Yesterday I got a new type of “Stupid Worm” hidding in background as xmss.exe. It copied itself on Local disk and Windows Directory (%Windir%). Terminated “Windows Task Manager”, Windows Command Prompt (DOS-Prompt) & crashed System Internal Process Explorer (procxp.exe).

Its not a funny video

According to McAfee, this worm is known as W32/Autorun.worm.g.

It can propagate itself over removable media and network drives and cause execution of malicious code via an autorun.inf file.

XMSS.exe Win32 AutoRun Files

• x:autorun.inf
• x:xmss.exe
• x:Funny UST Scandal.avi.exe
• %Windir%\autorun.inf
• %Windir%\xmss.exe
• %Windir%\Funny UST Scandal.avi.exe

Fixes Win32 AutoRun.* Worm

Here’s a few step to prevent Win32 AutoRun Worm.

1. Disabled System Restore for Temporary - KB 264887
2. Boot Windows in Safe Mode - KB 315222

3. In Windows Safe Mode, Open Windows Registry Editor

   Windows Start > Run > Regedit

4. Browse to the following registry settings ↓

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

5. Replace
   explorer.exe, xmss.exe with exporer.exe
   
6. Delete all the following files
   • C\autorun.inf
   • C\xmss.exe
   • C\Funny UST Scandal.avi.exe
   • X:\autorun.inf
   • X:\xmss.exe
   • X:\Funny UST Scandal.avi.exe
   • %Windir%\autorun.inf
   • %Windir%\xmss.exe
   • %Windir%\Funny UST Scandal.avi.exe

   %Windir% refers to the Windows folder (e.g. C:\Windows, C:\WindowsNT) and X: is drive letters used by a removable or network drive

7. Clean All Windows Temporary Files
8. Restart Windows

XMSS.exe Win32 Autorun Variants

VirusTotal.com - Dec 2007 Results.

External Links

• How to Enable and Disable System Restore
• Safe Mode Boot options in Windows

We are going to see Firefox 2.0.0.13 probably by end of this week. Check out this directory transversal code using view-sources: & resource: scheme
view-source:resource:///
translate to file:///C:/Program%20Files/Mozilla%20Firefox/

You can read/include firefox pref settings with this code. <script src=”view-source:resource:///greprefs/all.js”></script>

Workaround

Install No-script Add-ons.

Credits

Ronald van den Heetkamp at 0×000000

External Links

• Firefox 2.0.0.12 Information Leak POC

According to Chinese Lunar Calendar 2008 is the year of the RAT. ~Mickey 8:>

External Links

• Collections of Google Holiday Logos 1999 - 2007

MobSync is a Microsoft Mobile Synchronization Manager available in Win 2000 & Windows XP

Excerpt from Microsoft KB 314512 Articles (2002)

The Windows XP Synchronization Manager helps ensure that the files and folders on your mobile device and your desktop computer stay synchronized. With Synchronization Manager, you can be sure you are always working with the latest copy of your data, online or offline.

Technically MobSync is part of Windows Memory Management, its prefetch (type of cache) your External Device Contents (Mobile PC, Windows Embed XPE, PDA,database etc .. ) thus helps speed up the Windows booting process by shortening the time external device programs takes to start up.

MobSync Issue

MobSync is registered to run on logon but the process is hidden on others ‘Scans Tools’ like Autoruns.exe & Process.exe (SysInternal).

QuickFact:

• MobSync.exe can record inputs.
• Its hide itself from monitor applications.

Apparently because of its transparencies nature to hide behind windows systems some hackers decide to reverse engineer this programs as a Trojan Rootkit.

Should I disabled Mobsync?

If you used windows for surfing and office works you probably wont need this programs (crapware) most modern mobile device has a build in Synchronization Manager and doesnt relies on microsoft mobsync (dependencies issue). Its recommended to disabled this programs as it can hide itself from being monitored and doesnt showup on running process lists.

Step by step guide to disabled MobSync from your windows.

