Old 01-05-2006, 03:58 PM
Saucy Lemon
 
Re: WMF Exploit question

doofdaddy@gmail.com wrote:
> Is there a way to search the PC to see if you have been exploited? I
> use Zone Alarm and my AV is up-to-date. I also use MS Antispy.
>
> How would I know if my PC was breached? Is there a scan or something I
> can do to see?
>
> Thanks


No one is sure at this point. The exploit has been known for a few days and
you can be sure the criminals and terrorists have been working around the
clock to take advantage of this one. It's a real plum because a computer can
be affected just by visiting a website etc. etc.

Keep your anti-virus as up-to-date as possible. You might consider, too,
unregistering the shimgvw.dll DLL file if you are confident operating
computers. If this bothers you in any way don't do it. If this bothers you
in any way don't do it. If this bothers you in any way don't do it. But it
is a good idea:

Start > Run > type in:

regsvr32 -u %windir%\system32\shimgvw.dll

Hit Enter.

You can re-register it later. It will screw up the Picture Viewer a bit and
there might be anomalies with the display of some graphic files, but your
computer should run OK without it for a few days until the patch is
available. De-registering the DLL is not 100% protection, but doing so
presents any exploiter with a hurdle.

Later to re-register it type:

regsvr32 %windir%\system32\shimgvw.dll

instead. Further, you might consider renaming the DLL in the
System32\dllcache folder and the System32 folder. Do the dllcache folder
copy first to bypass Windows File Protection. Example of a rename is:

shimgvw.dll renamed to shimgvw.dll.bak

After you rename the one in the System32 folder, Windows File Protection
will kick in and ask if you are sure etc. etc.

This enables you to quickly restore the file. Renaming helps because an
exploiter might be crafty enough to re-register the DLL on the fly ....
tough - but possible.

If your computer is newer and has an AMD64 / Sempron or a newer Intel P4 /
Celeron then you probably have a CPU with the no-execute bit. This means
that, combined with enabling DEP in Windows XP SP2, the exploit will fail
against your computer. Something to consider, eh? The no execution bit in a
modern CPU plus DEP in Windows XP SP2 blocks a lot of "buffer overflow"
vulnerability that so many exploits depend upon. For once, a *real* reason
to upgrade.


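An added audit script, written for this reply and not something the poster provided, that checks the three things the post talks about on your own machine: whether shimgvw.dll has been renamed in System32 and dllcache, whether it is still COM-registered (what regsvr32 -u undoes), and whether DEP is available and which policy is set. It assumes PowerShell, which postdates the thread, and the file paths the post names.

```powershell
# Added example (not part of the original post): audit the state of the
# shimgvw.dll workaround described above on a Windows machine.
# Assumes: PowerShell with the Registry: provider and WMI available;
# the file locations are the ones the post names.

$system32 = Join-Path $env:windir 'system32'
$targets = @{
    'System32 copy' = Join-Path $system32 'shimgvw.dll'
    'dllcache copy' = Join-Path $system32 'dllcache\shimgvw.dll'
}

# 1. Is the DLL still in place, or has it been renamed to .bak as suggested?
foreach ($name in $targets.Keys) {
    $path = $targets[$name]
    $state = if (Test-Path $path) { 'present' }
             elseif (Test-Path "$path.bak") { 'renamed to .bak' }
             else { 'missing' }
    "{0,-14}: {1} ({2})" -f $name, $state, $path
}

# 2. Does any COM class still point at shimgvw.dll? "regsvr32 -u" removes
#    these InprocServer32 entries, so hits here mean it is still registered.
$registered = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $server = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if ($dll -match 'shimgvw\.dll') {
                [pscustomobject]@{ CLSID = $_.PSChildName; Server = $dll }
            }
        }
    }
if ($registered) { "shimgvw.dll is still registered for:"; $registered | Format-Table -AutoSize }
else { "No CLSID InprocServer32 entry references shimgvw.dll" }

# 3. DEP status, the no-execute/DEP mitigation the post mentions.
#    SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
$os = Get-WmiObject Win32_OperatingSystem
"DEP available (NX CPU + OS support): {0}" -f $os.DataExecutionPrevention_Available
"DEP policy: {0}" -f $os.DataExecutionPrevention_SupportPolicy
```

Run it from an elevated prompt so the registry and dllcache reads are not blocked; a DLL that shows "present" and still has CLSID hits means neither workaround from the post has been applied.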