Spy Sheriff - so how do people get infected w/ this thing?

[Larry Sabo]

[top-post corrected below]

Larry Sabo wrote: [snip]

Install Sunbelt Kerio Personal Firewall and modify the filter rules
per the article "Snort rules for WMF exploit updated" in
http://sunbeltblog.blogspot.com/. That seems to work very well.

Larry

Larry,
I would consider doing this, but I don't know if Sunbelt's product is free, and worse, I
already own ZoneAlarm Pro, and I know that 2 firewalls won't work together. Even if they did,
ZoneAlarm slows down my boot time by a large amount. [snip]

Cool_X

Sunbelt Kerio Perosonal Firewal is full-featured for 30 days, then
becomes a freeware version with fewer features, according to Sunbelt.
The full-featured version is available for $14.95 USD, and costs $9.95
USD to renew at the end of the year. For a table showing the
differences between the free and paid versions, see...

http://www.sunbelt-software.com/Kerio.cfm

I use to use Zone Alarm years ago but abandoned it when it became so
bloated that it slowed my system to a crawl, especially during
booting. During the short time I was checking it out, I think I notice
that SKPF slowed my system perceptibly, but I really didn't use it
long enough to be sure.

If I were using Win98, I'd use SKPF with the filters mentioned in the
link above. Since I use Win2K,I rely upon the WMFHotFix instead.

Larry

 

[Cool_X]

Todd,
No, I really don't think I have that DLL because I keep getting the error message:

"RegSvr32

LoadLibrary("%windir%\system32\shimgvw.dll") failed .
GetLastError returns 0x00000485."

What missing backslashes are you talking about, and what else can I do?

Cool_X

 

[Cool_X]

Notan,
Why should Kerio be the only firewall that supports this? Won't other firewall makers follow
suit with updates to their products?

And won't Symantec release definitions updates that catch all of the variants, so once I
install them, I'll be immune to this virus just like any other?

Finally, why should I have to pay twice to get another firewall when I've already bought one
that was highly rated, and then not be able to use the one that I already bought?

There must be SOME alternative to this...

Cool_X

P.S. I'm still interested in discussing more about Usenet with you regarding your previous
posts on alt.comp.sys.laptops, but I don't want to stay OT there. Could you send me your
e-mail address (mine is already listed, you just have to remove the "SPAM")?

 

[Todd H.]

Todd,
No, I really don't think I have that DLL because I keep getting the error message:

"RegSvr32

LoadLibrary("%windir%\system32\shimgvw.dll") failed .
GetLastError returns 0x00000485."

What missing backslashes are you talking about, and what else can I
do?

the missing backslashes I mentioned were from the sans.org diary
(their editor keeps eating them evidently), but accordingly to the
error message you have them.

Check c:\windows\system32 directory and see if shimgvw.dll is there.
Maybe the mapping of %windir% is goofed up on your system? Dunno.

 

[Cool_X]

Leythos,
Well, you might as well be a M$ salesman, because you're saying almost exactly what I'd expect
to hear from them.

My response to your "solutions":

1. Win98 is only unsupported b/c M$ is EVIL and wants to use hackers to make more money in
"upgrades" by leaving previous versions to be riddled with viruses when it's probably even
easier for them to release patches for 9x kernels. Besides which, I figured that due to its
age, Win98SE would have all of its major bugs worked out, and wouldn't have to sustain a major
hit like this poses. Furthermore, there's still an OS/2 group in my city.

2. I already bought a good virus scanner and firewall (SystemWorks and ZoneAlarm Pro), so
until now, I've been relying on updated virus definitions. I thought that was a workable
solution until this, where a key part of Windows has been totally exploited.

3. No, why should I pay to make my PC even slower? I don't need the extra "features" (read:
bugs) of newer M$ OSs, and Win98 has all the functionality (plus extra compatibility) that I
need. Besides which, I'm not going to let an EVIL MONOPOLY dictate how I run any system, and
will certainly not be pressured into any "upgrade".

