Posts posted by WDGC

  1. About a week ago I downloaded PsTools 2.24 from the Sysinternals website:

    http://www.sysinternals.com/index.html

    The latest avast! A-V update [0602-3, 13/01/06] reports Win32:Doomber-C [Wrm], which it calls a Virus/Worm, as being present in psinfo.exe, which is a component of PsTools 2.24.

    Prior to the 0602-3, 13/01/06 update, avast! did not detect this "virus/worm" and nor do any other scanning programs I use - Ad-Aware, Spybot, MSASW, ewido, Webroot Spy Sweeper, all with latest definitions.

    It seems highly unlikely a program from a site of the eminence and standing of Sysinternals would contain a virus/worm.

    Is this detection a false positive?

    Any information regarding this matter would be appreciated.


  2. start -> run -> CMD

    systeminfo

    So it does! Thank you.

    I took the "Systeminfo" of the post title - It was titled "Systeminfo in xp doesn't tell me my uptime" - to be an abbreviation of "System Information" [With Win. XP, Run > winmsd > System Information System > Summary] not being aware Run > CMD > systeminfo gave various information about the OS - including that to which the writer referred.

  3. With Win. XP at System Information [Run > winmsd], System Summary, should there be an entry "System Up Time:"?

    I've just read a post at another site which wonders why the entry reads "System Up Time: N/A", and what the remedy is.

    On my system - XP Pro SP2 - there isn't a "System Up Time:" entry at all.

    I hope someone can shed light on this matter.


    Title Edited - Please follow new posting rules from now on.

    --Zxian

  4. F-Secure

    Sunday, January 1, 2006

    Bad behaviour Posted by Mikko @ 00:49 GMT

    We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.

    It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.

    Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.

    http://www.f-secure.com/weblog/archives/ar...6.html#00000758


  5. F-Secure weblog Saturday, December 31, 2005:

    First worm using the new WMF vulnerability has been found. This is what we were afraid of. Thankfully it doesn't seem to be too bad.

    We only have second hand reports of this case so far. It's an MSN Messenger worm sending links to an image file (link ending with "xmas-2006 FUNNY.jpg"). The link actually contains a web page with a malicious WMF file. F-Secure Anti-Virus does detect the WMF file in question with our generic detection.

    Here's an alternative way to fix the WMF vulnerability.

    Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

    The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.

    http://www.f-secure.com/weblog/


  6. Firstly, most virus software will already protect you. This flaw was discovered on Nov 8th and I see that Symantec added this on Nov 11th. Chances are every virus app has this protection by now, it has been like 6 weeks.

    The flaw might have been discovered then, but I understand it's only since 27-28th Dec. that there has been "Windows WMF 0-day exploit in the wild".

    I think this article makes interesting and possibly helpful reading:

    Days after the revelation of a flaw in Windows' handling of WMF graphics files, dozens of exploits are being spread from thousands of adware sites. But good protection is available.

    At the same time, further testing confirms that a workaround issued by third parties and endorsed by Microsoft Corp. is effective in most regards, and in the most important circumstances, but not in all. Also, the workaround has side effects that could prove troublesome.

    AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

    * Alwil Software (Avast)

    * Softwin (BitDefender)

    * ClamAV

    * F-Secure Inc.

    * Fortinet Inc.

    * McAfee Inc.

    * ESET (Nod32)

    * Panda Software

    * Sophos Plc

    * Symantec Corp.

    * Trend Micro Inc.

    * VirusBuster

    These products detected fewer variants:

    * 62 — eTrust-VET

    * 62 — QuickHeal

    * 61 — AntiVir

    * 61 — Dr Web

    * 61 — Kaspersky

    * 60 — AVG

    * 19 — Command

    * 19 — F-Prot

    * 11 — Ewido

    * 7 — eSafe

    * 7 — eTrust-INO

    * 6 — Ikarus

    * 6 — VBA32

    * 0 — Norman

    The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.

    The latter technique leaves users vulnerable to threats that the vendor has not yet identified and protected against. Mikko Hypponen of F-Secure, when asked about the matter, said, "Heuristic detection rocks."

    After some concern was expressed about the efficacy of the workaround proposed by third parties and endorsed by Microsoft, it appears that it is basically effective at preventing exploitation in the most common circumstances, but not in all.

    Anti-Virus Protection for WMF Flaw Still Inconsistent


  7. Apparently not.

    [Excerpt]

    Microsoft Security Advisory (912840)

    Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

    Published: December 28, 2005

    Suggested Actions

    Workarounds

    Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

    Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

    To un-register Shimgvw.dll, follow these steps:

    1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

    To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

    http://www.microsoft.com/technet/security/advisory/912840.mspx


  8. F-SECURE

    Thursday, December 29, 2005

    WMF, day 2

    ---

    And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.


    So far, we've only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I'm afraid we'll see real viruses using this soon.

    ---

    http://www.f-secure.com/weblog/archives/ar...5.html#00000754


  9. There seems to be considerable concern about the recently discovered "Windows WMF 0-day exploit" as apparently "fully patched Windows XP SP2 machines are vulnerable, with no known patch."

    TechSpot

    At an Ars Technica forum I came across these 2 suggested solutions until an MS patch is available:

    1. Might be a good idea to go into Windows Explorer and disable all handling of WMF files.

    2. Another solution until a patch comes out:

    regsvr32 /u \windows\system32\shimgvw.dll

    This will remove Windows Explorer's capability to display images (thumbnails of gif, jpg, and such, including WMF). Windows Picture and Fax Viewer won't work either, and some other stuff will break, like previewing desktop images in Display Properties... after a patch comes out, do this:

    regsvr32 \windows\system32\shimgvw.dll

    And things will be back to normal.

    Ars Technica

    Would either of these suggestions be effective and are they really necessary?


    Title Edited - Please follow new posting rules from now on.

    --Zxian
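    The regsvr32 workaround quoted in posts 7 and 9 above only helps if it actually took effect, so an administrator wants a way to verify the state of the machine rather than trust the dialog box. The following PowerShell script is an added example, not code from the thread, Microsoft or Ars Technica: it walks HKCR\CLSID and reports every COM class whose InprocServer32 still points at shimgvw.dll. No hits means the un-register step is in effect; hits mean the viewer is (still, or again) registered. It assumes a Windows host with the registry provider available, and it only reads the registry.

```powershell
# Added example: verify whether "regsvr32 -u shimgvw.dll" is currently in
# effect by looking for CLSID entries whose InprocServer32 names that DLL.
# Read-only; it never registers or un-registers anything.

$dllName = 'shimgvw.dll'
$hits    = @()

# HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, so one walk
# covers both machine-wide and per-user registrations.
$clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'

foreach ($clsid in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
    $inprocPath = Join-Path $clsid.PSPath 'InprocServer32'
    $inproc = Get-ItemProperty -Path $inprocPath -ErrorAction SilentlyContinue
    if ($null -eq $inproc) { continue }          # class has no in-process server

    # The unnamed (default) value holds the server DLL path; it may be stored
    # as an expandable string such as %SystemRoot%\system32\shimgvw.dll.
    $server = [string]$inproc.'(default)'
    if ($server -like "*$dllName") {
        $hits += [pscustomobject]@{ CLSID = $clsid.PSChildName; Server = $server }
    }
}

if ($hits.Count -eq 0) {
    Write-Output "$dllName has no CLSID registrations: the un-register workaround appears to be applied."
} else {
    Write-Output "$dllName is still registered under $($hits.Count) CLSID(s); the workaround is NOT in effect:"
    $hits | Format-Table -AutoSize
}
```

    Run it before and after the regsvr32 step to confirm the change, and again after a vendor patch is installed to confirm the viewer has been re-registered.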

  10. Further to my other posts, yesterday I started another of my - mothballed - computers. This machine, Xp Home Edit. SP2, has not been used since mid-July - 5 months.

    I ran an Ad-Aware scan with the existing [old] definitions and nothing was found. I then applied all necessary MS updates from a CD, connected to the internet [dial-up], updated the A-V program, updated Ad-Aware [SE1R82 19.12.2005] and scanned the system with Ad-Aware.

    The result was exactly the same as with the every-day-used machine:

    Name:Spyware.AdvancedKeyLogger

    Category:Spyware

    Object Type:Process

    Size:-

    Location:C:\Program Files\Sygate\SPF\tse.dll

    Last Activity:25-12-2005 1:53:46 AM

    Relevance:High

    TAC index:10

    Comment:(CSI MATCH)

    Description:Spyware.AdvancedKey is a keylogger that monitors clipboard contents, and takes desktop screenshots.

    Last Activity:25-12-2005 1:53:46 AM is interesting - the system hadn't been running for 5 months until 9:30:01 AM, 25/12/2005

    [Event Viewer, System entry]

    Event Type: Information

    Event Source: EventLog

    Event Category: None

    Event ID: 6005

    Date: 25/12/2005

    Time: 9:30:01 AM

    User: N/A

    Computer: WDGR

    Description:

    The Event log service was started.

    I then subjected the system and tse.dll to the same tests and scans as reported before, with the same results - all clear.

    The 2 computers referred to have never been connected or linked in any way. The Sygate installation on each is exactly the same - installed from the same CD to which I had written a copy of Sygate 5.5.2525 on 25/01/2004.

    Whilst these results don't prove the Spyware.AdvancedKeyLogger detection is a false positive, I believe they further strengthen the evidence that such is the case.


  11. I notice in my Firefox 1.5 profile folder there is a file, bookmarks.html.sbsd.bak.

    After a search with Google and a search of Mozillazine Forums I understand this to be a Spybot Search & Destroy backup file of my Firefox bookmarks. I posted on the Spybot forum 5 days ago but have not elicited a response.

    When I delete the file it is recreated after ANY deletion made with Spybot SD 1.4.

    What is the reason for this file as I've never used Spybot SD to delete a Firefox bookmark?

    Why is this backup file placed in the profile folder of another application and not - if it need be created at all - in the Spybot SD Recovery folder, or some such similar?

    I hope at least someone has knowledge of this matter as, thus far, I've had a singular lack of success in finding out anything at all.


  12. ... Ad-Aware... the software is known to flag legitimate applications as viruses and spyware.

    Since my last message I have sent the "1 New Critical Objects found" file - Location:C:\Program Files\Sygate\SPF\tse.dll - for online scanning at Virusscan and Virustotal.

    Each reported tse.dll to be uninfected.

    Ad-Aware continues to give the notification " Scan Complete, Summary: 1 New Critical Objects found", but I think this is almost certainly a false positive.

    Your assertion "the software is known to flag legitimate applications as viruses and spyware." seems highly likely in this case.

    Virusscan

    Virustotal
