Myron Johnson - RTA Information Technology

Computer Security, Telecommuting, and Windows Small Business Server 2003 and 2008.

Location: Tempe, Arizona, United States

RTA Information Technology, a Phoenix, Arizona-based company, specializes in computer security, telecommuting, and business computing. Myron Johnson is a Microsoft Certified Systems Engineer: Security on Windows Server 2003. RTA was Phoenix's FIRST Microsoft Certified Small Business Specialist. We install and care for servers, networks (wired and wireless), and desktop computers for businesses in the Phoenix, Arizona, area.

Thursday, December 29, 2005

A REALLY SCARY Attack on Windows - New WMF Exploit Infects Fully Patched Windows XP Users Who Browse Contaminated Web Sites - And a Temporary Fix

RTA Information Technology, Tempe, Arizona

A brand-new, very dangerous, infection has been seen. You can catch this one by simply surfing to a contaminated web site or even viewing a photograph contained in an email. NO other action is required.

I've witnessed a video of a user browsing a "safe" web site and being attacked by a BANNER AD that's coming from an infected site. The malware instantly installs itself, adding numerous desktop links, affecting the screensaver, and lots of other nasties. It makes a MESS!

http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html

This will infect FULLY PATCHED XP, SP2 computers running Internet Explorer, running antivirus and antispyware software! It can also infect computers running other web browsers under some circumstances.

As always, damage could be limited if the user isn't an Administrator on his PC (either a Local or Domain Administrator). However, about 90% of users still have Administrator rights on their PCs, so this infection proceeds with full Administrator or System rights.

A temporary fix has been published:

From the command prompt, type REGSVR32 /U SHIMGVW.DLL (include the spaces). A reboot is recommended. (It works post reboot as well. It is a permanent workaround).

You can also do this by going to Start, Run and then pasting in the above command.
This disables your ability to view images using the Windows picture and fax viewer. You won't be able to preview images in Explorer, either.

Once the exploit is patched, you can simply type “REGSVR32 SHIMGVW.DLL” to bring back the functionality.

Tuesday, December 20, 2005

A Free Way to Protect Your Family and Your Business Computers


Microsoft's Shared Computer Toolkit for Windows XP is a free and little-known way to protect your family's or your business' computers from damage and unauthorized use.

Don't want your kids or your employees to browse the Internet? The Toolkit can restrict users, on a per-person basis, from accessing Internet Explorer, Firefox, or other browsers.

With the free User Restrictions tool, you can:
* Restrict access to Windows system utilities
* Prohibit access to important data
* Prevent users from running unauthorized software
* Simplify the start menu

Want to stop your kids or employees from making changes to menus or the desktop, from installing programs, or allowing malware to modify critical system files?

With the free Disk Protection tool, you can:
* Protect operating system files
* Clear changes when the computer restarts
* Automate critical and antivirus updates
* Choose to save changes to disk

These tools take advantage of the little-known local Security Policies available on Windows XP (both Home and Professional versions). Companies that use a Windows Server can create Group Policies to do the same thing. But home users or companies that don't have a Server can easily take advantage of the local Security Policies with these tools.

Give these free tools a try. But do it NOW, BEFORE damage is done to your home or business computers. As I've noted in previous Blog commentaries, repairing a malware invasion on a PC can cause dangerous leaks of private information and can render your PC useless.

Monday, December 12, 2005

PART 1 - Dangerous Spyware - Why you shouldn't assume you got it all removed.


This is why I recommend that most people simply re-format their PC when contaminated by most spyware. Note that all the software and settings listed below happened after two mouse clicks!

This morning, I examined a client's XP Professional PC. He'd accidentally clicked on and installed some spyware last Friday. He was on a Domain and had Power User credentials (big mistake). The same would happen to a non-Domain user who was logged in with Administrator rights (like 99.9% of home users).

Along with the spyware, he got the following:

* His DNS settings were reset to a Russian DNS server.*
* BackOrifice was installed.
* Several Trojans that grab passwords were installed.
* A fake antispyware application (UnSpyPC) was installed.
* A Trojan that installs NEW spyware was installed.
* Symantec Antivirus was disabled by a setting in the Registry.
* Multiple spyware and trojan programs were installed as "Run at boot" programs in the Registry.

Routine scans caught the following:
* Microsoft's Malicious Software Removal Tool caught nothing.
* Microsoft's Antispyware caught two (Trojan.Downloader.Small.Popcorn64 and PWS Pinch (password catcher)).
* Spybot S&D 1.4 caught (and supposedly removed) 53 items, including CoolWWWSearch and a dozen other major adware, spyware, and trojan applications.
* HiJackThis 1.99 showed me the BackOrifice, plus three or four more trojans.

What a mess. Yuck.
We're copying data files to another PC and re-formatting.

==WHOIS results for 85.255.114.50 (the new DNS server)
==Generated by www.DNSstuff.com
==Location: Belarus
==Inhoster hosting company
==OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

----------------------------------------------------------------------------
*Pay close attention to the resetting of the DNS services. This is REALLY nasty. It works this way:

1) The client types in "www.wellsfargo.com" or "www.bankofamerica.com" in his browser (IE or whatever).
2) Instead of going to the Qwest DNS server, his computer goes to the Russian DNS server to resolve the location of "www.wellsfargo.com" or "www.bankofamerica.com".
3) The Russian DNS server sends the browser to a FAKE Russian site, and a fake bank's web site comes up in the browser (ANY browser) and offers to serve him, stealing his account information in the process.
4) There's NO way to know that you aren't in the 'real' site. You MANUALLY typed "www.wellsfargo.com" in the browser, so you figure you are safe.

Would most people catch the DNS reassignment? The only reason I noticed it was that I couldn't access an INTERNAL company web site (http://Companyweb, hosted by the company's SBS 2003 server). The PC was able to resolve other PCs on the network (via NetBIOS) and the Russian DNS server pointed to external web sites just fine. But you'd NEVER know it when that Russian DNS server decided to send your next web request to a fake site.
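The DNS reassignment described above is easy to miss by eye, so here is an added example (not part of the original post) of a small check that parses the "DNS Servers" lines from the output of "ipconfig /all" and flags any resolver that is not on an allowlist of expected networks. The sample output, the internal server 192.168.1.2, and the ISP resolver range 203.0.113.0/24 are constructed for this example; 85.255.114.50 is the address named in the post.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" output (not a real capture). The LAN
# adapter has had its resolver replaced; the wireless adapter still points at
# the internal server and the ISP resolver.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.114.50

Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.24
        DNS Servers . . . . . . . . . . . : 192.168.1.2
                                            203.0.113.53
"""

# Constructed allowlist: the internal SBS server's subnet and the ISP's
# resolver range. Anything outside these is worth a closer look.
ALLOWED_NETWORKS = ["192.168.1.0/24", "203.0.113.0/24"]

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
DNS_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
# Extra resolvers are listed on following lines containing only an address.
CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(text):
    """Return {adapter name: [DNS server addresses]} from ipconfig /all text."""
    servers = {}
    adapter = None
    collecting = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers.setdefault(adapter, [])
            collecting = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            servers[adapter].append(m.group(1))
            collecting = True
            continue
        m = CONT_RE.match(line) if collecting else None
        if m:
            servers[adapter].append(m.group(1))
        else:
            collecting = False
    return servers


def find_rogue_resolvers(servers, allowed_networks):
    """Return [(adapter, address)] for every resolver outside the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    rogue = []
    for adapter, addrs in servers.items():
        for addr in addrs:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                rogue.append((adapter, addr))  # unparsable entry: flag it too
                continue
            if not any(ip in net for net in nets):
                rogue.append((adapter, addr))
    return rogue


if __name__ == "__main__":
    # On a real machine, feed in: subprocess.check_output("ipconfig /all").decode()
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    for adapter, addr in find_rogue_resolvers(found, ALLOWED_NETWORKS):
        print(f"UNEXPECTED DNS SERVER on '{adapter}': {addr}")
```

On a real PC the text would come from running "ipconfig /all" instead of the constructed sample; the point is that the check compares every configured resolver against the servers you know you should be using, which is exactly the comparison a user never makes by hand.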

Saturday, December 10, 2005

The Computer Backup Dilemma


"What's a mother to do?"

That was the question raised by a decades-old television commercial, lamenting the dilemma of getting children to do what they should do to keep healthy and happy. Which leads us to computer backups.

Hard drives fail all the time. The mean-time-between-failure for recent hard drives is about eleven years. More or less. Practically speaking, the odds of a hard drive failing are about one-in-ten each year you use it.

What happens when your hard drive fails? At a minimum, it means getting the drive replaced and re-installing all your software. If you have any important data (like irreplaceable pictures of your departed grandmother or your family's financial information), then, hopefully, you have backups.

At worst, you lose everything. Do you have important data? Do you have backups of that data? Have you ever tested those backups to make sure they are good?

How much is your data worth to you? Hundreds of thousands of U.S. computer owners have to ask themselves that question every year. Their hard drives have failed or their operating system has failed and they have to decide how much they are willing to pay to recover their data.

Yes, data can often be recovered. The cost and difficulty depend on what failed. Recovering data, at a minimum, will involve removing the hard drive, installing it into another computer, and copying the data. That takes hours. Frequently, the problem is more serious than that. The drive's electronics have failed. The drive must be taken apart and repaired before data can be recovered. Even worse is when the drive's internal platter or head is damaged. Data recovery will cost thousands of dollars in that case.

Two Kinds of Backups

Want to save money and avoid the pain and sorrow of data loss? Make backups.

In general, you can make two types of backups: System and data. Frequent data backups are a must. The frequency depends on how often you change your data and how easy it is to re-create it. In other words, the frequency depends on how valuable the data is to you.

System backups allow you to easily recover your operating system, your applications, your settings, and your passwords. For many computer owners, system backups may take up more space than data backups, but need not be done very often. For many of us, a yearly system backup, which makes it easy to recover our basic PC and the applications we use most often, is adequate.

How to Back Up

There are a multitude of ways to back up critical data. Copy data across a network to another PC. Copy the data to a CD-R or a DVD-R. Copy it to an external USB hard drive. Or put a memory card into your PC and copy your files to that. The best way for you depends on how much data you have to back up.
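Whichever medium you copy to, the question raised earlier still stands: have you tested the backup? As an added example (not from the original post), the Python script below copies a folder into a dated backup set, records a SHA-256 checksum of every source file in a manifest, and then re-hashes the copies against that manifest so a bad copy or a corrupted file shows up before you need it. The folder names, file contents and the date stamp in demo() are constructed sample data.

```python
import hashlib
import os
import shutil
import time


def sha256_of(path):
    """Hash a file in chunks so large photos and videos don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def back_up(source_dir, backup_root, stamp=None):
    """Copy source_dir to backup_root/<stamp> and write <stamp>.sha256 beside it.
    Returns the path of the new backup set."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest = os.path.join(backup_root, stamp)
    shutil.copytree(source_dir, dest)  # creates backup_root if needed
    lines = []
    for root, _dirs, files in os.walk(source_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
            lines.append(f"{sha256_of(full)}  {rel}")  # hash of the ORIGINAL
    with open(os.path.join(backup_root, stamp + ".sha256"), "w") as f:
        f.write("\n".join(lines) + "\n")
    return dest


def verify_backup(backup_root, stamp):
    """Re-hash every copied file against the manifest.
    Returns a list of problems; an empty list means the set verified."""
    dest = os.path.join(backup_root, stamp)
    problems = []
    with open(os.path.join(backup_root, stamp + ".sha256")) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(dest, *rel.split("/"))
            if not os.path.exists(path):
                problems.append(f"missing: {rel}")
            elif sha256_of(path) != digest:
                problems.append(f"corrupt: {rel}")
    return problems


def demo():
    """Run on constructed sample data in a temporary directory.
    Returns (problems before tampering, problems after tampering)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "My Documents")
        os.makedirs(os.path.join(src, "photos"))
        with open(os.path.join(src, "budget.txt"), "w") as f:
            f.write("constructed sample data\n")
        with open(os.path.join(src, "photos", "grandma.jpg"), "wb") as f:
            f.write(b"\xff\xd8 constructed bytes, not a real photo")
        root = os.path.join(tmp, "backups")
        dest = back_up(src, root, stamp="2005-12-10")
        clean = verify_backup(root, "2005-12-10")
        # Simulate a bad copy or bit rot inside the backup set.
        with open(os.path.join(dest, "budget.txt"), "w") as f:
            f.write("garbage\n")
        tampered = verify_backup(root, "2005-12-10")
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("verified clean:", before == [])
    print("after tampering:", after)
```

For a real run, point back_up() at your data folder and an external drive or network share, and run verify_backup() on the same set a week or a month later; a growing list of "corrupt" entries is the early warning that the backup medium itself is failing.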

Monday, December 05, 2005

OpenOffice 2.0


I'm trying out OpenOffice 2.0.

I'm running it inside of Virtual PC 2004, to avoid any conflicts with my main PC. OpenOffice, for those not into such things, is open source software. It's FREE!

OO 2.0 includes equivalents to Microsoft's Access, Excel, Word, and PowerPoint, along with a drawing program and a mathematics program. It will open most Microsoft documents. Even Access 2003 tables. It will also do a "Save As..." into most Microsoft file formats (but NOT Access). The native format for saves is XML, which Microsoft is moving towards with MS Office 12, to be released in late 2006.

I just opened a pre-existing PowerPoint 2003 presentation. It opened fine in "Impress", OO 2.0's presentation software. Impress looks a LOT like MS PowerPoint 2003! I was able to do a slideshow without a problem. I was also able to modify the document, save it in MS PowerPoint format, and re-open it on my main PC, using Microsoft's PowerPoint 2003.

Impressive, so far!

Vista Beta Preview


I saw a first-person demo of Vista the other day.

One of the obvious gotchas is that the high-end graphics version of Vista will require a 256MB graphics card. There aren't that many 256MB cards around. You can't even BUY 256MB versions of some fairly recent, higher-end cards, like the popular Nvidia 6600GT.

The scaling graphics in the folder views is cool. But they've been doing that in Linux shells for years. DESQview-X, ca. 1993, had scaled graphics in windows.

It's too bad that MS didn't get the new WinFS file system ready in time. Some are speculating that WinFS for Vista will be released in the first Service Pack. Whenever that will be.

It's unclear (even to Microsoft, apparently) exactly how many versions of Vista will exist. There will be at least two home versions, a business version, a multi-media version, and who knows what other versions. Not to mention both 32-bit and 64-bit versions. Plus the new Longhorn Server.

I DO have a Beta copy of Vista (I'm not sure which version it is), but I haven't gotten around to installing it anywhere. I may put it in Virtual PC 2004, but I understand there are some work-arounds necessary to do that successfully.

Saturday, December 03, 2005

Sony DRM Installs Root Kit with Spyware-like Properties


Sony continues to make headlines with its Digital Rights Management (DRM) software. The most worrisome (to consumers) version is contained on 52 Sony copy-protected music CDs. Originally outed in Mark Russinovich's blog, without warning the software installs a root kit on Windows PCs, tells Sony every time a copy-protected song is played, and can easily act as a camouflage for viruses or other malware.

Sony has now recalled all CDs protected by this "XCP" version of copy protection, promising to replace any customer's CDs with non-copy-protected versions.

There are currently class action lawsuits against Sony in three states. Some larger companies have outlawed ALL music CDs from company computers.

Analysis:

There are major issues here, untested in U.S. courts.

1) How much disclosure is necessary in an End User License Agreement (EULA)? Is a software maker obligated to inform the purchaser that software being installed:
a) Is NOT just a "music player", but is a root kit that modifies key system functions?
b) Sends out encrypted information across the Internet without asking the user?
c) Runs constantly on the computer, using up CPU cycles?
d) Cannot be un-installed?
e) Modifies system properties to hide certain files (possibly introducing a security hazard)?

2) How much liability does Sony have for damages caused by their software?
Sony's EULA limits damage to a maximum of $5. What if the DRM program, which installs as a root kit, directly causes data loss for a company? Or requires that a computer operating system be rebuilt?