On Thu, 5 Jan 2006 07:11:13 +0100, Richard King wrote:
> This WMF thing is taking up quite a bit of bandwidth! Have any of us been
> hit with it yet?
I have. It's kind of funny. I had just been reading about it on Monday,
thinking, "Wow. That sounds bad." Then, I went to an unrelated web site,
which I can't exactly recall what it was. I saw Pictures and Fax viewer
briefly flash, knew what I was seeing, and immediately pulled the plug
on my system. Fortunately, I had a fairly recent Ghost image, so I
booted into a Bart PE environment to copy some data off the drive,
restored the Ghost image, and was back up and running. I wish I hadn't
panicked like that. In hindsight, I should have copied my data off the
drive, pulled the NIC cable, pulled all other drives, and run the
isolated OS to see what happened.
After that, I decided I wanted to see it in action, so I fired up VMWare
and started heading to some "shady" sites. I booted up a Windows 2000
virtual machine and turned off images, since I was at work and knew that
it wouldn't be good to have some of those pop-up ads on my PC as my boss
walked by. :)
I wound up at a serial number/keygen site. I clicked a link for a random
app's serial number. Nothing happened, except for a slew of pop-ups. I
refreshed the page. I got different pop-ups. I kept refreshing. At one
point, 2K asked me if I wanted to open a WMF file. I cancelled and tried
again. After a few refreshes, I got hit. Hard. The pop-ups went nuts.
Something installed itself into my active desktop, which promptly had a
web page on it instead of the usual background. Svchost.exe command
prompts were opening like mad. IE kept crashing and re-opening. Explorer
crashed a few times.
The system was hosed and I had to revert to a snapshot. I don't know if
I could've cleaned it up if I had tried.
Since it did not happen every time I refreshed the page, all I could
guess is that somebody managed to get an infected WMF up on their ad
server. Yes, it's a shady site, but I think it's only a matter of time
before a WMF gets up on an ad server that goes to more mainstream sites.
Hopefully, that time will be after MS releases a patch.
--
Troy