To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
This is definitely due to the VML exploit. What you are experiencing may be hardware DEP blocking the exploit. When DEP blocks the page it will also crash IE.

A guide was put up for my members here that gives some information and a method of protecting yourself from the exploit.

http://www.bleepingcomputer.com/forums/topic66086.html

In summary you need to have them unregister the "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" file using regsvr32. This will disable VML on the machine and therefore protect against the exploit.

----- Original Message -----
From: "Gadi Evron" <[EMAIL PROTECTED]>
To: "Alavan" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Friday, September 22, 2006 12:28 AM
Subject: Re: [botnets] Possible zero-day exploit?

> On Thu, 21 Sep 2006, Alavan wrote:
>> Thanks Gadi. I hadn't been checking my [botnet] box, so I missed the
>> discussion. My apologies. Lots of good info there. I just found it bizarre
>> that we began getting flooded for about 2 hours and then it tapered off to
>> almost nothing. I wonder what website/e-mail they're all visiting/clicking
>> on that's getting them in trouble.....if I get any info on this, I'll
>> forward it.
>>
>> Tomorrow morning, I'll be cleaning a customer's PC that was infected. I may
>> or may not get further information.
>>
>> The symptoms were IE closing right after opening. Disabling "Enable 3rd
>> party browser extensions" allows IE to run properly. Another post states
>> that disabling Javascripting does the same.
>>
>> We had probably several hundred trends (customer support reps trending their
>> issue with the customer) between 3:30pm and 5:00pm PST and then it started
>> tapering off.
>
> Other ISPs are also reporting massive floods of their tech support
> lines. The hours can be explained by "leaving work" and going home, but I
> am not sure.
>
>>
>> Alavan
>>
>>
>> ----- Original Message -----
>> From: "Elia Florio" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Thursday, September 21, 2006 5:49 PM
>> Subject: Re: [botnets] Possible zero-day exploit?
>>
>>
>> > Your symptoms look very similar to the recent VML 0day exploit for IE.
>> > Any sample/page to submit? Any URL to analyze?
>> >
>> > EF
>> >
>> > ----- Original Message -----
>> > From: "Alavan" <[EMAIL PROTECTED]>
>> > To: <[email protected]>
>> > Sent: Friday, September 22, 2006 2:22 AM
>> > Subject: [botnets] Possible zero-day exploit?
>> >
>> >
>> >> I work at a Tier 1 ISP (Cox Communications). We are getting slammed with
>> >> customers calling regarding IE closing right after opening (thousands of
>> >> calls). Normally this is virus related. I have to look at a machine to
>> >> see what's going on....
>> >>
>> >> If anyone hears anything......
>> >>
>> >> Regards,
>> >>
>> >> Alavan
>> >> _______________________________________________
>> >> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
>> >> All list and server information are public and available to law
>> >> enforcement upon request.
>> >> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
