Old 01-05-2006, 06:35 PM
David H. Lipman
Default Re: WMF Exploit question

From: "Carey Frisch [MVP]" <mrxp2004@nospamyahoo.com>

| Visit the Windows Live Safety Center and use the Complete Scan option
| to check for and remove malicious software that takes advantage of this
| vulnerability.
|
| Windows Live Safety center
| http://safety.live.com/site/en-US/default.htm
|

Carey:

Please /* STOP */ suggesting that web site!

It is a Beta and has the lowest catch rate in the AV industry.

Yesterday I placed three WMF-Exploit files in a folder and scanned the PC. They were
detected but NOT deleted.

I gave it a Zoo and it had a 22% catch rate. I have been continually testing Windows Live
Safety and the results are poor to bad. I have been providing feedback to Randy Treit,
Microsoft, and it was based upon my feedback that the latest version now allows you to scan
a particular location and not just all hard disks. However you STILL can't save or capture
a log of what was performed or found. You can't even copy and paste from the web site.

Just for this post, I tested a Zoo of infectors: 74 EXE-only files. I made it *very*
simple and none were installed into the OS; all are just sitting in a folder and I scanned
that folder. ALL of these EXEs have been submitted to Microsoft via the submission email
address prior to this test.

In this test it found only 43 of the 74 known infectors. That's only 58%!
If you are infected with one of the infectors NOT recognized by the web site you are
screwed.

I then took that same zoo of EXE files and scanned with the Kaspersky module in my Multi AV
Scanning Tool and the Kaspersky web based scanner. The results were 89% of the files were
deleted! 8 were left. Of those eight that were left, Kaspersky had their infections
detected BUT the file was not removed for some reason such as...

C:\1\CMDINST.EXE archive: Inno
C:\1\CMDINST.EXE/data0001 packed: UPX
C:\1\CMDINST.EXE/data0001 infected: not-a-virus:AdWare.Win32.CommAd.a
C:\1\CMDINST.EXE/data0001 disinfection failed: not-a-virus:AdWare.Win32.CommAd.a
C:\1\CMDINST.EXE disinfection failed: not-a-virus:AdWare.Win32.CommAd.a
C:\1\DH9013.EXE archive: NSIS
C:\1\DH9013.EXE/data0002 infected: Trojan-Clicker.Win32.Small.jf
C:\1\DH9013.EXE/data0002 disinfection failed: Trojan-Clicker.Win32.Small.jf
C:\1\DH9013.EXE disinfection failed: Trojan-Clicker.Win32.Small.jf
C:\1\MOMSON~1.EXE/bpkhk.dll infected: not-a-virus:Monitor.Win32.Perflogger.g
C:\1\MOMSON~1.EXE/bpkhk.dll disinfection failed: not-a-virus:Monitor.Win32.Perflogger.g
C:\1\MOMSON~1.EXE disinfection failed: not-a-virus:Monitor.Win32.Perflogger.g

Scanning the system using the McAfee and Sophos modules in my Multi AV Scanning tool removed
those remaining 8 files !

I know that you are a MS MVP. That does not mean that you HAVE TO only provide Microsoft
based solutions. If someone has a problem, and it is security related, please supply the
BEST solution and not just a Microsoft solution.

If you are going to give out web sites of online anti virus scanners, here is a list of tried
and true, well established, anti virus vendors..

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

Symantec:
http://security.symantec.com/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

BitDefender:
http://www.bitdefender.com/scan/license.php

Freedom Online scanner:
http://www.freedom.net/viruscenter/index.html

Panda ActiveScan:
http://www.activescan.com/

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

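As an added example that is not part of the original post, of Multi_AV, or of any AV vendor's tooling: a small Python script that parses scan output in the line format Kaspersky printed above (path, optional archive member after "/", a verb such as "infected" or "disinfection failed", and an optional detection name), separates "detected" from "actually removed", and computes a catch rate over a sample folder of the kind described in the post, plus what two engines together cover. The sample log lines, the file names, the detection names and the second engine's report are all constructed for the example; the "deleted" and "ok" line forms are an assumption about the scanner's log format, and paths are assumed to contain no spaces (as in the post's C:\1 folder).

```python
import re
from collections import OrderedDict

# Constructed sample scan output in the style quoted in the post.  The
# "deleted" and "ok" line forms are assumed, not taken from the page.
KASPERSKY_LOG = r"""
C:\1\A.EXE infected: Trojan.Win32.Agent.a
C:\1\A.EXE deleted
C:\1\B.EXE ok
C:\1\CMDINST.EXE archive: Inno
C:\1\CMDINST.EXE/data0001 packed: UPX
C:\1\CMDINST.EXE/data0001 infected: not-a-virus:AdWare.Win32.CommAd.a
C:\1\CMDINST.EXE/data0001 disinfection failed: not-a-virus:AdWare.Win32.CommAd.a
C:\1\CMDINST.EXE disinfection failed: not-a-virus:AdWare.Win32.CommAd.a
C:\1\DH9013.EXE archive: NSIS
C:\1\DH9013.EXE/data0002 infected: Trojan-Clicker.Win32.Small.jf
C:\1\DH9013.EXE/data0002 disinfection failed: Trojan-Clicker.Win32.Small.jf
C:\1\DH9013.EXE disinfection failed: Trojan-Clicker.Win32.Small.jf
C:\1\E.EXE infected: Backdoor.Win32.Example.b
C:\1\E.EXE deleted
C:\1\F.EXE ok
"""

# Constructed report from a hypothetical second engine, normalised to the
# same line format so both can be compared.
SECOND_LOG = r"""
C:\1\A.EXE ok
C:\1\B.EXE infected: Trojan.Win32.Generic
C:\1\B.EXE deleted
C:\1\CMDINST.EXE infected: Adware.CommAd
C:\1\CMDINST.EXE deleted
C:\1\DH9013.EXE ok
C:\1\E.EXE ok
C:\1\F.EXE ok
"""

# <top-level path>[/<archive member>] <verb>[: <detail>]
# Paths are assumed to contain no spaces.
LINE_RE = re.compile(
    r"^(?P<path>\S+?)(?:/(?P<member>\S+))?\s+"
    r"(?P<verb>archive|packed|infected|suspicious|disinfection failed|deleted|ok)"
    r"(?::\s*(?P<detail>.*))?$"
)


def parse_scan_log(log_text):
    """Return {top-level file: {"detections": [names], "removed": bool}}.

    Archive members (the "/data0001" parts) are folded into their container,
    because that is the file that has to be removed from disk.
    """
    files = OrderedDict()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate headers/summary lines we do not model
        rec = files.setdefault(m["path"], {"detections": [], "removed": False})
        verb, detail = m["verb"], m["detail"]
        if verb in ("infected", "suspicious") and detail and detail not in rec["detections"]:
            rec["detections"].append(detail)
        elif verb == "deleted" and m["member"] is None:
            rec["removed"] = True  # only deletion of the container counts
    return files


def detected_files(files):
    """Files the engine flagged at all (whether or not it cleaned them)."""
    return [p for p, r in files.items() if r["detections"]]


def detected_not_removed(files):
    """The post's failure mode: detected BUT the file was not removed."""
    return [p for p, r in files.items() if r["detections"] and not r["removed"]]


def catch_rate(files, zoo_size):
    """Fraction of the zoo flagged, e.g. the post's 43 of 74 = 58%."""
    return len(detected_files(files)) / zoo_size


def combined_coverage(logs_by_engine, zoo_size):
    """Per-engine (detected, removed) counts and how many zoo files at
    least one engine caught, which is why the post runs several engines."""
    per_engine = {}
    caught = set()
    for engine, log in logs_by_engine.items():
        files = parse_scan_log(log)
        removed = [p for p, r in files.items() if r["removed"]]
        per_engine[engine] = (len(detected_files(files)), len(removed))
        caught |= set(detected_files(files))
    return per_engine, len(caught)


if __name__ == "__main__":
    zoo = parse_scan_log(KASPERSKY_LOG)
    print("catch rate: %d%%" % round(100 * catch_rate(zoo, len(zoo))))
    print("detected but not removed:", detected_not_removed(zoo))
    print(combined_coverage({"kaspersky": KASPERSKY_LOG, "second": SECOND_LOG}, len(zoo)))
```

The zoo size is passed in separately because a scanner only lists what it recognised or chose to report; counting the files in the folder yourself is the only way to get the denominator the post uses.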