jbob | reply to jp10558
Re: Windows MetaFiles still vulnerable
That would seem likely, but who knows. I have read that BOClean already had this trojan covered over a month ago. If it all starts with a simple trojan being downloaded, then that would seem simple enough to take care of, but I'm not so sure that is all that is happening. Does the exploit cause the trojan download to be attempted using FTP, or is the exploit code opening up another hole?
I am reading this from a user on GRC. The question was asked, "Now all we need to find out is if the action of right-clicking it can infect the system?"
said by Not John Lennon: It appears it can. On my test system so far, all I can get it to do is crash and restart the shell (Explorer.exe). It doesn't seem to actually infect the system, and it's doing it (restarting Explorer) just by pointing at the file. No chance to right-click, left-click, swear at it or anything else. Explorer immediately crashes and restarts. Weird. On another system, it infected it when the file was right-clicked. Both systems XP Pro.
I didn't quite understand Red's response to my suggestion about trying it with IrfanView as the default viewer for WMF files.
redxii (Mod) | reply to jbob
said by jbob: I didn't quite understand Red's response to my suggestion about trying it with IrfanView as the default viewer for WMF files.
OK, in short: unless one unregisters shimgvw.dll (doing so didn't require a restart for me), it is going to execute code. I told IrfanView to register WMF and EMF, and they were still able to execute code even outside of IrfanView.
Again, it only runs with the same privileges as the user. -- Open Source -> Close Minded
Microsoft Windows 2000/XP Security: Some Assembly Required.
Excessive use of "$" as in "M$" may make you look like a fool.
prana | reply to jbob
Right-click infected my sandbox.
I have posted all samples and related DLLs to an AV vendor for signatures.
Libra | reply to redxii
said by redxii: Again, it only runs with the same privileges as the user.
REDxII1234, if you don't unregister shimgvw.dll but are running in a limited user account, will you be okay? Also, should I unregister shimgvw.dll in Windows 98SE? Thank you. Sincerely, Libra
redxii (Mod) | reply to Libra
said by Libra: REDxII1234, if you don't unregister shimgvw.dll but are running in a limited user account, will you be okay? Also, should I unregister shimgvw.dll in Windows 98SE? Thank you. Sincerely, Libra
You should be fine, but Explorer will keep crashing, and you wouldn't want to risk accidentally running it in the admin account. Unregister it anyway until it is fixed.
The reason I mentioned that is because Security Focus claims that it will run with SYSTEM privileges, regardless of the logged-on user's privileges. However, I am unable to find such behavior. It always runs with the user's privileges.
Can't comment on 98SE. I don't have a virtual machine for that even though I have the install CD.
Windows 2000 SP4 didn't seem to have any WMF/EMF associations or the picture viewer that XP/2003 has, so it is safe from automagic execution in Explorer or on the web.
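The stop-gap redxii describes in this and the earlier reply (unregistering shimgvw.dll, then re-registering it once a patch ships) as an added PowerShell example; it is not code from the thread or from any poster, and it assumes PowerShell is present on the box and is run from an elevated prompt.

```powershell
# Added example, not from the thread. Checks whether shimgvw.dll (the Windows
# Picture and Fax Viewer library) is still registered as a COM server, and
# applies or reverses the regsvr32 workaround the posters describe.
# Assumes PowerShell is available and the script runs from an elevated prompt.
param(
    [ValidateSet('Status', 'Unregister', 'Register')]
    [string]$Action = 'Status'
)

$dll = Join-Path $env:windir 'system32\shimgvw.dll'

function Get-ShimgvwRegistrations {
    # Walk HKCR\CLSID and return every class whose InprocServer32 default
    # value points at shimgvw.dll; regsvr32 /u removes these entries.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $server) {
                $value = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
                if ($value -and $value -match 'shimgvw\.dll') {
                    New-Object PSObject -Property @{ CLSID = $_.PSChildName; Server = $value }
                }
            }
        }
}

switch ($Action) {
    'Status' {
        $regs = @(Get-ShimgvwRegistrations)
        if ($regs.Count -eq 0) {
            Write-Output 'shimgvw.dll is not registered (workaround is in place).'
        } else {
            Write-Output "shimgvw.dll is registered under $($regs.Count) CLSID(s):"
            $regs | Format-Table -AutoSize
        }
    }
    'Unregister' {
        # Equivalent to the manual step: regsvr32 -u %windir%\system32\shimgvw.dll
        & regsvr32.exe /s /u $dll
        Write-Output "regsvr32 /u exit code: $LASTEXITCODE (0 = success)"
    }
    'Register' {
        # Undo the workaround after the vendor patch is installed.
        & regsvr32.exe /s $dll
        Write-Output "regsvr32 exit code: $LASTEXITCODE (0 = success)"
    }
}
```

Run with `-Action Status` before and after to confirm the registration actually went away; a limited user account still needs an admin context for the regsvr32 steps.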
Libra | reply to redxii
REDXII1234, thank you very much. I unregistered shimgvw.dll on the XP computer. I checked file types in 98SE and I didn't see any WMF or EMF types. I also searched for shimgvw.dll and nothing came up. I imagine when MS makes a fix we should first register the file and then get the update - does it matter? I appreciate your help. Sincerely, Libra