  ZZZZZZZ Premium join:2001-05-27 PARADISE | reply to NICK ADSL UK Re: Microsoft Security Advisory (935423) Vulnerability in Window
OMG....the sky is falling!  |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to NICK ADSL UK Highlights ....Where did it all start and who was the Author ?
worm.whboy
Users will know their systems are infected by the worm.whboy if their executable file icons turn into images of pandas with burning joss sticks. [Photo: pconline.com.cn]
Five-star cyber worm comes 2007-01/17 »www.chinadaily.com.cn/citylife/2···5644.htm
Sophos downplays 'panda' virus January 19 2007 »www.zdnetasia.com/toolkits/0,390···p,00.htm
Anti-Worm.WhBoy Software Put Into Trial Operation March 30, 2007 Li Jun, the creator of the rampant computer virus Worm.Whboy, has produced an anti-virus software to kill Worm.Whboy and put it into use on a trial basis on some Chinese websites.
Li has also attached a letter to the software in which he apologizes to netizens for the harm this virus has done to them. However, Li has not given details on the dependability of the anti-virus software.
Originating in Wuhan, the virus received the first five-star severity rating ever issued by the Shanghai Information Technology Service Center because it could attack local area networks in government bureaus and companies and damage their programs and databases. The worm was most destructive about three months ago, but it is still causing problems.
»www.chinatechnews.com/2007/03/30···eration/
Mcafee Input...
The W32/Fujacks.worm was first discovered on December 28, 2006. Detection was added for this new variant on January 17, 2007, which includes coverage for the threat specified in the article listed below.
This threat is considered to be a Low-Profiled risk due to media attention at: »www.chinadaily.com.cn/citylife/2···5644.htm --
Upon execution, the worm drops a copy of itself in %SYSTEM%\drivers folder as spoclsv.exe and executes from there.
»vil.nai.com/vil/content/v_141204.htm
W32/Fujacks!htm »vil.nai.com/vil/content/v_141161.htm The computer may become slow and may occasionally reboot due to the infection of the executable files. For the W32/Fujacks!htm infected files, they will have an iframe in the last line of the files.
The W32/Fujacks virus will search several different vectors to find these types of files so it can infect them: - htm - html - asp - php - jsp - aspx - EXE - SCR - PIF - COM
****************************************
And if you want another good look at the chain of events.. Harry Waldron does an excellent job of that over at CofU site.
http://www.dozleng.com/updates/index.php?s=3ed00a07ba70bb9553f687452a5510c2&showtopic=13805 -- Gladiator Security Forum http://www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ |
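As an added defender-side example (not code from the thread, McAfee or any of the linked write-ups), a Python triage scan for the two Fujacks/Whboy indicators quoted above: an iframe on the last line of web files, and a spoclsv.exe sitting in a drivers folder. The directory tree and file contents it builds are constructed for the demo, and the iframe src is a placeholder.

```python
# Added example (not from the thread or McAfee's write-up): a defender-side
# triage scan for the two Fujacks/Whboy indicators quoted above. Paths and
# sample file contents below are constructed for the demo.
import os
import re
import tempfile

WEB_EXTS = {".htm", ".html", ".asp", ".php", ".jsp", ".aspx"}
IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)
DROPPER_NAME = "spoclsv.exe"  # name the worm used under %SYSTEM%\drivers


def last_line_has_iframe(path):
    """True if the final non-blank line of the file contains an <iframe> tag."""
    with open(path, "rb") as fh:
        lines = [ln for ln in fh.read().splitlines() if ln.strip()]
    return bool(lines) and IFRAME_RE.search(lines[-1]) is not None


def scan_tree(root):
    """Walk root; return (web files with a trailing iframe, dropper candidates)."""
    tainted, droppers = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in WEB_EXTS and last_line_has_iframe(full):
                tainted.append(full)
            # Flag the dropper name only when it sits directly in a 'drivers' directory.
            if name.lower() == DROPPER_NAME and os.path.basename(dirpath).lower() == "drivers":
                droppers.append(full)
    return sorted(tainted), sorted(droppers)


def build_sample_tree():
    """Constructed sample: one clean page, one page with an appended iframe, one dropper."""
    root = tempfile.mkdtemp(prefix="fujacks_demo_")
    os.makedirs(os.path.join(root, "web"))
    os.makedirs(os.path.join(root, "system32", "drivers"))
    with open(os.path.join(root, "web", "clean.html"), "wb") as fh:
        fh.write(b"<html><body>hello</body></html>\n")
    with open(os.path.join(root, "web", "infected.htm"), "wb") as fh:
        fh.write(b"<html><body>hello</body></html>\n"
                 b'<iframe src="http://PLACEHOLDER.invalid/" width=0 height=0></iframe>\n')
    with open(os.path.join(root, "system32", "drivers", "spoclsv.exe"), "wb") as fh:
        fh.write(b"placeholder bytes, not a real executable")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Point scan_tree at a web root or a system directory to triage a real box; the match on the iframe is deliberately loose, so treat hits as candidates for manual review.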
  SpannerITWks Premium join:2005-04-22 | reply to ModemHead Re: Microsoft Security Advisory (935423) Vulnerability in Window
ModemHead
Thanx for the info !
Spanner |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to astirusty
said by astirusty:
said by Name Game: You might wonder how they were able to get the update out so quickly considering it was first used in exploits late last week. ... Until Microsoft has released the update, ...
**********************************
The problem out there is just like always. There are thousands if not millions of users that fit in the category of running pirated copies of Microsoft Software who never updated and added ...
I don't understand the connection. If MS has known about it for 3 months, and only now gets around to providing a fix; how are the pirated copies or never updated copies the problem. Maybe you mean that even though a fix (patch) is finally provided by MS, the pirated copies and non-updaters will still be a food-supply for Bot-nets?
And worm in this case..
The problem out there is just like always. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
 astirusty Premium join:2000-12-23 Henderson, NV
·AT&T Southwest
| reply to Name Game
said by Name Game: You might wonder how they were able to get the update out so quickly considering it was first used in exploits late last week. ... Until Microsoft has released the update, ...
**********************************
The problem out there is just like always. There are thousands if not millions of users that fit in the category of running pirated copies of Microsoft Software who never updated and added ...
I don't understand the connection. If MS has known about it for 3 months, and only now gets around to providing a fix; how are the pirated copies or never updated copies the problem. Maybe you mean that even though a fix (patch) is finally provided by MS, the pirated copies and non-updaters will still be a food-supply for Bot-nets? |
 daveinpoway Premium join:2006-07-03 Poway, CA
| reply to daveinpoway AV is (was) Avast. You're right that I could have installed the patch, but the lure of Blink protecting you against future zero-day stuff was strong.
Anyway, I am now using Blink Personal Edition, for which eEye offers a free 1-year license (I don't know if you can renew it for free when it expires, but I'll concern myself with that next April). So, I removed Zone Alarm Pro, Avast and some other anti-malware stuff from my system. One thing I see is that BPE scans much faster than Avast. Avast took about 2.5 hours to scan my C drive, but BPE does a full scan in a little more than an hour. |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to NICK ADSL UK F-Secure Lab
"Microsoft has announced that it will release an update for the ANI vulnerability on Tuesday the 3rd of April. This is a week early as they usually release security patches on every second Tuesday of the month but as there is an increasing activity of sites and malware using the ANI vulnerability, they decided to release it early.
You might wonder how they were able to get the update out so quickly considering it was first used in exploits late last week. The issue of the ANI vulnerability was actually brought to Microsoft's attention back in December 2006 according to their Security Response Blog and they've been investigating and working on a fix since then.
Until Microsoft has released the update, you can count on us to continue adding detection for known versions of the ANI exploit and worms."
»www.f-secure.com/weblog/archives···00001159
**********************************
The problem out there is just like always. There are thousands if not millions of users that fit in the category of running pirated copies of Microsoft Software who never updated and added to that are those who own the software but refuse to update..I see people out there not even with SP1 much less SP2 for XP.
The media does not help on all this either..when it all started all they could lick their lips on..was reporting there was now a vulnerability/exploit for VISTA and rag on that for a few days.  -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to Sindows 7 Read the ZERT explanation. You are right that there was a similar exploit in 2005. ZERT explains very well how this new one came about and points out that Microsoft was derelict in duty in that this one could have been avoided if they had checked the entire code for ANI two years ago. |
  Sindows 7
join:2006-09-13 Hope, BC
| reply to ModemHead
said by ModemHead: It appears that the ZERT site is mirrored (as per Bob above) and the cursor files that are embedded referenced in the POC test page do not exist on one of the mirrors (as of 10pm EDT). The working test page is: » zert.isotf.org/tests/testani.htm The non-working test page is: » isotf.org/zert/tests/testani.htm The non-working test page will never do anything but tell you that you are not vulnerable, even if you are. The ZERT people seem to be a little confused, I wouldn't recommend loading any patches from there at this time...
Hey I clicked the links and IE crashed or closed. I use .ani files for my mouse and cursors, I got them from win95 days...........what does this all mean? I thought this was discussed before too a couple years back. »Do You Trust Your Browser... »www.microsoft.com/technet/securi···002.mspx and »Followup -- ASUS A7N8X2.0 Dlx NFORCE2 Ultra400 Athlon XP 3200+ Barton @2.20 GHz Corsair TWINX1024-3200C2PT @2-3-3-6-400Mhz DDR DualChannel ATI 1650Pro 512MB SB Live! 5.1 Windows Vista 5744 IE 7 DI-604 Router Telus 6.0 APC BackUPS 450 |
 Just Bob Premium join:2000-08-13 Spring Hill, FL
| reply to NICK ADSL UK Apparently the critical update scheduled for April 3 is a patch for the ani exploit.
»blogs.technet.com/msrc/archive/2···423.aspx
It only stands to reason, as I just installed the zert patch.  |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to planet Poor guy..hope someone lets him know the score with his AV and what to do next.  -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
  ModemHead hmmm... what does this do? Premium join:2006-01-22 Apex, NC | reply to NICK ADSL UK Official patch due on Tuesday 3-Apr
»MS Security Bulletin Advanced Notification for 4/3/2007 |
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to Name Game Re: Microsoft Security Advisory (935423) Vulnerability in Window
I have been reading for five hours and almost all of that time has been on this! I still haven't read the F-Secure link..will do, but time for a bit of a break. Avira just updated and has a new engine and detects this now heuristically. (But their information pages are somewhat incorrect and some are in German only and Google translation is not very helpful).  |
  planet
join:2001-11-05 Olmsted Falls, OH | reply to ModemHead From Wilders: »www.wilderssecurity.com/showthre···t=170459 |
  ModemHead hmmm... what does this do? Premium join:2006-01-22 Apex, NC
| reply to SpannerITWks
said by SpannerITWks: What I found strange was that a " Security " www would require you to have Flash and Active Scripting and/or ActiveX enabled ?
The link you followed from the test page to get a flash-based page is isoft. The original site is isotf. Typo?
These ZERT folks sure do have a lot of problems. But they are linked from SANS. |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to NICK ADSL UK spanner,
correct..that is just their way of playing around to make people happy..so do not get the impression that activeX or flash is any part of what is out there. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to Mele20
said by Mele20: OK. If the information is updated then good to post that but I don't see why it has to be posted from the FSecure link. What was wrong with my original link and just indicating that had been updated? But I don't want to split hairs...as I said repeating stuff in these forums seems to be a necessity for a variety of reasons.
You already split hairs and did not even read the links, much less the F-Secure write-up at the first or second link posted; when you finally do, it will answer your own question. Settle down..and spend some time reading rather than training anyone how to post. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
  SpannerITWks Premium join:2005-04-22
| reply to NICK ADSL UK Tested with IE6 on 98SE -
No crash, no problems !
What I found strange was that a " Security " www would require you to have Flash and Active Scripting and/or ActiveX enabled ?
As I don't have those things enabled by default, I didn't see anything.
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks |
  ModemHead hmmm... what does this do? Premium join:2006-01-22 Apex, NC
| reply to Mele20 The cursor files (there are two) at ZERT are not quite so potent. They immediately crashed IE6 on my fully-patched XP Pro SP2 system. But they had no effect on Windows Explorer, even when I changed the extensions from JPG to ANI. No hung threads with open handles in Explorer either, as with the other POC from last night that you had so much fun with.
Also, this ZERT POC page has zero effect on Firefox 2.0.0.3. The CSS code is actually syntactically incorrect, so Fx doesn't even attempt to get the cursor files. |
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to Name Game OK. If the information is updated then good to post that but I don't see why it has to be posted from the FSecure link. What was wrong with my original link and just indicating that had been updated? But I don't want to split hairs...as I said repeating stuff in these forums seems to be a necessity for a variety of reasons. |