4. Oh, so you think I have all the money in the world? A year later, I'm still buried in
credit card debt paying for a $6000 USD (approx. conversion) theft that I couldn't afford to
insure, and I know quite a few people who aren't rich enough to have a fast enough PC to even
look at 2000 (like somebody I know who still has a P233). I'm just a student who's having to
work to pay for a drug-dealing gang's gains, so I still have my university tuition to have to
pay. Since I use laptops, the lack of compatibility and ease of use deters me from learning a
*nix OS, especially as I'm not a programmer and wouldn't enjoy having to recompile my OS.

I still won't use XP on principle that I completely disagree with M$ violating privacy with
WPA, and I'm not going to ask PERMISSION to use something that I had to PAY FOR and own the
rights to.

My question is, if security people have developed an unofficial workaround for the NTFS kernel,
then why can't they release one for the Win9x kernel? Why isn't there DLLs that I can
unregister, or "features" that I can disable?

I had plans to make all Win98 machines secure by not connecting them to the Internet, and to
keep anything that could run XP using 2000, switching to Macs when PCs are forced to use their
TCP chips, and then finally learning to use a friendly form of Unix when there was a real
purpose like CompSci courses, but this exploit (I again figured that since the majority of
people had bought into M$'s tactics to force "upgrades", that virus writers would target the
NTFS kernel which had more undiscovered holes, because it had become the common medium, and
therefore NTFS exploits simply wouldn't work with Win98). Because of my dire life situation,
these plans have remained daydreams, until I can find some charitable help to give me a hand up
in building my future, but that I've never been able to find, needed because I simply don't
have the means to fix damage done by other people which has become too much for me to control...

Cool_X

 

[Leythos]

Leythos,
Well, you might as well be a M$ salesman, because you're saying almost exactly what I'd expect
to hear from them.

Sorry you look at it that way, I did present the Linux solution, but you
must not have seen that part.

I'll comment in line with your reply:

My response to your "solutions":

1. Win98 is only unsupported b/c M$ is EVIL and wants to use hackers to make more money in
"upgrades" by leaving previous versions to be riddled with viruses when it's probably even
easier for them to release patches for 9x kernels. Besides which, I figured that due to its
age, Win98SE would have all of its major bugs worked out, and wouldn't have to sustain a major
hit like this poses. Furthermore, there's still an OS/2 group in my city.

No, Win98 is no longer supported because MS, being a free company, has
decided it does not want to invest money into OLD TECHNOLOGY. It would
not benefit them to continue to invest money into a product that does
not fully support the current direction/platforms of the company. Any
company in the Free world does this and should be able to do this, not
just Microsoft.

There is a Commodore group in my city, but it's not supported by
Commodore - so it's really meaningless to expect them to continue to
support a dead OS.

2. I already bought a good virus scanner and firewall (SystemWorks and ZoneAlarm Pro), so
until now, I've been relying on updated virus definitions. I thought that was a workable
solution until this, where a key part of Windows has been totally exploited.

The problem is that the exploits, even for Linux and it's apps, are
evolving, just look at the HPUX sites for their holes. The longer
Windows 98 is around the more chances of finding something that can be
exploited. It's your choice to use it.

3. No, why should I pay to make my PC even slower? I don't need the extra "features" (read:
bugs) of newer M$ OSs, and Win98 has all the functionality (plus extra compatibility) that I
need. Besides which, I'm not going to let an EVIL MONOPOLY dictate how I run any system, and
will certainly not be pressured into any "upgrade".

If Win98 has all the functionality that you need, then so does Fedora
Core 4 and the Windows Emulator. Since you've not specified what you
really need from the OS/Apps, I can tell you that Office versions
through XP will run on Linux Fedora Core 4 using a Windows Emulator
program - and they run quite well too.

You are NOT pressured to upgrade, you are only going to have to accept
that the FREE MARKET is a real thing, part of most every company, and
that you've decided to live with OLD technology that is no longer
supported - again, it's your choice.

