[Dshield] WMF "wait for us" (Interjection)

David Taylor ltr at isc.upenn.edu
Sat Jan 7 12:25:53 GMT 2006


Once a system has been compromised like this and you want to have the system
integrity restored the only option is to do a format/rebuild from scratch.
Spyware/Malware removal tools should never be trusted to remove all evilware
an intruder could plant on the system.  If a new rootkit and/or keystroke
logger is circulating and the AV vendors and such don't have a way to detect
it then the user could be at risk. 


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities 
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org

irc.freenode.net #dshield
http://freenode.net/



-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Bryan Hill
Sent: Friday, January 06, 2006 6:16 PM
To: General DShield Discussion List
Subject: Re: [Dshield] WMF "wait for us" (Interjection)


Thanks to DSHIELD for having this forum... 

Here is what I found out from Microsoft Virus Support... 

How do I remove it?
The WMF by itself is very easy to remove.  It appears that by simply
clearing the temporary internet files the WMF files can be easily
removed.  However, the threats installed through the WMF must be
addressed separately.
 
Using Microsoft Anti-Spyware and Windows Live Safety Center from Safe
Mode, most threats can be removed.  You may be required to use other
tools and manual removal steps depending on what threats are present on
the system.  Please refer to the SpyAxe manual removal steps if the
customer is also infected with SpyAxe.
 
In addition to using these tools and steps it is recommended that you
also clear the contents of the following locations:
 
1. C:\Windows\Prefetch
2. Temporary Internet Files
3. C:\Windows\Temp
4. Empty the Recycle Bin
 
Should I assume if a customer has SpyAxe or SpySheriff it is a result of
this exploit?
No.  Both SpyAxe and SpySheriff are installed via many methods.  The
existence of these programs does not necessarily mean that the customer
has been infected with the WMF exploit.  By asking the customer probing
questions and identifying how these programs were installed, such as
locating a WMF in the Temporary Internet Files.
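The support guidance above says to look for a WMF in the Temporary Internet Files and to clear the four listed locations. As an added triage example (not part of the original post or of Microsoft's guidance), this Python script inventories those locations and reports files whose header looks like WMF regardless of file extension, so a responder can see what is there before wiping; the default paths are assumptions for an XP-era profile layout, and demo() builds a constructed sample folder instead of touching a real system.

```python
import os
import tempfile

# Locations the support guidance says to clear (drive letter and XP-era
# profile layout are assumptions; adjust for the host being triaged).
DEFAULT_LOCATIONS = [
    r"C:\Windows\Prefetch",
    r"C:\Windows\Temp",
    os.path.expandvars(r"%USERPROFILE%\Local Settings\Temporary Internet Files"),
    r"C:\RECYCLER",  # Recycle Bin storage on XP/NTFS (assumption)
]
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # placeable WMF key 0x9AC6CDD7, little-endian on disk


def looks_like_wmf(data: bytes) -> bool:
    """True if the leading bytes look like a WMF header; the extension is ignored."""
    if data.startswith(PLACEABLE_KEY):
        return True
    # Standard METAHEADER: Type 1 or 2, HeaderSize 9 (words), Version 0x0100/0x0300.
    mtype = int.from_bytes(data[0:2], "little")
    hsize = int.from_bytes(data[2:4], "little")
    version = int.from_bytes(data[4:6], "little")
    return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)


def scan_locations(locations):
    """Walk each existing location and return sorted paths whose header looks like WMF."""
    hits = []
    for top in locations:
        if not os.path.isdir(top):
            continue  # missing on this host; keep going with the rest
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(22)
                except OSError:
                    continue  # locked or unreadable; skip rather than abort
                if looks_like_wmf(head):
                    hits.append(path)
    return sorted(hits)


def demo():
    """Constructed sample folder: a WMF disguised as .jpg, a real .wmf, two decoys."""
    base = tempfile.mkdtemp(prefix="wmf-triage-")
    samples = {"photo.jpg": PLACEABLE_KEY + b"\x00" * 18, "note.txt": b"hello",
               "chart.wmf": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 16,
               "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 18}
    for name, data in samples.items():
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(data)
    return [os.path.basename(p) for p in scan_locations([base, r"C:\no-such-dir"])]
```

Run scan_locations(DEFAULT_LOCATIONS) on the affected host to list candidates; the script only reads, it does not delete anything.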

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Bryan Hill
Sent: Friday, January 06, 2006 2:06 PM
To: General DShield Discussion List
Subject: Re: [Dshield] WMF "wait for us" (Interjection)

I am sorry for introducing another variable into this discussion.
However, can someone kindly tell me if the patch fixes computers, which
are already compromised by the WMF file?

If not, can someone please point me in the right direction for a fix for
one that is already thrashed!!!

Oh yeah!! Happy New Year... 

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Mrcorp
Sent: Friday, January 06, 2006 1:36 PM
To: General DShield Discussion List
Subject: Re: [Dshield] WMF "wait for us"

Just for the record, I run ME still on one of my computers and have
never really had a problem
with it.  Also, XP home for some people I help, no problems.  Perhaps
it's the administrators??  ;)

Mrcorp

--- Paul Marsh <pmarsh at nmefdn.org> wrote:

> 
> I'll second that besides ME, Home has got to be one of the flakiest.
> For entertainment upgrade Home to PRO and let the fun begin ;)
> 
> Thanx, Paul
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Aaron Lewis
> Sent: Friday, January 06, 2006 11:50 AM
> To: 'General DShield Discussion List'
> Subject: Re: [Dshield] WMF "wait for us"
> 
> I have to say that I have also found XP Home to be far less stable.
> That could just be me and the systems I've experienced but that's my
> feeling. I personally won't allow my family or clients to use XP Home
> in any environment. I just don't see the point of limiting yourself to
> save a couple bucks. Somewhere a few months later they'll want to do
> something they can't.
> 
> Yes the support does end on Jan 1 2007 or Dec 31 2006 however you look
> at it.
> 
> -ADL
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Johannes B.
> Ullrich
> Sent: Friday, January 06, 2006 11:14 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] WMF "wait for us"
> 
> 
> Wes S wrote:
> > On 5 Jan 2006 at 8:55, Tim Hollebeek wrote:
> >
> >> Compared to the decision to completely discontinue security support
> >> for XP Home in less than a year (!), this decision is eminently
> >> reasonable.
> >>
> >> -Tim
> >>
> >
> > What?  I just bought my mom an XP Home computer for Christmas.  Is
> > this really true?
> 
> Here is MSFT's comparison page:
> 
> http://www.microsoft.com/windowsxp/home/howtobuy/choosing2.mspx
> 
> The missing "networking features" are unlikely to be used in a home
> environment.
> 
> The only feature I would miss for home use is the encrypted file
> system if you install it on a laptop. But for a desktop, that's
> probably less of an issue (unless you have desktops walking away from
> you).
> 
> --
> 
> ---------
> Johannes Ullrich                        jullrich at sans.org
> Chief Research Officer                     (617) 639 5000
> http://isc.sans.org
> PGP Key: https://secure.dshield.org/PGPKEYS
> 
> "We use [isc.sans.org] every day to keep on top of  security at our
> bank" Matt, Network Administrator.
> 
> 
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own
> couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> 
> _______________________________________________
> send all posts to list at lists.dshield.org To change your subscription
> options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 
> 
> 
> The information in this transmittal (including attachments, if any) is
> privileged and confidential and is intended only for the recipient(s)
> listed above. Any review, use, disclosure, distribution or copying of
> this transmittal is prohibited except by or on behalf of the intended
> recipient. If you have received this transmittal in error, please
> notify me immediately by reply email and destroy all copies of the
> transmittal. Thank you.
> 

This information may be legally privileged and/or is confidential, and
is intended for the use of the addressee named above.  Any other use is
strictly prohibited.  If you have received this communication in error,
please immediately notify me and destroy the communication.  Any
wrongful interception of this transmission is  prohibited and punishable
under federal law.

