Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- From: "Stephen Howe" <sjhoweATdialDOTpipexDOTcom>
- Date: Fri, 30 Dec 2005 00:30:46 -0000
> As an addendum. This exploit is being used right now. I just received a
> customer's computer that was infected with Spy Sheriff by this method.
> The exploit was in a spam email. Turn off the preview pane in OE (always a
> good idea) and turn off the Windows picture and fax viewer until Microsoft
> has a fix.
It certainly is. I watched it in action. One inadvertent web site visit, a
popup box where I observed "WMF" in the title and it closed in 1/2 second, and
yup, mscornet.exe and a tmp file in the windows system32 directory. 1 second
later, ZoneAlarm kicked in asking whether I should allow an unknown program
to send packets over the Internet (denied).
Time to reboot in Safe mode and disinfect and kick in with that temp fix.
I have been here before.
Stephen Howe