4. Oh, so you think I have all the money in the world? A year later, I'm still buried in
credit card debt paying for a $6000 USD (approx. conversion) theft that I couldn't afford to
insure, and I know quite a few people who aren't rich enough to have a fast enough PC to even
look at 2000 (like somebody I know who still has a P233). I'm just a student who's having to
work to pay for a drug-dealing gang's gains, so I still have my university tuition to have to
pay. Since I use laptops, the lack of compatibility and ease of use deters me from learning a
*nix OS, especially as I'm not a programmer and wouldn't enjoy having to recompile my OS.

I didn't suggest anything concerning your finances, but my old P2
laptop, a not so old P3 and even my new Toshiba P4 3.2ghz laptop run
Fedora Linux just as well as Windows XP. Oh, and I didn't have to
compile anything, just download the FREE ISO images, burn them to CD and
it's installable for free.

I still won't use XP on principle that I completely disagree with M$ violating privacy with
WPA, and I'm not going to ask PERMISSION to use something that I had to PAY FOR and own the
rights to.

No one asked you to use it, but you want to stand the high ground and
then not give a vendor the same right? They have every right to stop
supporting a product that's been replaced for a LONG TIME.

My question is, if security people have developed an unofficial workaround for the NTFS kernel,
then why can't they release one for the Win9x kernel? Why isn't there DLLs that I can
unregister, or "features" that I can disable?

Windows 2000/XP are not even close to Win98/Me, it's not even close to
the same type of platform. Why would you expect a company to spend
thousands of $ on a solution for a discontinued and unsupported OS?

I had plans to make all Win98 machines secure by not connecting them to the Internet, and to
keep anything that could run XP using 2000, switching to Macs when PCs are forced to use their
TCP chips, and then finally learning to use a friendly form of Unix when there was a real
purpose like CompSci courses, but this exploit (I again figured that since the majority of
people had bought into M$'s tactics to force "upgrades", that virus writers would target the
NTFS kernel which had more undiscovered holes, because it had become the common medium, and
therefore NTFS exploits simply wouldn't work with Win98). Because of my dire life situation,
these plans have remained daydreams, until I can find some charitable help to give me a hand up
in building my future, but that I've never been able to find, needed because I simply don't
have the means to fix damage done by other people which has become too much for me to control...

If you can't handle the fact that it's not going to be supported, that
you already had this information available, and you don't want to do
anything to test/try Linux, then you're stuck. You can't blame any
vendor for failing to support an OS that you've already known was
unsupported and didn't take steps to upgrade/update to a supported OS.

Try Fedora Core 4, it's painless, at least it's been painless for us.

 

[Cool_X]

John,
I initially thought that article was a breath of fresh air...until I read the feedback.

I still feel screwed because I use IrfanView and M$ Office 2000, and from what I read, there's
no office suite, imaging program, browser or e-mail client that wouldn't be theoretically
vulnerable. So all that would have to happen is an infected WMF be renamed and then it would
automatically be viewed by whatever names itself the default. I just can't imagine living
without all of these programs...

Worse yet, it would be too easy to develop another variant of this virus that WILL hit every
Windows system, and not generate an error with attempts to read infected pictures.

This is why monopolization and unifying standards that M$ creates are truly dangerous (I
refused to use Windoze Media files and I have my firewall set to disable Windoze Media Player),
and to boot make M$ more money by destroying security, because they profit from sad schemes
like OneCare, not to mention their investment in "Trusted Computing" and the expletive DRM,
meaning that they'll still pursue invasion of privacy in a failed hope of security.

Cool_X

 

[John Hyde]

John,
I initially thought that article was a breath of fresh air...until I
read the feedback.

I still feel screwed because I use IrfanView and M$ Office 2000, and
from what I read, there's no office suite, imaging program, browser or
e-mail client that wouldn't be theoretically vulnerable. So all that
would have to happen is an infected WMF be renamed and then it would
automatically be viewed by whatever names itself the default. I just
can't imagine living without all of these programs...

Well, the only win 98 systems I run, while connected to the internet,
are not used in a way that puts them at risk.

