After getting into Task Manager I saw a number of suspicious processes. There were a lot of things running as my user that I didn’t recognize. kernels64.exe, vxgame6.exe, vxgame4.exe, mm4.exe, vxh8jkdq2.exe, netsh.exe, cmd.exe, winstall.exe, vxgamet4.exe, vxgame2.exe covers most of the list of suspect entries. netsh and cmd are both legit programs, but were likely being used as remote shells. In other words they were legit, but not something that I expected to be running. (I didn’t have a cmd shell open..)
Category: Computers
-
Task manager has been disabled by your administrator
The first problem I ran into in cleaning up after my infested Windows XP image was this error message. One of the first things I do in cleaning an infested system is try to kill off running process that look suspect (or at least identify them.) On using ctrl-alt-delete I got the message “Task manager has been disabled by your administrator” To be honest I haven’t seen that one before and it sent me Googling…
-
Cleaning up after the WMF exploit
OK, I mentioned that I infested a virtual machine with the current WMF 0-day exploit. First I should probably clarify. An exploit is a means of getting in to a system. The payload is the software that is installed. In the case of my experience there was a long list of pests installed. Given that the exploit enables any software to be installed, your experience may be different. That’s the first thing I want to make clear, depending on where and when you were affected you may see vastly different malware.
-
Microsoft Security advisory on WMF exploit
I’ve read the security advisory and unfortunately Microsoft doesn’t give any real workarounds. (There have been several announced from other sources.) Unfortunately, Microsoft: 1)urges caution in opening email and links from untrusted sources, and 2) wants you to call them if you’ve been affected by this. (1-866-PCSAFETY) and 3) make sure you have all updates (which currently don’t protect against this vulnerability) and a list of other things that don’t mitigate against this threat. Disappointing.
Correction — I just noticed, they do mention the “unregister” workaround, I missed it when I looked at the document I missed that you have to click on “workarounds” after viewing the “suggested actions” section. After all that time working on the virtual machine I’m probably not as sharp as I could be.
-
WMF 0-day update
Last night while I was in the midst of infecting a virtual machine, Microsoft issued a release that there’s a “possible vulnerability”… fortunately, their technical document is a bit more straightforward… technet advisory here. Spyware Confidential also has a good roundup on the coverage so far. There’s a bit more disturbing stuff coming too…
-
WMF zero-day exploit first hand experience
Well, I’ve just spent the better part of 6 hours (maybe a bit more) “sacrificing” a virtual machine to the zero-day Windows Meta File (WMF) exploit and all the malware that comes in. I picked one site from the sunbeltblog list to infect the virtual machine with and can attest to it being quite nasty. I was able to get the virtual machine *mostly* clean. I still haven’t gone back over it to try and make sure, but I’ll be posting some details from the “fun” tomorrow.
-
Joystick calibration under linux
I don’t know off the top of my head of a graphical joystick calibrator for linux, but there is a command line utility that’s dead easy to use…. jscal I found the tip in a flightgear mailing list after having a hard time with one of the first flights. The stick was very far off center, I had to pull almost all the way to the right to keep level. Anyway… here’s the tip.
-
Building RPM’s – building from tarballs
Again – I’m NOT an expert on the subject, but have had some success with building rpm’s from either src.rpms (covered last time) and building from tarballs… This entry will talk about the simplest kind of rpm build from tarballs. This is a situation where the developer’s in their great foresight have actually got a spec file in the tarball (and it’s kept current).
-
Converting spaces in filenames to underscores
Linux supports long file names, in some (many?) ways better than windows. However, when I moved over to linux I had tons of files with spaces in the name. This isn’t really a problem usually, but it can be a bit annoying having to enclose the filename in quotes for everything… anyway. Most of these were mp3’s that I had ripped from my collection of cd’s to store on the server. The script I used to automatically play through the music archive had problems dealing with the spaces (and I didn’t want to figure out how to make it work…) so I found another solution….