1. Disabled System Restore

   You will need to disabled Windows System Restore (Temporary).

2. View hidden system files

   Suspicious files is known to hide itself as Windows System files. The following settings will set all hidden files viewable so we could removed it.

   • Click on Windows Start → Control Panel → Folder Options → View Tab
   • Turn on the option to show hidden files

3. Clean Temporary Files and Windows Prefetch Files

   This wont harm your system. Removes all files inside the following directory. Remove the contents only not the folders.

   • C:\temp
   • C:\windows\temp
   • C:\Documents and Settings\<username>\Local Settings\Temp
   • C:\windows\prefetch

4. Boot in SafeMode

   Restart your PC in safe mode. Refer KB 31522 on How To Boot in Safe Mode.

5. Disabled MobSync Process

   1. Click on start → Run → mobsync
   2. Next, Click on Setup buttons
   3. On “Synchronizations Settings” Windows Logon/Logoff tab un-check all the following options:

      Automatically Synchronize the following items:

      • When I log on to my computer
      • When I log off to my computer
   4. While still in “Synchronizations Settings” Windows select the next tab label “on Idle” un-check the following items:
      • Synchronize the selected items while my computer is idle

6. Removed from system registry

   If you arent familiar with registry you may skip this part. Most normal startup programs can be found at the following registry path.

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

   In Windows XP all loaded “startup programs” (start menu/startup items) can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

   Mobsync registry HKLM\Software\Microsoft\Windows\CurrentVersion\syncmgr

Note on using Rootkit Scanner.

• James A. Eshelman HijackThis
• SysInternal RootkitRevealer
• F-secure Blacklight

Most advance Rootkit has a self mechanism to shutdown the system if any of this programs is identify in the memory. If you had this programs installed its advice to rename the programs first.

• RootKitRevealer.exe → RKV.exe
• HijackThis → hjct.exe

How to validate if the running programs is Tempered

Get Certificate Verification Tool ( WM Software Corp) and verify the programs signature or you could also run Microsoft sigverif.exe (c:\windows\SIGVERIF.TXT) to verify digital signature.

Caveat: Most Rookit is “padded/mugged” with unix controls character so its not readable by Windows (ANSI).

Setupapi.log entries

Setupapi.log can be found inside c:\windows\setupapi.log You need to enabled logging in verbose mode to get proper setup log.
HKLM\Software\Microsoft\Windows\CurrentVersion\SetupLogLevel

Insert DWORD value 0000FFFF to enabled verbose mode logging

Insert DWORD value 0 to disabled it

Tempered MobSync.exe & similar windows networks files.

An unsigned or incorrectly signed file
(c:\windows\msdownld.tmp\as03b1e1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll to
C:\WINDOWS\SYSTEM\msidle.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe to
C:\WINDOWS\SYSTEM\mobsync.exe.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll to
C:\WINDOWS\SYSTEM\mobsync.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll to
C:\WINDOWS\SYSTEM\sens.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll to
C:\WINDOWS\SYSTEM\sensapi.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll to
C:\WINDOWS\SYSTEM\senscfg.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll to
C:\WINDOWS\SYSTEM\es.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll to
C:\WINDOWS\SYSTEM\esshared.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll to
C:\WINDOWS\SYSTEM\estier2.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd to
C:\WINDOWS\SYSTEM\sage.vxd.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll to
C:\WINDOWS\SYSTEM\esenu.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf to
C:\WINDOWS\INF\mobilepk.inf.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp to
C:\WINDOWS\help\chnscsvr.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat to
C:\WINDOWS\SYSTEM\sfp\ie\mobilepk.cat.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp to
C:\WINDOWS\help\mobsync.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp) was installed. Error
0xe000022f: The third-party INF does not contain digital signature information.

Summary

What really bother me, is Microsoft Windows Setup API. Any downloaded Microsoft system files has embed sign-in digital signature. Windows installation will validate all setup file and logs out error if the file has a bad signature (third party signature or file being tempered). The flaw is within the Windows Setup API itself. It doesn’t protect you from installing bad programs.