While noodling around on the web last night, I saw that gibson research
(grc.com) offers a utility that is advertised as safely determining
whether a system is vulnerable. I know nothing more about it than that.
I know that some folks don't care for Gibson much, but AFAIK, he is a
"good guy."

JH

 

[Hoosier Daddy]

I think that if I don't have the DLL that the sites are asking me to unregister, then I'm
either not affected or the exploit targets different files. Could anyone clarify this one way
or another???

The unregistering of the dll only removes one vector into the vulnerable program, it
does not completely shut off all possible vectors. The vulnerability evidently is not
limited to one program, but to many programs that work to implement the vulnerable
feature in older Windows OSes.

 

[Hoosier Daddy]

While noodling around on the web last night, I saw that gibson research
(grc.com) offers a utility that is advertised as safely determining
whether a system is vulnerable. I know nothing more about it than that.
I know that some folks don't care for Gibson much, but AFAIK, he is a
"good guy."

There is a subtle difference between determining if a system is vulnerable to
a given exploit and determining if a system has a given vulnerability.

 

[cquirke (MVP Windows shell/user)]

On Tue, 03 Jan 2006 22:58:19 GMT, Cool_X

If all 16-bit versions of Windows will be vulnerable

Correction: Win95xx, 98xx and ME are not 16-bit Windows. They are a
family of 32-bit Windows that was developed to support Win32, Win16
and DOS programs, while the older NT family stressed reliability at
the expense of weaker Win16 and DOS support and heavier hardware
requirements. Because modern hardware meets NT's requirements and the
need for DOS and Win16 support has faded away, development of the
Win9x family ceased and NT was re-positioned to replace it as XP.

---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony

 

[Todd H.]

On Tue, 03 Jan 2006 22:58:19 GMT, Cool_X


Correction: Win95xx, 98xx and ME are not 16-bit Windows. They are a
family of 32-bit Windows that was developed to support Win32, Win16
and DOS programs, while the older NT family stressed reliability at
the expense of weaker Win16 and DOS support

This is a useful and well stated distinction.

However, for colloquial use, I like to brush 95/98/ME under the
"unstable 16-bit goofiness" rug and avoid it all like the plague.

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a useful and well stated distinction.

However, for colloquial use, I like to brush 95/98/ME under the
"unstable 16-bit goofiness" rug and avoid it all like the plague.

If you need a bigger brush just ask; I'd be happy to supply to such a just
cause
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDvGcb7uRVdtPsXDkRAtyIAJ4zaw2BIwrdkYT3f0+UEuRP0kqmLgCgijJ4
djXscYZGkB0ZZiur0/2meQ4=
=IVAM
-----END PGP SIGNATURE-----

 

[John Hyde]

There is a subtle difference between determining if a system is vulnerable to
a given exploit and determining if a system has a given vulnerability.

True. But for the OP, it might be helpful to know if vulnerable to the
given exploit.

 

[Marianne B.]

Hey cquirke,

Sorry to jump into this thread.
I just wanted to get your attention.
Please read my repost of a question to you in
microsoft.public.windowsxp.general
regarding a totally different subject. I think you missed it the first time
I posted it.
The subject line starts with "cquirke" and I am posting it at the same time
that I am
posting this message.

Thanks,

M.B.

 

[John Hyde]

the missing backslashes I mentioned were from the sans.org diary
(their editor keeps eating them evidently), but accordingly to the
error message you have them.

Check c:\windows\system32 directory and see if shimgvw.dll is there.
Maybe the mapping of %windir% is goofed up on your system? Dunno.

No, Win 98SE does not have this DLL.

Does not mean it's not vulnerable to the WMF hole, just not the shimgvw
exploit.

JH

 

[cquirke (MVP Windows shell/user)]

This is a useful and well stated distinction.

However, for colloquial use, I like to brush 95/98/ME under the
"unstable 16-bit goofiness" rug and avoid it all like the plague.

