Unpatched Windows Vulnerability

Discussion in 'NOD32 version 2 Forum' started by minceypw, Dec 28, 2005.

Thread Status:
Not open for further replies.
  1. minceypw

    minceypw Registered Member

    Joined:
    Sep 25, 2005
    Posts:
    22
    Latest Secunia bulletin discloses new unpatched Windows vulnerability which is being 'exploited in the wild'.

    http://secunia.com/advisories/18255/

    Question. Pending a Windows Update, is this something NOD can protect us against?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Yep, NOD32 protects you from update 1.1342
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Excellent work Eset!
     
  4. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Last edited: Dec 28, 2005
  5. que sera

    que sera Guest

  6. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
  7. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    That video looks pretty nasty, and I use .wmf files all the time.
    Good thing I can count on NOD.
     
  8. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Here's a fix. However, there's no proof that this fix protects you 100%.
    Just run:

    1) Close any Internet Explorer window.
    2) Start, Run and write: regsvr32 -u %windir%\system32\shimgvw.dll
    This will cause the DLL that is the cause of this vulnerability to be unregistered.

    If you want to register this DLL in question, just write: regsvr32 %windir%\system32\shimgvw.dll
    This fix was suggested by Microsoft.

    Another suggested fix by Microsoft is available on:
    How to Configure Memory Protection in Windows XP SP2
    http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
    Published: December 9, 2004


     
  9. msanto

    msanto Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    214
    OK, but according to Marcos' earlier post, we're already protected by NOD32. Am I right?
     
  10. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Yes, of course. We're protected with NOD32; however, more protection isn't a problem :)

     
  11. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    that's what I said, that's what I said!!! [Data - Goonies, Movie]
     
  12. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    No offence taken, Bubba, but my question is still not answered. According to all that I have read in anti-spyware literature, this is an extremely dangerous flaw in the MS code that allows almost anyone to infect one's computer and then download various trojans (and later viruses). I can understand that Nod32 can detect the exploit (and probably prevent the installation of trojans and viruses), but can Nod32 prevent the exploit itself?
    If everything I am reading on this forum is correct, then if you have Nod32 on your computer, MS does not need to do any updates and it is not necessary to unregister the shimgvw.dll to be protected.
     
  13. Joit

    Joit Guest

    Do not forget, yes, NOD32 detected all of those, and also other anti-virus did, but I still do not think that Kaspersky can compare with NOD32,
    because Kaspersky will always be nr 1 of hot top!
     
  14. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Joit, no offense intended, but this is not the right topic to discuss KAV vs. NOD32.
    jayt, there's NO AV that can protect you 100%. It's humanly impossible.
    Anyway, take a look at the results from VirusTotal for two different WMF exploits:

    Este es el resultado de analizar el archivo "exploit-wmf2.wmf" que VirusTotal ha procesado el dia 31/12/2005 a las 10:07:59 (CET).

    AntiVir 6.33.0.70 30.12.2005 no ha encontrado virus
    Avast 4.6.695.0 30.12.2005 Win32:Exdown
    AVG 718 30.12.2005 no ha encontrado virus
    Avira 6.33.0.70 30.12.2005 no ha encontrado virus
    BitDefender 7.2 31.12.2005 Exploit.Win32.WMF-PFV
    CAT-QuickHeal 8.00 31.12.2005 no ha encontrado virus
    ClamAV devel-20051123 29.12.2005 no ha encontrado virus
    DrWeb 4.33 30.12.2005 no ha encontrado virus
    eTrust-Iris 7.1.194.0 30.12.2005 no ha encontrado virus
    eTrust-Vet 12.4.1.0 31.12.2005 no ha encontrado virus
    Ewido 3.5 30.12.2005 no ha encontrado virus
    Fortinet 2.54.0.0 31.12.2005 no ha encontrado virus
    F-Prot 3.16c 30.12.2005 no ha encontrado virus
    Ikarus 0.2.59.0 30.12.2005 no ha encontrado virus
    Kaspersky 4.0.2.24 31.12.2005 Exploit.Win32.IMG-WMF
    McAfee 4663 30.12.2005 Exploit-WMF
    NOD32v2 1.1347 30.12.2005 variant of Win32/Exploit.WMF
    Norman 5.70.10 31.12.2005 W32/Exploit.Gen
    Panda 9.0.0.4 30.12.2005 Exploit/WMF
    Sophos 4.01.0 30.12.2005 no ha encontrado virus
    Symantec 8.0 31.12.2005 no ha encontrado virus
    TheHacker 5.9.1.064 29.12.2005 no ha encontrado virus
    UNA 1.83 30.12.2005 no ha encontrado virus
    VBA32 3.10.5 30.12.2005 no ha encontrado virus


    Este es el resultado de analizar el archivo "exploit-wmf3.wmf" que VirusTotal ha procesado el dia 31/12/2005 a las 10:12:36 (CET).

    AntiVir 6.33.0.70 30.12.2005 no ha encontrado virus
    Avast 4.6.695.0 30.12.2005 no ha encontrado virus
    AVG 718 30.12.2005 no ha encontrado virus
    Avira 6.33.0.70 30.12.2005 no ha encontrado virus
    BitDefender 7.2 31.12.2005 Exploit.Win32.WMF-PFV
    CAT-QuickHeal 8.00 31.12.2005 no ha encontrado virus
    ClamAV devel-20051123 29.12.2005 no ha encontrado virus
    DrWeb 4.33 30.12.2005 no ha encontrado virus
    eTrust-Iris 7.1.194.0 30.12.2005 no ha encontrado virus
    eTrust-Vet 12.4.1.0 31.12.2005 no ha encontrado virus
    Ewido 3.5 30.12.2005 no ha encontrado virus
    Fortinet 2.54.0.0 31.12.2005 no ha encontrado virus
    F-Prot 3.16c 30.12.2005 no ha encontrado virus
    Ikarus 0.2.59.0 30.12.2005 no ha encontrado virus
    Kaspersky 4.0.2.24 31.12.2005 no ha encontrado virus
    McAfee 4663 30.12.2005 Exploit-WMF
    NOD32v2 1.1347 30.12.2005 variant of Win32/Exploit.WMF
    Norman 5.70.10 31.12.2005 W32/Exploit.Gen
    Panda 9.0.0.4 30.12.2005 Exploit/WMF
    Sophos 4.01.0 30.12.2005 no ha encontrado virus
    Symantec 8.0 31.12.2005 no ha encontrado virus
    TheHacker 5.9.1.064 28.12.2005 no ha encontrado virus
    UNA 1.83 30.12.2005 no ha encontrado virus
    VBA32 3.10.5 30.12.2005 no ha encontrado virus



     
  15. Joit

    Joit Guest

    Yeah yeah, but maybe in this silly test KAV did not detect 100% but only 80%, and it is still good... But maybe in the next test of another variant Kaspersky will detect 100% and not NOD32; we never know, so do not hesitate and say wow, NOD32 is the best one, like usual, when other AVs also detected it 100%...
    And if you look at av-comp..., KAV has won that test more in many years now than NOD32...!
    bye and Happy New Year 2006!
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hopefully you will have the answer you are looking for in this ongoing thread now that you have asked your question.
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, NOD32 has something KAV will not have so soon as I know: very strong heuristics. :D This for sir_carew's post. ;)
     
  18. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Yes, totally agreed.
    Eset has one of the best people in heuristics in the world.

     
  19. SaM_J

    SaM_J Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    13
  20. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Lots of good advice and breaking news on this WMF file exploit - as well as a nice fix for Kerio PFW 4.x users :D - can be found here http://sunbeltblog.blogspot.com/

    Great to see NOD32 at the head of the queue on protection for this - perfect way to end the year :cool:
     
  21. minerat

    minerat Registered Member

    Joined:
    Oct 21, 2005
    Posts:
    14
  22. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
  23. Jayari

    Jayari Guest

    what do you mean?
    that nod32 detected this new exploit of the Windows vulnerability with their Hive without adding any samples??
    i do not think so.
     
  24. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    1) Hive isn't part of NOD32. Hive is part of BitDefender. The NOD32 engine is called ThreatSense.
    2) Yes, it's true. NOD32 is able to detect new variants/modifications of known WMF exploits without the exact sample. Look at the VirusTotal results I posted: "variant of..." means detection of a new variant without an exact signature.

     
  25. minerat

    minerat Registered Member

    Joined:
    Oct 21, 2005
    Posts:
    14
    My version of NOD32 1.1347 doesn't detect the newest permutations (it pads the escape call with random data). Try the two files at the bottom of my test page; they'll initiate a Windows shutdown and NOD32 won't say a peep. Ilfak's patch does stop the newest variants though (as one would expect).

    http://multitudious.com/test.html (NOD32 will complain about the inlined images, but not when meta2.wmf and meta3.wmf are clicked and launched in Fax/Picture Viewer - R1CH from SA created the images)

    Good link, hadn't seen that.
     
    Last edited: Dec 31, 2005
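An added illustration, not code from this thread, from ESET or from any vendor, of the gap minerat describes between byte-exact matching (which padding defeats) and a structural check (which does not care about padding): the parser below walks WMF records and flags any GDI Escape record whose sub-function is SetAbortProc. The record layout and the META_ESCAPE/SETABORTPROC values are from the published WMF format; the fixture it scans is constructed here with zero bytes as escape data, purely to exercise the detector.

```python
import struct

META_ESCAPE = 0x0626        # WMF record function: GDI Escape
SETABORTPROC = 0x0009       # Escape sub-function abused by the December 2005 WMF exploits
META_EOF = 0x0000
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte Aldus placeable header

def wmf_record(func, params=b""):
    # One WMF record: Size in 16-bit words, Function, then word-aligned parameters.
    params += b"\x00" * (len(params) % 2)
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_test_wmf(pad_len):
    # Constructed test fixture (not a real sample): an Escape record whose
    # sub-function is SETABORTPROC, followed by pad_len zero bytes of padding.
    esc = struct.pack("<HH", SETABORTPROC, pad_len) + b"\x00" * pad_len
    body = wmf_record(META_ESCAPE, esc) + wmf_record(META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, len(body) // 2, 0)
    return header + body

def iter_wmf_records(data):
    # Yield (offset, function, params) for every record, tolerating truncated files.
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return
    off += struct.unpack_from("<H", data, off + 2)[0] * 2  # HeaderSize is given in words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6:            # malformed size: stop rather than loop forever
            return
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size

def find_setabortproc(data):
    # Structural check: offsets of Escape records with sub-function SETABORTPROC,
    # regardless of how much data pads the record or where it sits in the file.
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits

# Byte-exact signature taken from one specific fixture (pad_len == 4), for comparison.
EXACT_SIGNATURE = struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, 4)
def exact_signature_matches(data):
    return EXACT_SIGNATURE in data
```

The exact signature matches only the fixture it was taken from, while the structural check reports the escape record at the same offset whatever the padding length.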