Win32/Exploit.MS04-028

Hi all,

Day before yesterday Nod32 popped up a warning about the above threat.

Here are log entries from Nod32;

Time Module Object Name Threat Action User Information
5/12/2007 14:39:40 PM AMON file C:\Users\Larry\Pictures\Neal\2003\Helen Shaffer's 90th Birthday Party at Sprout's\~onica J. Baker, Cathe M. Baker, & Neal A. Baker.tmp Win32/Exploit.MS04-028 trojan quarantined - deleted Dell-E510\Larry Event occurred on a new file created by the application: C:\Program Files\Windows Media Player\wmplayer.exe. The file was moved to quarantine. You may close this window.
5/12/2007 14:39:37 PM AMON file C:\Users\Larry\Pictures\Neal\2003\Helen Shaffer's 90th Birthday Party at Sprout's\~elen Shaffer, Ike Shaffer.tmp Win32/Exploit.MS04-028 trojan quarantined - deleted Dell-E510\Larry Event occurred on a new file created by the application: C:\Program Files\Windows Media Player\wmplayer.exe. The file was moved to quarantine. You may close this window.

Yesterday, same threat warnings, same logs about the same two files, which are photos.

I've run in-depth scan and normal scan with no results.

Nod32 is reporting that the files are created by Windows Media player. I don't get that either, except that I guess WMP 11 now indexes photos and may interact with Photostory 3.1.

I'm completely at a loss here as to what to do next. I have not deleted these two photos because Nod32 tells me that WMP has actually created the offending files as .tmp files and they are nowhere to be found.

Any enlightement would be very much appreciated!!!

Dell E510
2GB DDR2 SDRAM
250GB Seagate SATA HDD
Windows Vista Ultimate
Nod32 licensed

 

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx This may help

 

Hi monty64,

Thanks for the link. After reading the bulletin you linked, I'm even more confused. It references a couple dozen Microsoft programs with the vulnerability, none of which I have installed. I'm not sure I should install an update, for instance written for XP, on my Vista machine.

Is it possible I'm getting a false positive from Nod32?

Or perhaps there is a new vulnerability in the current batch of Microsoft products? Since Nod32 is reporting that the offending file is "created by Windows Media Player", maybe WMP 11 has a new vulnerability.

The fun just never stops!

 

The fact that it is from 2004 means that it doesn't affect Vista . However these temp files are suspicious . Just wait for a security expert or ESET Moderator to explain better .

In all cases you remained protected

 

Thanks for the reply HiTech boy.

Yes, I agree about the temp files.

So, as you suggest, I'll wait for advice from the experts.