As you wish, but it's technically inaccurate and undermines
credibility. The "goofiness" you describe is often due to the
different design goals of Win9x (specifically, the need to allow
legacy software direct access to hardware) than any 16-bit
considerations, with two notable exceptions:

1) Resource heaps

Win9x uses new 32-bit resource heaps, but still locates some
structures within legacy 16-bit heaps to appease certain old apps that
broke the "use the documented API, idiot" rule. Reportedly, MS Excel
was one of these rogue apps.

So while it doesn't deplete heaps as fast as Win3.yuk may do, heap
issues remain a core weakness.

2) Shared VM for 16-bit apps

Win9x pre-emptively multitasks Win32 and DOS apps, each within their
own VM, but lumps all Win16 apps within a single VM that is then
pre-emptively time-sliced along with the others. Within this shared
VM, the Win16 apps are competitively (sorry, "co-operatively")
multitasked as they would be in Win3.yuk

There are two drawbacks to this. Firstly, poor multitasking is likely
between multiple Win16 apps within this VM. Secondly, any resource
heap leakage by any Win16 app cannot be cleaned up until all Win16
apps have ended, as only then can Win9x close the VM and recover
outstanding resource heap allocations (which Win3.yuk never did).


A lot of the 16-bit code within Win9x is finely-tuned, stable code
written in assembler. Re-using this code was a big factor in keeping
the OS small enough to fit within 4M RAM, and there would have likely
been more stability issues had an attempt been made to re-write this
code in 32-bit assembler.

Well-tested, stable code is something worth clinging to; failure to do
so has been mooted as the reason why Netscape died after they decided
to scrap everything they'd written and restart from scratch - costs
and testing time escalated beyond all expectations.

---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony

 

[cquirke (MVP Windows shell/user)]

On Wed, 4 Jan 2006 20:32:59 -0500, "Marianne B."

Hey cquirke,
Hi!

Sorry to jump into this thread.
I just wanted to get your attention.
Please read my repost of a question to you in
microsoft.public.windowsxp.general
regarding a totally different subject. I think you missed it the first time
I posted it.
The subject line starts with "cquirke" and I am posting it at the same time
that I am posting this message.

I'll look out for it, though that ng is so busy I might well miss it.
If I do, you can email it to me at:

cquirkenews at mvps.org

---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony

 

[Todd H.]

Well-tested, stable code is something worth clinging to;

Agreed. If only it were well tested and stable.

Are you hinting that Windows 98 was stable vs win2k/xp? If so your
experience is VERY different from my own.

 

[cquirke (MVP Windows shell/user)]

Agreed. If only it were well tested and stable.

*that* part of the code base was well-tested and stable ;-)

Are you hinting that Windows 98 was stable vs win2k/xp? If so your
experience is VERY different from my own.

No, not at all. NT is more stable than Win9x because it is designed
to a brief that allowed to it avoid the compromises that destabalize
Win9x. Regarding that re-used 16-bit code, the NT approach most
likely avoided the stability risks by *not* rewriting the code in raw
assembler, but doing this in a higher-level language instead, and
accepting the fact that more RAM would be required as a result.

The only place the <gasp> 16-bit OS code (as opposed to other factors
mentioned, such as legacy heaps, 16-bit app multitasking, and exposure
to raw hardware access) came up as a problem, waswhen running these
OSs on the first truly 32-bit-orientated processor, the Pentium Pro.

This processor was optimised for 32-bit code, and ran 16-bit code
pretty slowly. But just as the US software industry was trying to
roll out a brave new world (NT development, OS/2, Win9x), there was a
crisis in RAM pricing and availability - and suddenly, no-one wanted
to know about OSs that needed 16M RAM.

When comparing DOS/Win3.yuk, Win95 and NT, NT ran fastest on the PPro,
DOS/Win9x ran slowest (much as it would on Pentium) and Win95 fell in
between, due to that core 16-bit code.

When PPro design was re-released for general use as the Pentium II,
the 16-bit code handling had been speeded up; that, plus the dropping
of the planned 200MHz model, helped the PII to be "faster than the
PPro" (which otherwise out-performed PII on 32-bit code, due to the
full-speed interconnect between core and L2 cache)

---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony