
Warning - Windows 0-day exploit in the wild

Discussion in 'United Kingdom' started by Darth_MacDaddy, Dec 28, 2005.

Thread Status:
Not open for further replies.
  1. Darth_MacDaddy

    Darth_MacDaddy Jedi Padawan star 4

    Registered:
    Apr 10, 2003
    Being a good netizen, I thought I would bring this to the attention of FFUK members who are running Windows XP:

    Secunia Advisory - Note: Rated Extremely Critical

    SANS Handler Diary

    An HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound, a fake anti-spyware/virus program which asks the user to purchase a registered version of the software in order to remove the reported threats.

    Be wary!

    [face_monkey]
     
  2. Mustafar_66

    Mustafar_66 Force Ghost star 6

    Registered:
    May 20, 2005
    Okay. What was that in English?
     
  3. Darth_MacDaddy

    Darth_MacDaddy Jedi Padawan star 4

    Registered:
    Apr 10, 2003
    Windows XP has a problem (one of many), and as of yet there are no remedies.

    If you use Internet Explorer you are advised to set your internet security settings to high, and be wary of opening files with the extension ".wmf" from sites you are not familiar with.

    Oh, and don't worry!!

    [face_monkey]
     
  4. timbolton

    timbolton Jedi Grand Master star 5

    Registered:
    Mar 14, 2003
    An HTML file runs another WMF (Windows meta file) that executes a Trojan dropper on a fully patched Windows XP SP2 machine. The dropper then downloads Winhound, a fake anti-spyware/virus program that asks the user to buy a registered version of the software in order to remove the reported threats.

    :D
     
  5. Darth_MacDaddy

    Darth_MacDaddy Jedi Padawan star 4

    Registered:
    Apr 10, 2003
    Very good!! :p

    [face_monkey]
     
  6. timbolton

    timbolton Jedi Grand Master star 5

    Registered:
    Mar 14, 2003
    Google is really my girlfriend you know :p
     
  7. Mustafar_66

    Mustafar_66 Force Ghost star 6

    Registered:
    May 20, 2005

    [face_plain]
     
  8. TK_Four_Two_One

    TK_Four_Two_One Jedi Grand Master star 5

    Registered:
    Jun 17, 2002
    Thanks, Chief! This must be something similar to the 'Spyaxe' capers!?
     
  9. Darth_MacDaddy

    Darth_MacDaddy Jedi Padawan star 4

    Registered:
    Apr 10, 2003
    Well, this Winhound certainly appears to hijack your system like the SpyAxe program. It was only added to SpywareWarrior on the 29/11/05, so is a relative newbie to the scene.

    I suppose the alarming thing about this Windows vulnerability is that exploit code is publicly available, so I wouldn't be surprised to see things starting to circulate the web in the coming days or so.

    Also, another warning to those who use MSN Messenger: if you receive an IM or e-mail inviting you to download the beta version of MSN 8, don't. It's a virus that sends download links to a computer user's MSN Messenger buddies, and it also connects your machine to a botnet server that can be used as a computer that is controlled remotely to attack other machines or send spam.

    A lovely day to be on the net!

    [face_monkey]
     
  10. Jedi_Nath

    Jedi_Nath Jedi Knight star 5

    Registered:
    Mar 30, 2005
    Trick is not to use a computer!!11one!11z0r!111
     
  11. Cobranaconda

    Cobranaconda Jedi Grand Master star 7

    Registered:
    Mar 3, 2004
    This is why I want a Mac...
     
  12. Lord-Wiz

    Lord-Wiz Jedi Padawan star 4

    Registered:
    May 20, 2005
     
  13. FatBurt

    FatBurt Sex Scarecrow Vanquisher star 6

    Registered:
    Jul 21, 2003
    I knew there was a reason I was debating going to Linux

    [face_plain]
     
  14. Darth_MacDaddy

    Darth_MacDaddy Jedi Padawan star 4

    Registered:
    Apr 10, 2003
    That is actually the only solution!!

    Be prepared for an experience!! It's like being in a foreign country with no understanding of the language, the culture or where you are. Most distros will allow you to put Linux on a partition alongside Windows - I recommend this since you can at least go back to Windows for situations you're not familiar with.

    This story is now on the BBC Website: Here

    [face_monkey]
     
  15. Darth_MacDaddy

    Darth_MacDaddy Jedi Padawan star 4

    Registered:
    Apr 10, 2003
    FYI,

    Microsoft have now released a patch for the WMF vulnerability. Those with Automatic Updates enabled will receive the update today. For those with Automatic Updates disabled you can go here to download the relevant update for your system - THIS IS HIGHLY RECOMMENDED.

    For a look at how easy it is to be infected with this exploit see: here.

    Incidentally, for those running Windows 98 or ME, there is currently no patch available for this issue since there is no immediate problem or known exploits available for these OSes; however, the flaw is still present. This is not to say there won't be problems in the future for 98 and ME users.
     
  16. Moylesy

    Moylesy Jedi Padawan star 4

    Registered:
    Jul 4, 2001
    I never have problems with virii, etc as I'm not connected to the internet.
     
  17. Darth_Daver

    Darth_Daver Jedi Knight star 5

    Registered:
    Jan 23, 2005
    I got the automatic update the other day.
     
  18. TK_Four_Two_One

    TK_Four_Two_One Jedi Grand Master star 5

    Registered:
    Jun 17, 2002
    I got a Billy Connolly CD the other day.
     
  19. Darth_Daver

    Darth_Daver Jedi Knight star 5

    Registered:
    Jan 23, 2005
    Does it work on Windows 98?
     
  20. Jedi_Nath

    Jedi_Nath Jedi Knight star 5

    Registered:
    Mar 30, 2005
    The exploit works on ALL windows.
     
  21. Jedi_Loon

    Jedi_Loon Jedi Knight star 5

    Registered:
    Oct 15, 2002
    Even with double glazing?! :eek:
     
  22. Jedi_Nath

    Jedi_Nath Jedi Knight star 5

    Registered:
    Mar 30, 2005
  23. Darth_MacDaddy

    Darth_MacDaddy Jedi Padawan star 4

    Registered:
    Apr 10, 2003
    The flaw exists in the SHIMGVW.DLL file which exists in Windows 98. However at this moment in time it is not considered a problem for Windows 98 or ME users (reference: the Secunia advisory states this vulnerability affects Windows 2000/XP/2003 Server Edition). In addition, Microsoft have not issued a patch/fix for 98 or ME because it is not considered a problem to these OSes.

    Incidentally, the vulnerability can be exploited locally if an infected file is executed from Windows Explorer, so updating Windows is essential.

    The BBC have even covered the early release of the fix for this vulnerability: Here.

    [face_monkey]
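Since the advice in this thread is to be wary of files with the ".wmf" extension, the check a defender actually wants is one that recognises WMF content by its header regardless of the file name. The following is an added example, not code from the thread or from the Secunia/SANS advisories it links; the header and record constants come from the Windows Metafile format, and the Escape/SETABORTPROC record it flags is the record type public analysis of this flaw pointed at (an assumption added here, the thread itself does not name it), with the sample bytes constructed inline.

```python
import struct

# WMF constants from the Windows Metafile format (assumed here, not from the thread)
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009        # escape sub-function flagged below

def parse_wmf(data: bytes) -> dict:
    """Recognise WMF content by its header, not its extension, and walk its records."""
    result = {"is_wmf": False, "placeable": False, "escapes": []}
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        result["placeable"] = True
        off = 22                                  # skip the 22-byte placeable header
    if len(data) < off + 18:
        return result
    mt_type, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return result                             # not a plausible METAHEADER
    result["is_wmf"] = True
    off += 18
    while off + 6 <= len(data):                   # each record: size in words, function
        rd_words, func = struct.unpack_from("<IH", data, off)
        if rd_words < 3 or func == META_EOF:      # malformed size or end-of-file record
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            result["escapes"].append(struct.unpack_from("<H", data, off + 6)[0])
        off += rd_words * 2
    return result

def flag_wmf(data: bytes) -> bool:
    """True when the bytes are a WMF carrying an Escape/SETABORTPROC record."""
    info = parse_wmf(data)
    return info["is_wmf"] and SETABORTPROC in info["escapes"]

def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

# Constructed samples: a METAHEADER, one record, then the EOF record.
_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
_EOF = _record(META_EOF, b"")
BENIGN_WMF = _HEADER + _record(0x0103, struct.pack("<H", 1)) + _EOF      # META_SETMAPMODE
SUSPECT_WMF = _HEADER + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4) + _EOF
PLACEABLE_WMF = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + SUSPECT_WMF

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF), ("html", b"<html>")]:
        print(name, parse_wmf(blob), flag_wmf(blob))
```

The file name is deliberately ignored, so a renamed metafile is still recognised; an email gateway or download scanner would run this over the raw bytes.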
     
  24. Darth_Daver

    Darth_Daver Jedi Knight star 5

    Registered:
    Jan 23, 2005
    I meant TK's Billy Connolly CD :p
     
  25. Darth_MacDaddy

    Darth_MacDaddy Jedi Padawan star 4

    Registered:
    Apr 10, 2003
    Lol!

    Well probably not then! :p

    [face_monkey]
     