You should thanks Microsoft developer for making good Installation Programs and reporting tools. it remind you of error but installed it nonetheless.

External Links

• MSDN System Event Notification Service (SENS)

I’m following up recent announcements on IEBLOG Internet Explorer 8 and Acid2: A Milestone. To my surprise, the Web Standard Groups ACID2 Test Page doesn’t conform to W3C CSS Validation.

The Errors

9 errors & 31 warnings.

Sorry! We found the following errors
43 	 Parse Error - second two]
88 	.parser-container div 	Value Error : color orange is not a color value : orange
94 	.parser 	Property error doesn't exist : }
97 	.parser 	Property m rgin doesn't exist : 2em
97 	Parse error - Unrecognized };
99 	.parser 	Value Error : width only 0 can be a length. You must put an unit after your number : 200
100 	.parser 	Value Error : border Lexical error at line 96, column 38. Encountered: "e" (101), after : "! "error;
100 	.parser 	Value Error : border Parse error - Unrecognized }
101 	.parser 	Value Error : background Too many values or values are not recognized : red pink

• W3c CSS Validation → http://www.webstandards.org/files/acid2/test.html

Full page Screenshot

Update: Just got ping from chaoskaizer. She said the CSS ERROR is part of the Web Standards Test Suit.

Apple QuickTime contains a stack buffer overflow vulnerability in the way it handles the RTSP Content-Type header. This vulnerability may be exploited by specially crafted RTSP stream protocol

Live Example

• GNUcitizen- Backdooring QuickTime Movies
• Apple QuickTime redirection to the RTSP exploit

Elia Florio (Symantec) wrap a good introduction post regarding QuickTime 0 day Exploit.

Known Vulnerabilities Proof of concept (milw0rm).

• Apple QuickTime 7.3 RTSP Response Content-Type Header Stack Buffer Overflow exploit
• Apple QuickTime Remote stack rewrite exploit for Internet Explorer 6 & 7
• Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera)
• Apple Quicktime (Vista/XP Sp2 RTSP RESPONSE) Code Exec Exploit

Workarounds

You may try the following workarounds, as there is no complete patch for this this vulnerability.

• Block TCP port 554 (optionaly 7070) and UDP 6970 through 6999 in your firewall
• Update Quicktime
• Disabled Apple Quicktime ActiveX control running in Internet Explorer (Windows registry file)
• For Firefox - Noscripts addons

Related Links

• RTSP - rfc2326 & RTP - rfc1889
• Apple Security Update on Safari 3 Beta Update 3.0.4
• NVD Database - Buffer overflow in Apple QuickTime
• Microsoft KB240797 - How to stop an ActiveX control from running in Internet Explorer

Recent update on Gmail has to many “Remote call” (AJAX) running (every 10secs) in the background. It will get really slow if you has a large numbers of email and spam. I’m suffering the dreaded “firefox freeze over” syndrome.

Below is a list of addons that will cause “firefox to freezeeeeeeeee”.

• Firebug
• Noscripts.

Its advice to disabled both of this addons or revert gmail back to older versions.

uri code to revert gmail to older versions
http://mail.google.com/mail/?ui=1.

As gmail is getting more crappy with “overload features”. I think I should start using thunderbird more often.

p/s: At this time of writing Google Aps Gmail is still with older version so you wont have this issue.

Related Posts

• Firefox 2.0.0.12 Urgent Security Release

AcroRd32Info is a another creative pieces of crap from Adobe a package for Acrobat Reader. Embed in Windows Explorer Shell, its main role is to start an initial prefetching for PDF documents in the Memory.

To test this program behavior, you will need to open your windows task manager (ctrl+alt+del once) and browse to any folder that contained a PDF documents and stay idle. Within just few seconds AdobeRd32Info will be loaded in the background and stay in memory.That was just for browsing the folder without opening any PDF files yet.

