website (http://www.grc.com/sn/notes-020.htm) (grc.com). Steve is a security guru and now has 2 methods of disabling this security hole in windows.
NamesAreTaken
01-01-2006, 12:06 AM
Check out Steve Gibson's website (http://www.grc.com/sn/notes-020.htm) (grc.com). Steve is a security guru and now has 2 methods of disabling this security hole in windows.
I wonder if this was a marketing scheme by some brilliant mind at an AV company? I was using AVG Free, but this scared me and made me think in general AV protection is something I should spend money on...so I bought Norton 2006.
If I turn off all images in my browser...will I be ok? Also, I read the above post from someone detailing what happened when they got it - would it be that obvious if I had it?
angrybeerguy
01-01-2006, 12:43 AM
How do I make a partition on my hard drive for a copy of Ubuntu Linux? thx
Wackbag.Com
01-01-2006, 02:57 AM
Protect your computer NOW, Immediate temp fix available. (link at bottom of post)
Ilfak Guilfanov, well known in "reverse engineering" circles for his wildly popular IDA Disassembler, needed a temporary patch for his own system due to the seriousness of the WMF vulnerability (see RED box below) . . . so he wrote one!
Download Ilfak's Temporary WMF Patch
291 kb — for Windows 2000, XP, 64-bit XP and 2003 server
http://www.grc.com/sn/notes-020.htm
This safely and "dynamically patches" the vulnerable function in Windows to neuter it and, after rebooting, renders any Windows 2000, XP, 64-bit XP and 2003 systems completely invulnerable to exploitation of the Windows Metafile vulnerability.
Please Note: Unlike the "DLL unregister" recommendation offered by Microsoft (see RED box below) Ilfak's patch completely eliminates the vulnerability. Therefore, until Microsoft is able to update and repair their vulnerable GDI32.DLL, this is what you should use. You do NOT need to unregister the DLL as described in the RED box below.
http://www.grc.com/sn/notes-020.htm
Illegal Joe
01-01-2006, 10:36 PM
I wonder if this was a marketing scheme by some brilliant mind at an AV company? I was using AVG Free, but this scared me and made me think in general AV protection is something I should spend money on...so I bought Norton 2006.
If I turn off all images in my browser...will I be ok? Also, I read the above post from someone detailing what happened when they got it - would it be that obvious if I had it?
Norton.... ugh... That program has become far too bloated with "extra" features. Not to mention that if something does get through, one of the first things many do is to look for Norton and McAfee and if they are found, they shut it down. There are 3 free AV programs that are pretty good.. AVG, AVAST, and ANTIVIR. I like NOD32.. it is lesser known, and a relative lightweight on my CPU.
Clocktower
01-01-2006, 11:39 PM
Sophos is a good one too. We used to use it a couple of jobs ago. Real nice interface to admin workstations.
calmo el hacko
01-02-2006, 12:21 AM
so i'm guessing this is what spyaxe is. more of an annoyance that anything else. who ever comes up with this shit should have their daughter fucked by a big knitter like in traffic.
News (http://abcnews.go.com/Technology/ZDM/story?id=1466666)
AVG is not that helpful for this one.
Jonkeu
01-05-2006, 03:32 PM
A PC here at my job got hit with this. Brought the pc to its knees. What was interesting about it was that every time he would boot his pc it would bring down my unix print spooler! WTF is that about?
MS has created a patch to fix this exploit:
http://windowsupdate.microsoft.com/