Saturday, September 30, 2006

Non-Microsoft Patch for Unsupported MS Systems Against VML Exploit

As this blog post was possible because of information from Freedomlist, it is only appropriate that the image used to accompany it also be from Freedomlist. The original image is worth checking out. See long-time Freedomlist member Curious John's original image of his favorite wild persimmon tree.

~~~~~~~~~~~~~~~

Ordinarily, I do not recommend using a patch for a Microsoft Operating System that was not created and tested by Microsoft. The reason is that Microsoft has tremendous resources at hand for testing in countless environments that others do not have available. Even then, there is no way for Microsoft to test every possible configuration or software interaction. However, in this instance, I decided it is a good idea to at least let readers know of the availability of this particular unofficial patch.

As background, on October 10, Microsoft released Security Bulletin MS06-055 as a critical update. The purpose of the update was to fix a security issue identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. The problem is that a fairly large number of Windows operating systems still in use have reached the end of the "Life Cycle" during which Microsoft provides updates. (The information for all Microsoft software, games, tools and hardware is available in Product Life Cycle, which Microsoft reviews and updates regularly.)

ZERT (Zeroday Emergency Response Team) created a patch against the VML exploit for Windows 9X, ME, 2000 (up to SP3) and XP systems that have not been updated to SP1, SP1a or SP2.

Hat Tip to "Lost" at Freedomlist for the link to the c|net News article "Security pros patch older Windows versions", by Joris Evers, which reports:

"The vulnerability, first reported last week, lies in a Windows component called "vgx.dll." This component supports Vector Markup Language (VML) graphics in the operating system. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable PC when the user clicks on a malicious link on a Web site or an e-mail message."

Of course the standard warnings of keeping antivirus software updated and using caution when browsing the Internet apply, as does not clicking on a link in an e-mail from an untrusted source. If you still do not feel your computer is secure, check whether your version of the operating system has been tested; see ZERT's Libraries Tested.

Here are the instructions for those downloading the file for the older computers, by Plodr:
  1. Grab the download from here: http://isotf.org/zert/download.htm
  2. Unzip it and you'll get a ZPatch folder. Make sure you close IE and OE before you try to apply the patch.
  3. Click on ZVGPatcher.exe, which brings up a window.
  4. Click on patch and close the window.
  5. Open IE and go to http://www.isotf.org/zert/testvml.htm

As Plodr also noted:

"If IE crashes, then you are not patched. Believe me, I've had my share of crashes in the last several days until I got both 98SEs and ME patched."

Thank you Curious John, Lost and Plodr!


SunFlowers and SunJava Update

Having sunflowers in the garden adds a bright spot of color and attracts birds that feed on the seeds. However, having old versions of SunJava on the computer attracts nasty infections like Virtumundo (Vundo) or Winfixer, which require specialized tools for removal.

Current Release: Java Runtime Environment (JRE) 1.6.0_07 for Java SE 6.

System Requirements:
See supported System Configurations for information about supported platforms, operating systems, desktop managers, and browsers.

Running with less memory may cause disk swapping which has a severe effect on performance. Very large programs may require more RAM for adequate performance.

This installation requires Windows Installer 2.0 to be on your machine, or an Internet connection for it to be automatically downloaded. For more details, see the Troubleshooting the Installation section of JDK.

  • Note: Trying to install the Java SE Runtime Environment on a non-supported version of Microsoft Windows or on a machine that doesn't have a sufficiently up-to-date Service Pack will cause the installer to generate this warning: "We recommend that you do not install this Java platform for the following reasons: This Java platform does not support the operating system or operating-system service pack on this machine."

Update Instructions:

Let's walk through the steps, beginning with removing any prior versions of SunJava on the computer.

  1. Close any open programs you may have running, especially your web browser

  2. Click Start > Control Panel (Depending on your OS or configuration, you may have to click Start > Settings > Control Panel)

  3. Open Add or Remove Programs (If you have Windows 98 or Windows 2000, open Add/Remove Programs)

  4. Click once on any item listing J2SE or Java Runtime Environment in the name. (Not every version of Java will begin with "Java", so be sure to read each entry in the list.) Here is a sample of what you might find:

    Particularly vulnerable versions of Sun Java Runtime Environment (JRE) include the following and should be uninstalled as well as ALL other versions located:

    • JDK and JRE 5.0 Update 9 and earlier
    • SDK and JRE 1.4.2_12 and earlier
    • SDK and JRE 1.3.1_18 and earlier

  5. Click the Remove or Change/Remove button

  6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
  7. Search 'Programs' and 'Application Data' and remove old version files manually.

    1. C:\Program Files
    2. C:\Documents and Settings\USERNAME\Application Data\

  8. Restart your PC once all Java components have been removed

  9. Reconnect to the Internet and go to Java SE Downloads.

  10. Scroll down the page until you reach Java Runtime Environment (JRE) 6 Update 7 as shown below and click on the Download button:

    Java Runtime Environment (JRE) 6 Update 7

    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
  11. You will then find yourself on a page requiring acceptance of the License Agreement. Click in the circle next to Accept:

    Required: You must accept the license agreement to download the product.

    Accept License Agreement | Review License Agreement
    Decline License Agreement

  12. After accepting the license agreement, a new page opens with a table of platforms to select from. For Microsoft Windows systems, the first selection on the list is the one you want. It is recommended that you select the Windows Offline Installation.

    Windows Platform - J2SE(TM) Runtime Environment 6
    Download Now! Windows Offline Installation, Multi-language
    jre-6u5-windows-i586-p.exe
    15.24 MB

  13. Save the update to your computer:

  14. When installing, be alert to the options. If you do not have the Google Toolbar installed on your computer, you may find the offering illustrated below. Uncheck "Google Toolbar for Internet Explorer" if you do not want the toolbar included with the installation. There may be other pre-checked "optional" installs that you may also choose to uncheck.

  15. Restart the computer to finalize the process after completing the download/install of the SunJava update.

  16. Optional: Verify the version installed at http://www.java.com/en/download/help/testvm.xml

Following the above instructions will help keep your computer not only updated but also less vulnerable to infections inherent in older versions of SunJava.
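As an added example (not part of the original post), here is a small Python script that applies the version thresholds listed in step 4 to the kind of entries Add or Remove Programs shows, so you can tell at a glance which entries fall in the specifically vulnerable ranges, which are merely outdated, and which is the current JRE 6 Update 7. The entry names in SAMPLE_ENTRIES are constructed for illustration.

```python
"""Classify installed Sun Java versions against the thresholds in this post.

Added example, not from the original post: parses the version strings that
Add or Remove Programs and 'java -version' report, normalizes them to a
comparable tuple, and flags the vulnerable / outdated / current entries.
"""
import re

# Upper bounds (inclusive) of the vulnerable ranges named in the post.
VULNERABLE_UP_TO = {
    (1, 5, 0): (1, 5, 0, 9),    # JDK and JRE 5.0 Update 9 and earlier
    (1, 4, 2): (1, 4, 2, 12),   # SDK and JRE 1.4.2_12 and earlier
    (1, 3, 1): (1, 3, 1, 18),   # SDK and JRE 1.3.1_18 and earlier
}
CURRENT = (1, 6, 0, 7)          # JRE 6 Update 7, i.e. 1.6.0_07

# Classic form: 1.5.0_09, 1.4.2_12, 1.6.0 (update number optional)
_DOTTED = re.compile(r"(?<!\d)1\.(\d)\.(\d)(?:_(\d+))?(?!\d)")
# Marketing form: "5.0 Update 9", "6 Update 7", "6u7"
_MARKETING = re.compile(r"\b(\d)(?:\.0)?\s*(?:Update\s*|u)(\d+)\b", re.I)


def parse_version(text):
    """Return (1, major, minor, update) or None if no Java version is found."""
    m = _DOTTED.search(text)
    if m:
        return (1, int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _MARKETING.search(text)
    if m:
        # "5.0 Update 9" is the marketing name for 1.5.0_09
        return (1, int(m.group(1)), 0, int(m.group(2)))
    return None


def classify(text):
    """'current', 'vulnerable', 'outdated' or 'unknown' for one entry."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v >= CURRENT:
        return "current"
    bound = VULNERABLE_UP_TO.get(v[:3])
    if bound is not None and v <= bound:
        return "vulnerable"
    # Older than the current release but outside the listed ranges; the post
    # says to remove these too.
    return "outdated"


def triage(entries):
    """Map each Add or Remove Programs entry to its classification."""
    return {entry: classify(entry) for entry in entries}


# Constructed sample of what Add or Remove Programs might list (not real data)
SAMPLE_ENTRIES = [
    "J2SE Runtime Environment 5.0 Update 9",
    "Java 2 Runtime Environment, SE v1.4.2_12",
    "Java 2 Runtime Environment Standard Edition v1.3.1_18",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) SE Runtime Environment 6 Update 5",
    "Java(TM) SE Runtime Environment 6 Update 7",
    "Google Toolbar for Internet Explorer",
]

if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE_ENTRIES).items():
        print(f"{verdict:<11} {entry}")
```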



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Friday, September 29, 2006

VideosCodec and More on Fake Codecs

Take a close look at the rose image, nestled among the greenery, accompanying this blog post. Is the rose real or fake? Difficult to tell, isn't it? In this case, just as with the fake codecs, it is fake.

Yes, I hear you. Of course you could tell the difference in your own garden but how many times have you seen artificial plants that look so real you had to examine them closer? It is the same with the fake codecs -- the most recent added to the list just today being VideosCodec. Others we have seen include VirusBurst, VirusBurster, MediaCodec, WinMediaCodec, X Password Generator, strCodec, pCodec, etc.

You may wonder why so much attention is given to the fake codecs by the security community. The reason is simple. They are not going away, as evidenced by the over 20 updates S!Ri has made to his SmitfraudFix© tool so far just in September. Besides, knowledge is power. The more information we can share, the better you will be able to protect your computer. Just like the artificial rose, the fake codecs look real from a distance. Take this for example:

It certainly looks legitimate. Want to see what would happen if you clicked on the download link? Take a look at the page entitled, "General installation of Fake Codecs, or . . . how to get screwed the easy way" that Jahewi put together and made available at his Jahewi's Anti-Malware Information website. It is not a pretty picture, at least not if it is on your computer.

If you find a movie-clip that you want to see, be wary, very wary, if you get a message that Windows Media Player cannot locate the right codec and you are asked to download and install the codec in order to watch the movie. If you get taken in, instructions for removal are provided in "Removing Fake Security Programs Like VirusBurst, WinMedia & Other Codecs".




Thursday, September 28, 2006

Microsoft Security Advisory 926043


The details of the advisory are below. The work-around, as always: keep your antivirus software updated and don't open unexpected attachments in e-mails. For this vulnerability, at least until the Windows Update on October 10, disable ActiveX when using Internet Explorer.

To disable ActiveX:

-- Click Tools > Internet Options > Security tab > Internet Web Content Zone > Custom Level
-- In the Settings box, scroll to "Scripting" and Disable Active scripting and Scripting of Java applets.
-- Click OK twice.



This alert is to notify you that Microsoft has released Security Advisory 926043 – Vulnerability in Windows Shell Could Allow Remote Code Execution - on 28 September 2006.

========================================
Summary
========================================

Microsoft is investigating new public reports of a vulnerability in supported versions of Microsoft Windows. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports.

The ActiveX control called out in the public reports and in the Proof of Concept code is the Microsoft WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by Web View.

We are working on a security update currently scheduled for an October 10 release.

Customers are encouraged to keep their anti-virus software up to date.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

========================================
Mitigating Factors
========================================
• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default.

========================================
Additional Resources:
========================================

• Microsoft Security Advisory 926043 – Vulnerability in Windows Shell Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/926043.mspx

• MSRC Blog:
http://blogs.technet.com/msrc/

LangaList Subscribers Have Arrived!

Having "Loaded the Code" for the Security Garden, allow me to take this opportunity to welcome LangaList subscribers.

As a bit of background, beyond "About Me", after being awarded Microsoft MVP in Windows Security, I decided that I wanted to do more for the "public community" than provide help in the forums. I considered several options. The main thing that held me back is that I couldn't see the fun or benefit in repeating what everyone else has already done. I go to a lot of security sites/blogs for research. After a while, they all look and sound alike. Rather, I wanted to add my own spin on what I report.

Then I saw a friend who retired a few years ago. She asked me about my garden. That night while outside walking around the yard with the dogs, it occurred to me that many people *recognize* me by my rose avatar. Then I recalled my friend's inquiry about my garden. The next thing I knew, I had a name and theme. My goal for this blog is to not only provide information on the latest vulnerabilities and security updates, but also security information, news and helpful tips that are not completely filled with technical jargon.

Now that you know a little more about me, take a walk down the Security Garden path. There is a bench waiting. Have a seat and take a look around.

My lunch break is over, so I have to get back to work. While I do that, after you finish here, there is another blog site you may want to check out -- the Langa Blog, the "Official blog of the LangaList e-newsletter."



Wednesday, September 27, 2006

Mozilla Firefox 2 RC 1 Available for Testing


Announced at Mozillazine:
"Wednesday September 27th, 2006

Mozilla Firefox 2 Release Candidate 1 is now available for download. This preview of the next version of Firefox browser is aimed at Web Application Developers, testers and early adopters."

The updates from the Release Notes are reproduced below. There are some exciting features coming for Firefox users. Of course, your favorite extensions, plugins and themes from earlier versions of Firefox may not all work properly.

As good as the new features may sound to Firefox users, don't discount IE7. Although not an "apples-to-apples" comparison, check the feature comparison between IE7 and FF2 in "Internet Explorer 7 v Firefox 2.0", published 22 August 2006 by Wil Harris.

  • "Visual Refresh: Firefox 2's theme and user interface have been updated to improve usability without altering the familiarity of the browsing experience. For instance, toolbar buttons now glow when you hover over them. We will continue to improve the look and feel throughout the release candidate process.

  • Built-in phishing protection: Phishing Protection warns users when they encounter suspected Web forgeries, and offers to return the user to their home page. Phishing Protection is turned on by default, and works by checking sites against either a local or online list of known phishing sites. This list is automatically downloaded and regularly updated when the Phishing Protection feature is enabled.

  • Enhanced search capabilities: Search term suggestions will now appear as users type in the integrated search box when using the Google, Yahoo! or Answers.com search engines. A new search engine manager makes it easier to add, remove and re-order search engines, and users will be alerted when Firefox encounters a website that offers new search engines that the user may wish to install.

  • Improved tabbed browsing: By default, Firefox will open links in new tabs instead of new windows, and each tab will now have a close tab button. Power users who open more tabs than can fit in a single window will see arrows on the left and right side of the tab strip that let them scroll back and forth between their tabs. The History menu will keep a list of recently closed tabs, and a shortcut lets users quickly re-open an accidentally closed tab.

  • Resuming your browsing session: The Session Restore feature restores windows, tabs, text typed in forms, and in-progress downloads from the last user session. It will be activated automatically when installing an application update or extension, and users will be asked if they want to resume their previous session after a system crash.

  • Previewing and subscribing to Web feeds: Users can decide how to handle Web feeds (like this one), either subscribing to them via a Web service or in a standalone RSS reader, or adding them as Live Bookmarks. My Yahoo!, Bloglines and Google Reader come pre-loaded as Web service options, but users can add any Web service that handles RSS feeds.

  • Inline spell checking: A new built-in spell checker enables users to quickly check the spelling of text entered into Web forms (like this one) without having to use a separate application.

  • Live Titles: When a website offers a microsummary (a regularly updated summary of the most important information on a Web page), users can create a bookmark with a "Live Title". Compact enough to fit in the space available to a bookmark label, they provide more useful information about pages than static page titles, and are regularly updated with the latest information. There are several websites that can be bookmarked with Live Titles, and even more add-ons to generate Live Titles for other popular websites.

  • Improved Add-ons manager: The new Add-ons manager improves the user interface for managing extensions and themes, combining them both in a single tool.

  • JavaScript 1.7: JavaScript 1.7 is a language update introducing several new features such as generators, iterators, array comprehensions, let expressions, and destructuring assignments. It also includes all the features of JavaScript 1.6.

  • Extended search plugin format: The Firefox search engine format now supports search engine plugins written in Sherlock and OpenSearch formats and allows search engines to provide search term suggestions.

  • Updates to the extension system: The extension system has been updated to provide enhanced security and to allow for easier localization of extensions.

  • Client-side session and persistent storage: New support for storing structured data on the client side, to enable better handling of online transactions and improved performance when dealing with large amounts of data, such as documents and mailboxes. This is based on the WHATWG specification for client-side session and persistent storage.

  • SVG text: Support for the svg:textpath specification enables SVG text to follow a curve or shape.

  • New Windows installer: Based on Nullsoft Scriptable Install System, the new Windows installer resolves many long-standing issues."


Microsoft Internet Explorer ActiveX Vulnerability - CERT SA06-270A


US-CERT (The National Computer Emergency Readiness Team) issued the following alert, SA06-270A:

Microsoft Internet Explorer ActiveX Vulnerability

Original release date: September 27, 2006
Last revised: --
Source: US-CERT

Systems Affected
  • Microsoft Windows
  • Internet Explorer

Overview

A vulnerability in ActiveX and Internet Explorer could allow an attacker to take control of your computer.

Solution

Microsoft has not yet released an update to address this vulnerability. Until an update is available, consider the following best practices:

Disable ActiveX

Disabling ActiveX will prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in "Securing Your Web Browser" and "Improve the safety of your browsing and e-mail activities."

Do not follow unsolicited links

Do not click on unsolicited URLs, including those received in email, instant messages, web forums, or internet relay chat (IRC) channels.

Description

An attacker could exploit a vulnerability in an ActiveX control by convincing a user to visit a web site with Internet Explorer. The attacker could then take any action as the user, including installing malicious software and accessing sensitive personal information.

For more technical information, see Vulnerability Note VU#753044.

References
  • Securing Your Web Browser
  • Vulnerability Note VU#753044
  • Improve the safety of your browsing and e-mail activities
  • Microsoft Security Essentials

A Not-So-Nice e-Card Yields a Nasty Infection

I have a close friend that I regularly exchange e-cards with, sharing the latest news. We tend to use the same site all of the time. I do not, however, receive e-cards from someone I do not know. If I did, just like an e-mail, I would not open it. Based on a report at SunbeltBLOG, that is a good practice.

It seems that there is an infector, not in the greeting card, but in the "flash player" update that the card site tells the recipient is needed to view the card. According to Alex's report in "Seen in the wild: Example greeting card scam", if you install this fake flash player, you get two Haxdoor variants!

"We were able to access the website where the malware author is counting the installs done using this scam, and we see about 2,500 installs so far on this. Maybe not a large number, but that's 2,500 users who may be facing a very unpleasant time."

Let's hope by alerting folks to this scam, 2,500 other users can avoid this nasty infection. If you get caught, go to one of the ASAP member sites for help. Better yet, stay safe. Just as we teach our children not to talk to strangers, don't open e-mails/e-cards from strangers.

Tuesday, September 26, 2006

Beware of Your Next Caller

That's right. The next call shown on the caller ID of your telephone, whether it be land-line or cell phone, may not be from the person or number shown.

SpoofCom.net has come up with an absurd program to sell what they call "Spoof Minutes" and change what callers see on their display when receiving a telephone call. Sounds good, right? A way to protect your telephone number? No, my friends, it is the crooks who will take advantage of this. How about spoofing the number of the police department, a government agency such as the FBI or Internal Revenue, American Express, or another credit card company or bank? Too many people are tricked into providing personal information as it is now. This is a potential time-bomb ready to explode in the faces of the innocent. From the site's own advertising:

"Manipulate the Caller ID that is sent from your phone. Appear to be anyone, anywhere, anytime. This service is compatible with nearly all phones, cell phones, and even the new VoIP phones!

{Snip}

No computer needed! Simply dial a secret 800# we will issue you. 1. Enter your pin. 2. Enter ANY Caller ID Number you wish to display. 3. Destination number. 4. Your call is connected using the specified Caller ID Number" {Emphasis Added}

Please consider filing a complaint with the Federal Communications Commission. This has to be stopped before someone is hurt.

Important Update: Security Bulletin MS06-049 Re-Released

The Microsoft Security Response Center Blog announced that MS06-049 for Windows 2000 users is being re-released. This is related to a vulnerability in the Windows kernel that could result in an elevation of privilege.

For more information, see Microsoft Knowledge Base Article 920958.

Note: This is an important update for Microsoft Windows 2000 Service Pack 4.

Known issues from KB 920958: After you install the original version of security update 920958 (MS06-049) on a computer that is using NTFS file system compression, compressed files that are larger than 4 kilobytes (KB) may be corrupted when you create or update the files.

To resolve this problem, install the new version of security update 920958 (MS06-049) that released on September 26, 2006.

================================================
Re-released Security Bulletins
================================================

In addition, Microsoft is re-releasing the following security bulletins

(NOTE: This list contains ONLY those products affected by the re-release and the severity of the vulnerability for those products affected by the re-release)

Microsoft Security Bulletin MS06-049 - Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)

Summary: Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should apply the update at the earliest opportunity

Reason for re-release: A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

After you install security update 920958 (MS06-049) on a computer that is using NTFS file system compression, compressed files that are larger than 4 kilobytes (KB) may be corrupted when you create or update the files. (See http://support.microsoft.com/kb/920958 for details)

Information on these re-released bulletins may be found at the following pages:
http://www.microsoft.com/technet/security/Bulletin/MS06-049.mspx





Critical Update: Microsoft Security Bulletin MS06-055

Rather than wait until the next scheduled update on October 10, Microsoft released Security Bulletin MS06-055. This is a highly critical update. A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it.

Note: If you have applied any of the third-party fixes for the VML remote code vulnerability, I would suggest that you reverse those changes before installing this update.

================================================
New Security Bulletins for September 26 2006
================================================

Microsoft is releasing the following security bulletins for newly discovered vulnerabilities:

Microsoft Security Bulletin MS06-055 - Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)

Summary: Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

The summary for this bulletin can be found at the following page:

http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx




Monday, September 25, 2006

Opening the Gates

As much as parents would like to keep the gates locked and their children safely inside, that will not keep their children safe forever. There comes a time when we have to let them go out on their own. That is not to say that we should merely open the gates and push them out to fend for themselves. It is the parents' responsibility to provide the necessary safety training.

Safety applies to the Internet as well as to crossing the street and not taking candy from strangers. It is important to teach them about the potential dangers on the Internet, particularly if they are going to be visiting sites like MySpace. In case you have been living under a rock, the least of the issues is described in "Adware Spreads Through Myspace", where
"groups of websites that entice MySpace users into placing videos onto their profile pages (under the guise of 'free content'), without disclosing a key piece of information that might make them think twice. When someone visits one of these profiles carrying the video, a DRM acquisition box pops up and attempts to install Zango adware."
There is a lot more on Zango. You can find links to many of the articles at Certified Bug. For parents, however, adware is the least of their worries. As reported by Reuters in "MySpace, Seventeen launch parents education plan":
"In September, a 40-year-old Utah man was charged with attempting to lure a 13-year old girl on MySpace to have sex with him in New York.

The girl's father, who installed software that monitored his daughter's online activity, intervened before the rendezvous occurred, according to reports in local Chicago newspapers."

There may be situations where monitoring a child's activities on the internet is appropriate. I don't, however, see monitoring as a solution. It certainly will not help when your child is at a friend's house or at the public library. Talk to your children and explain what can and has happened to others.

Also indicated in the above-referenced Reuters article is notice that MySpace is announcing a partnership with Seventeen magazine, the National School Board Association and the National Association of Independent Schools to provide tips to parents on protecting their children online. The tips are on the site now, although the link is buried at the bottom of the page. In addition to Safety Tips for both parents and children, there are links to websites with more information. There is also a PDF with additional information from "Seventeen" for parents.

When my grandgirl became a teen, I included with her birthday wishes a collection of links to parental control and child safety websites. Parents, please teach your children safety on the Internet. Talk to them about what can happen -- and has happened -- to other children. When you open that gate, make sure they are prepared to cross the Internet highway alone.





Sunday, September 24, 2006

Removing Fake Security Programs Like VirusBurst, WinMedia & Other Codecs

It seems that the writers of the rogue applications are on a spree. The latest, WinMediaCodec, was discovered a few days ago. (See what it looks like at the Sunbelt Blog.) Fortunately, by Saturday morning, S!Ri, the developer, had already updated SmitFraudFix. Good thing too, because within an hour I was helping someone with that infection. It was also fortunate that the person found the help site, because his/her friends said there was no way to remove it and a clean format was the only solution. Rest assured, if you are unfortunate enough to be infected by one of these rogues, there is help available.

I have seen a lot of search results locating this blog after searching Google for VirusBurst and the like. As a result, it is time to provide the preliminary steps for removing the likes of VirusBurst, MediaCodec, WinMediaCodec, as well as future iterations of what we generically refer to as the "SmitFraud" infection. Understand that this will provide relief, but additional steps will likely be needed to completely remove the debris. That is where the security help forums come into play. You can find me and others at LandzDown and Freedomlist, as well as others in the community at the various ASAP member sites.

You might find digging out dandelions an easier task, so roll up your sleeves and get to work!

A. Start by downloading and installing the following files:
1. Download HijackThis© from: http://www.thespykiller.co.uk/files/HJTsetup.exe

  1. At the download prompt, choose "Save".
  2. Navigate to the saved file and double-click the installer, HJTsetup.exe.
  3. HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.
  4. When the installation is complete, exit HijackThis.

2. Download SmitfraudFix (© S!Ri) to your Desktop from http://siri.urz.free.fr/Fix/SmitfraudFix.zip and extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

  Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user (See http://www.beyondlogic.org/consulting/processutil/processutil.htm).

3. Download ewido anti-spyware from HERE. Save the file to your desktop so you can locate it.

  1. Locate the ewido anti-spyware icon on the desktop.
  2. Double-click the large yellow "e" ewido icon to launch the set up program.
  3. The installation will require a restart of the computer.
  4. Launch ewido to update to the latest definition files.
  5. On the main screen select the "Update" icon.
  6. Click "Start Update". The update will start and a progress bar will show the updates being installed.
  7. If you have problems with the updater, you can use this link to manually update ewido -- ewido manual updates

4. Set up ewido as follows:

  1. Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  2. In the Settings screen click "Recommended actions" and then select "Quarantine".
      3. Under "Reports"
        • Select "Automatically generate report after every scan"
        • DE-Select "Only if threats were found"
        • Close ewido

    B. Restart your computer in Safe Mode.
    1. Wait 30 seconds, and then turn the computer on.

    2. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.

    3. Ensure that the Safe Mode option is selected.

    4. Press Enter. The computer then begins to start in Safe Mode.

    5. Log in to your usual account (if you need further assistance with Safe Mode, see Symantec).

    C. Scanning and system cleaning with ewido.
    1. Launch ewido anti-spyware by double-clicking the icon on the desktop.

      IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.

    2. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".

    3. ewido will now begin the scanning process. Be patient as this may take a little time.

    4. While scanning, ewido will list any infections found on the left side.

    5. When the scan is completed, the recommended action should be set to Quarantine. If not, click Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right side.

    6. Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

    7. Close ewido.

    D. Navigate to the SmitfraudFix folder on your desktop.
    1. Double-click smitfraudfix.cmd file to start the tool.

    2. Select option #2 - Clean by typing 2 and press Enter.

      Note: running option #2 on an uninfected computer will remove your Desktop background.

    3. Wait for the tool to complete and disk cleanup to finish.

    4. You will be prompted: "Registry cleaning - Do you want to clean the registry?"

      1. Answer Yes by typing Y
      2. Hit Enter.

    5. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.

      1. If prompted, answer Yes to the question "Replace infected file?" by typing Y
      2. Hit Enter.

    6. A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please restart it manually.

    7. The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

    That will have taken care of the majority of the problem. However, there are likely remnants or other problems caused by the rogue installation. It is advisable to go to one of the security sites for a review. It's easy to register. Then create a topic in the appropriate forum for HijackThis logs. Be sure to include a copy of the rapport.txt, the ewido log and a HijackThis log.

    (Do NOT attempt to remove anything with HijackThis on your own. It is very powerful and removing the wrong thing could easily cripple the computer.)


    Note: Special thanks to S!RI for not only creating SmitFraudFix but also for keeping it updated.



    Saturday, September 23, 2006

    A New Vista

    It's getting closer every day. It was only a few days ago that it was reported at the Windows Shell Blog that they are Putting the Final Touches on Windows Vista's "Fit-and-Finish", explaining the balancing act involved in making the decision on what to change in the UI (User Interface). Even a small change can have a major effect not only on the users but also on the product support staff.

    Yesterday evening, however, things went a step further. The Windows Vista Blog Team reported the release of Interim Windows Vista Build 5728:

    "The build is available to the public.

    Here's our official message to our testers:

    Updated Test Build Available (September 2006): Microsoft is looking for volunteers to help test an updated, interim release of Windows Vista. This build (5728) has a number of improvements and updates from RC1, but has not been put through the same internal testing process as RC1. We are making this release available for a limited time only in order to get broad distribution and testing in a variety of PC configurations. Click here if you are interested in testing this release. Otherwise, please use the links below to download RC1 (build 5600)."

    {Snip}

    "One more thing to note: users of Toshiba models M400, M4 and M5 should do a clean install (not upgrade) of this build."

    All that has led to even more developments. There is now a forum where Vista testers can post their "Windows Vista Rants & Raves". One feature that I am sure everyone is going to rave about is the "Ability to Mute the Windows Vista Start-up Sound". That's right, Microsoft listened when customers said they want to be able to disable the default start-up sound that plays during boot-up of Windows Vista. Now "Play Windows startup sound" can be unchecked in the Sound control panel.

    How about the New Vista Nature Wallpapers? Nice, but I'll hold out for the roses.

    Friday, September 22, 2006

    Security Cadets Admitted to ASAP

    So, what is ASAP?
    ASAP stands for the Alliance of Security Analysis Professionals.


    ASAP started out as a small band of security sites under siege, and is rapidly expanding to include the "Best of the Best" the Internet Security Community has to offer.

    ASAP is made up of website and forum owners and administrators, forum and site staff, individuals, companies and various organizations dedicated to providing security related support to computer end users.

    ASAP is a joint effort designed to assist helping end users with as seamless a process as possible by using methods such as cross-referrals, multiple product support services, easy information access, and cross referencing/verification.

    ASAP goals are:

    • To ensure a high standard and quality of security support no matter where you seek help.
    • To recommend in an equal and fair manner products available to keep your computer clean and safe, regardless of pricing.
    • To ensure that end users are not affected by so called "product wars" and unfair marketing tactics, which have plagued several industries in recent years.

    ASAP ensures that quality support and assistance will be freely available - knock one of the support networks out and another will pick it up immediately. In addition, pooled resources permit the ability to provide support redundancy, thereby adding an additional layer of protection against Internet based threats.

    If you see the ASAP logo or banner used by a site, bulletin board, or person, you can be assured that you're getting the best support and assistance possible, as the combined efforts of all ASAP members are involved in helping everyone, and ASAP won't give up until your important investment is safe and clean.

    ASAP is a non-profit, volunteer network.

    I see ASAP as more than what is written in the ASAP Charter. The Security Garden is about computers, security news, information, tips and more. That is also what the ASAP Member sites provide.

    If you are a regular reader of this blog, you have read about Virus Burst and other rogues that have infected people's computers and attempt to lure them into purchasing the software to remove the infection the rogue installed. Like Security Cadets, ASAP member sites provide help in the form of log analysis to provide suggestions on how to remove such infections.

    The help does not stop at cleanup either. Analysts check the logs for an indication of antivirus software and firewall on the computer. Users are also encouraged to check for Microsoft Updates and receive suggestions on other security software that will help them surf safely.

    Should you experience problems with your computer, rest assured that you will get the best help available if you visit an ASAP member site.


    Congratulations, Security Cadets!


    The Leaves Aren't the Only Things Changing

    If you have been following Microsoft for any period of time, you have also been reading what Mary Jo Foley had to say at Microsoft Watch. As of two days ago, you will now be able to catch Mary Jo Foley at "ZDnet" where she is blogging "All About Microsoft". In her initial posting, Mary Jo wrote:
    "On this new site, I will weigh in on Microsoft news of interest to businesses of all shapes and sizes. Expect to read about everything from Windows Vista and Office 2007, to Microsoft Dynamics and Microsoft “Live.”"
    Perhaps more interesting is what she said in "Mary Jo Foley: The Exit Interview" at "Robert McLaws: FunWithCOding.NET - Windows Vista Edition":
    ". . . you can expect to see lots of Microsoft news, rumors, tips and pointers to the most interesting Microsoft stories of the day from all around the Web. I also have some other interesting new projects in the works, so stay tuned :)."
    I am anticipating that this will be an interesting change and look forward to reading more on Mary Jo Foley's outlook, as evidenced by a recent post, "The pundits are wrong: Vista is moving full-steam ahead".



    Tuesday, September 19, 2006

    October 10 Ends Support for XP SP1 and SP1a

    Just as the seasons change, now in the Northern Hemisphere from summer to autumn, so does the support for the software we have on our computers.

    Quite some time ago, Microsoft published the "Life Cycle" for their products. The information for all software, games, tools, hardware is available in Product Life Cycle, which is reviewed and updated regularly.

    In January of this year, Microsoft announced that support was extended from September to October for XP Service Pack 1 (SP1) and 1a (SP1a). As published in Microsoft Help and Support:

    Windows XP SP1 and SP1a support ends on October 10, 2006

    Support for Microsoft Windows XP Service Pack 1 (SP1) and Service Pack 1a (SP1a) ends on October 10, 2006. Microsoft will end support on this date. This also includes security updates for these service packs. Microsoft is providing final notifications to customers regarding the end of support for these products.

    Service Pack 2 (SP2) for Microsoft's XP operating system was released two years ago. SP2 included significant security enhancements. So why is it a surprise that support for SP1 and SP1a is ending? Why is it that I am still seeing countless logs in the forums either without any service pack installed or still at SP1? There is no time to delay. Information on updating to XP SP2 is available at the link below.

    Please don't delay.

    The SP2 upgrade is free and includes not only enhancements to the XP operating system but, more importantly, it incorporates better protection against viruses, hackers, and worms than SP1 and SP1a.

    XP SP2 Update Information

    Order Windows XP SP2 on CD


    Microsoft Security Advisory 925568 Released

    Microsoft has issued Security Advisory 925568 in which a vulnerability in vector markup language could allow remote code execution. As reported at the Microsoft Security Center Blog:

    ". . . this exploit code could allow an attacker to execute arbitrary code on the user's system. We also want you to know that we’re aware that this vulnerability is being actively exploited. Thus far the attacks appear targeted and very limited. We’ve actually been working on an update that addresses this vulnerability and our goal is to have it ready for the October release, or before if we see widespread attacks."
    ========================================
    Summary
    ========================================

    Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.

    A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

    ========================================
    Mitigating Factors
    ========================================

    • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.

    • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    • In an e-mail based attack of this exploit, customers who read e-mail in plain text are mitigated from this vulnerability, instead users would have to click on a link that would take them to a malicious Web site, or open an attachment to be at risk from this vulnerability.

    • By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because Binary and Script Behaviors are disabled by default.


    ========================================
    Additional Resources:
    ========================================

    • Microsoft released Security Advisory 925568 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/925568.mspx

    • Microsoft Knowledgebase Article 925568 - Microsoft Security Advisory: Vulnerability in Vector Markup Language Could Allow Remote Code Execution
    http://support.microsoft.com/kb/925568

    • MSRC Blog:
    http://blogs.technet.com/msrc/
    Note: check the MSRC Blog periodically as new information may appear there.
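    The mitigating factor about plain-text e-mail above comes down to one rule: untrusted markup is never handed to the rendering component, so a bug in that component cannot be reached by mail. The Python below is an added example written for this post; it is not code from the post or from Microsoft. It reduces an HTML message to the text a plain-text reader would show (visible text plus numbered link targets, with styles, scripts and every tag dropped) and, separately, flags whether the markup references VML at all, which a mail gateway could use to strip or quarantine such content before it reaches Internet Explorer's VML component. The VML namespace URI and the behavior binding are Microsoft's documented identifiers; the sample message and its example.invalid link are constructed for the example and contain only inert markup.

```python
"""Added example (not code from the post or from Microsoft).

Plain-text rendering of an HTML message plus a check for VML references,
illustrating the "read e-mail in plain text" mitigation: the markup is
never interpreted, so a rendering bug is never reached.
"""
import re
from html.parser import HTMLParser

# Microsoft's documented VML namespace URI and the Internet Explorer
# "behavior" binding that activates VML rendering (compared case-insensitively).
VML_NAMESPACE = "urn:schemas-microsoft-com:vml"
VML_BEHAVIOR = "#default#vml"


class PlainTextExtractor(HTMLParser):
    """Keep visible text, turn links into numbered references, discard the
    content of <style>/<script>, and drop every tag (including vendor-specific
    elements such as <v:rect>), none of which is ever interpreted."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.links = []
        self._skip_depth = 0      # > 0 while inside <style> or <script>
        self._anchor_open = False  # True between <a href=...> and </a>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip_depth += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)
                self._anchor_open = True
        elif tag in ("br", "p", "div"):
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip_depth:
            self._skip_depth -= 1
        elif tag == "a" and self._anchor_open:
            # Show the link target as a reference, not as something clickable.
            self.parts.append(f" [{len(self.links)}]")
            self._anchor_open = False
        elif tag in ("p", "div"):
            self.parts.append("\n")

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def html_to_plain_text(html):
    """Return the text a plain-text mail reader would show, followed by a
    numbered list of link targets so the user can see where links lead."""
    extractor = PlainTextExtractor()
    extractor.feed(html)
    extractor.close()
    text = re.sub(r"[ \t]+", " ", "".join(extractor.parts))
    text = re.sub(r"\n\s*\n+", "\n", text).strip()
    if extractor.links:
        text += "\n\nLinks:\n" + "\n".join(
            f"[{i}] {url}" for i, url in enumerate(extractor.links, 1))
    return text


def uses_vml(html):
    """True if the markup declares the VML namespace or binds the VML behavior,
    i.e. rendering it in Internet Explorer would invoke the VML component."""
    lowered = html.lower()
    return VML_NAMESPACE in lowered or VML_BEHAVIOR in lowered


# Constructed sample (not from the post): an HTML message that declares VML,
# binds the VML behavior in a style sheet and carries one link.
SAMPLE_HTML_MAIL = """<html xmlns:v="urn:schemas-microsoft-com:vml">
<head><style>v\\:* { behavior: url(#default#VML); }</style></head>
<body>
<p>Your account needs attention.</p>
<v:rect style="width:120pt;height:40pt" fillcolor="red"><v:textbox>Notice</v:textbox></v:rect>
<p><a href="http://example.invalid/login">Sign in here</a> to continue.</p>
</body></html>"""

if __name__ == "__main__":
    print("references VML:", uses_vml(SAMPLE_HTML_MAIL))
    print(html_to_plain_text(SAMPLE_HTML_MAIL))
```

    Run stand-alone, the script reports that the sample references VML and prints the three lines of visible text with the link listed underneath; the style block that binds the VML behavior and the v:rect element never appear in the output because the extractor only carries text through. A gateway that wanted the stricter policy from the advisory would simply reject or strip any message for which uses_vml() is true rather than rely on the recipient's reader settings.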

    Adobe Flash Player Security Bulletin - Critical

    Adobe released a Security Bulletin, identifying critical vulnerabilities in Flash Player 8.0.24.0 and earlier versions. According to Adobe, the vulnerabilities
    "could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious SWF file must be loaded in Flash Player by the end user for an attacker to exploit these vulnerabilities."

    Details and upgrade information are available at Adobe Support.

    Hat tip to "Eric The Red" for the information.

    Friday, September 15, 2006

    Are you ready for Vista?

    Have you been anxiously awaiting the opportunity to experience Vista? If so, the Windows Team Vista Blog reports:

    RC1 CPP Now Available to General Public

    A quick update on CPP status:

    Windows Vista RC1 is now publicly available. This means that 32- and 64-bit downloads for all three languages (English, German, and Japanese) are live. If you did not receive an email in the previous wave, you can now both download the ISO image and request a product key (PID).

    First and foremost, if you are not "computer savvy" or if your computer is "mission critical", I would advise you to wait until the final product release. Otherwise, you can find the necessary information at the Windows Vista "Customer Preview Program" page.

    Whether you are ready now or anticipating an upgrade after final release, find out if your Windows PC can run Windows Vista with the Windows Vista Upgrade Advisor RC, which works with 32-bit versions of Windows XP and Windows Vista. Note, however, that it does not work with Windows 98, Windows 2000, or Windows XP Professional x64 Edition.

    From there, go to Upgrading Planning for Windows Vista to find out if your system can be upgraded to Vista or if a clean install will be required.