Windows has a standard prefetch modes and its fairly stable for most of the applications out there. Having a another background prefetcher hook on explorer is plain abusive not to mention its running without the owner permissions.

Adobe Reader is cheating. Its understable that with this methods it will improve the Acrobat boot time log, but I dont see much differences when its running in the background preparing to load a single PDF documents, its a pollutions.

AcroRd32Info stay in your memory so consider it as a pestware.

Here’s how you can safely removed this programs.

The proper way

• open Adobe AcroRd32
• Edit » Preferences
• Select the internet categories in the menu list then disabled
  Allow fast web view & Allow speculative downloading in the background

If thats doesnt work, you try this unrecommended method to disabled it.

• Browse to Adobe Reader directory usually at “Program Files\Adobe\Reader\”
• Find AcroRd32Info.exe
• Rename it from AcroRd32Info.exe to Acro_Rd32Info.exe

Recent Exploit on Adobe Reader

Exploit:W32/AdobeReader.K

From FSECURE, Exploit:W32/AdobeReader.K is detection of a malicious PDF file that is being heavily spammed through e-mail and it appears as an attachment.
This malicious PDF file takes advantage of a vulnerability on the URI handling of PDF files. This vulnerability affects IE7, Adobe Acrobat, and Adobe Reader on some platforms.
Users should update their Adobe Reader installations.

Affected Software Versions

Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier. Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier.

More info on this exploits at National Vulnerability Database

Matt cutts (Head of Google Webspam team) explained the important part of meta content.

view the video here

There is many reason why you need to block certain website from being access in your network. below is a “the few reason why”.

1. It’s a warez and porn sites.
2. I don’t want my employee to view my Competitor Websites.
3. I’m using illegal software and It seem necessary to disable the automated online registry checkup. ;p
4. I’m against this [countryname] I want to block all this particular domain from being access.
5. I hated this [socialnetworksite]

Safe Blocking

Here’s two methods you can safely used to block or redirect unwanted website from being access without using third party software.

1. Block Website using Windows Host file

Open Window explorer, browse to C:\WINDOWS\system32\drivers\etc click on the file name “host” (the file has no extension) make a backup copy first. Then right click view file properties and disabled the read only attributes and open it with a text editor (i.e: notepad).

Windows host settings instructions note

This file contains the mappings of IP addresses to host names. Each entry should be kept on an individual line. The IP address should be placed in the first column followed by the corresponding host name. The IP address and the host name should be separated by at least one space.

route-to target-hostname
example
127.0.1.1 www.thewebsite.com

note: 127.0.1.1 is you localhost address this is where you want the target-hostname/website to redirect. thewebsite.com is the targeted website URL.

alternatively you can also redirect it to google
64.233.167.99 www.thewebsite.com

Save the file and restore back the read only mode, then type in the block address url in your browser see if works.

OpenDNS filtering

The second methods is universal, its work on any operating systems. OpenDNSfiltering. This articles wont teach you how to setup opendns, you can read it at https://www.opendns.com/start. After you had setup OpenDNS account. Read their KB39 articles

its pretty much straight forward from there on. I’m sure you wont have problem configuring opendns filter . everything is just 2 click way.

Example Blocked Lists

127.0.0.1	babe.the-killer.bz
127.0.0.1	www.babe.the-killer.bz
127.0.0.1	babe.k-lined.com
127.0.0.1	www.babe.k-lined.com
127.0.0.1	did.i-used.cc
127.0.0.1	www.did.i-used.cc
127.0.0.1	coolwwwsearch.com
127.0.0.1	www.coolwwwsearch.com
127.0.0.1	coolwebsearch.com
127.0.0.1	www.coolwebsearch.com
127.0.0.1	hi.studioaperto.net
127.0.0.1	www.hi.studioaperto.net
127.0.0.1	webbrowser.tv
127.0.0.1	www.webbrowser.tv

Notes: Notice the double entries for each domain example.com and www.example.com , You will need both long and short URL for effective blocking. Dont depend on canonical address