Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 07:09:29 by comphelp

I've now had two friends get nailed with this Spy Sheriff rogue
anti-spyware app. While I've managed to clean up the infections (and
there are several resources on that out there on the net to help with
that) for these folks, what I'm most interested in is:

"Where/how are people getting this?"

Both are XP SP2 users. What's concerning is that this second buddy of
mine is a person that's generally careful and does all the stuff yer
supposed to do to use windows semi safely (not use IE or OE, he uses
Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
enabled, knows not to click on things in emails, keeps the antivirus
scanner updated religiously, periodically scans with ad aware se, etc),
yet he STILL got infected. The only thing he does that I don't
recommend is that he does have an AOL account and runs their stuff
periodically to connect to them. Software is AOL 9.0 AOL
16.4184.5300.

So does anyone happen to know the vulnerability/sites where folks are
picking this up?

For those who haven't seen it, it's a tricky friggin program
apparently. It somehow gets installed, and then pops up telling you
it's detected all sorts of malware and offers to clean it up, but then
stonewalls the (typical) user from doing anything else with their
computer until they register the software and pony up their money.

As in:
http://elamb.blogharbor.com/hacked/removespysheriff.htm

Helpful in cleanup:
http://www.bullguard.com/forum/12/Spy-Sheriff-got-me-Please-help_25398.html


Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 07:50:45 by Vanguard

"Todd H." wrote in message
news:847j9j17qe.fsf@ripco.com...
>
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app. While I've managed to clean up the infections (and
> there are several resources on that out there on the net to help with
> that) for these folks, what I'm most interested in is:
>
> "Where/how are people getting this?"
>
> Both are XP SP2 users. What's concerning is that this second buddy of
> mine is a person that's generally careful and does all the stuff yer
> supposed to do to use windows semi safely (not use IE or OE, he uses
> Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
> enabled, knows not to click on things in emails, keep the antivirus
> scanner updated religiously, periodically scan with ad aware se, etc),
> yet he STILL got infected. The only thing he does that I don't
> recommend is that he does have an AOL account and runs their stuff
> periodically to connect to them. Software is AOL 9.0 AOL
> 16.4184.5300.
>
> So does anyone happen to know the vulnerability/sites where folks are
> picking this up?


Your friend could run System Restore and look at the checkpoints saved
therein. If it triggered due to an install, it lists what triggered it. He
might see whatever he installed a while back. Your friend should also
get accustomed to saving a checkpoint before performing an install and
noting why he created the checkpoint. Your friend probably got it from
something else he installed; i.e., it was bundled in something else. Your
friend should also reconfigure their browser to prompt for ActiveX downloads
so he/she knows when some site is trying to push one onto their computer.
AX is another method of delivery for this rogueware.

--
_______________________________________________________
** Post replies to the newsgroup. Share with others. **
For e-mail, remove "NIX" and append "#VC811" to Subject.
_______________________________________________________

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 08:36:43 by BigJim

Some people get it from going to porn sites and looking at the free stuff.
"Todd H." wrote in message
news:847j9j17qe.fsf@ripco.com...
>
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app. While I've managed to clean up the infections (and
> there are several resources on that out there on the net to help with
> that) for these folks, what I'm most interested in is:
>
> "Where/how are people getting this?"
>
> Both are XP SP2 users. What's concerning is that this second buddy of
> mine is a person that's generally careful and does all the stuff yer
> supposed to do to use windows semi safely (not use IE or OE, he uses
> Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
> enabled, knows not to click on things in emails, keep the antivirus
> scanner updated religiously, periodically scan with ad aware se, etc),
> yet he STILL got infected. The only thing he does that I don't
> recommend is that he does have an AOL account and runs their stuff
> periodically to connect to them. Software is AOL 9.0 AOL
> 16.4184.5300.
>
> So does anyone happen to know the vulnerability/sites where folks are
> picking this up?
>
> For those who haven't seen it, it's a tricky friggin program
> apparently. It somehow gets installed, and then pops up telling you
> it's detected all sorts of malware and offers to clean it up, but then
> stonewalls the (typical) user from doing anything else with their
> computer until they register the software and pony up their money.
>
> As in:
> http://elamb.blogharbor.com/hacked/removespysheriff.htm
>
> Helpful in cleanup:
> http://www.bullguard.com/forum/12/Spy-Sheriff-got-me-Please-help_25398.html
>
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/
>

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 08:55:11 by madmax

comphelp@toddh.net AKA Todd H. on 1/2/2006 in
<847j9j17qe.fsf@ripco.com> after much thought, came up with this jewel:

>
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app. While I've managed to clean up the infections (and
> there are several resources on that out there on the net to help with
> that) for these folks, what I'm most interested in is:
>
> "Where/how are people getting this?"
>
> Both are XP SP2 users. What's concerning is that this second buddy of
> mine is a person that's generally careful and does all the stuff yer
> supposed to do to use windows semi safely (not use IE or OE, he uses
> Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
> enabled, knows not to click on things in emails, keep the antivirus
> scanner updated religiously, periodically scan with ad aware se, etc),
> yet he STILL got infected. The only thing he does that I don't
> recommend is that he does have an AOL account and runs their stuff
> periodically to connect to them. Software is AOL 9.0 AOL
> 16.4184.5300.
>
> So does anyone happen to know the vulnerability/sites where folks are
> picking this up?
>
> For those who haven't seen it, it's a tricky friggin program
> apparently. It somehow gets installed, and then pops up telling you
> it's detected all sorts of malware and offers to clean it up, but then
> stonewalls the (typical) user from doing anything else with their
> computer until they register the software and pony up their money.
>
> As in:
> http://elamb.blogharbor.com/hacked/removespysheriff.htm
>
> Helpful in cleanup:
> http://www.bullguard.com/forum/12/Spy-Sheriff-got-me-Please-help_25398.html
>
>
> Best Regards,
******************Reply Separator*************************
You did not mention any real-time scanning, anti-spyware programs that
your friend uses.
I have written some pages to help you.

Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs:
http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html

max
--
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is setup specifically for use in USENET
feel free to use it yourself. Registered Linux User #393236

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 09:38:02 by comphelp

I appreciate the responses thus far, and the posters who've taken the
time to make them. If possible though, I'd like to refocus the
question:

What are examples of specific web sites with specific exploits in
place that endeavor to install Spy Sheriff?

I'm trying to figure out which unpatched application is the
vulnerability by which this nasty manages to get installed by a user of
the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
platform.

In short, has anyone out there done a full malware analysis of the
Spyware Sheriff installer, and where it's found out there in the wild?

I realize this may be a tall order, but this particular bit of a
spyware is particularly intriguing to me because it's so pernicious.


Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 10:28:25 by Trax

comphelp@toddh.net (Todd H.) wrote:

|>
|>I appreciate the responses thus far, and the posters who've taken the
|>time to make them. If possible though, I'd like to refocus the
|>question:
|>
|> What are examples of specific web sites with specific exploits in
|> place that endeavor to install Spy Sheriff?

Anything download'd (link'd) from this site http://www.astalavista.us/
will come with in a Zip file a file called START.EXE which is whatever
the flavor of the month is.

I want'd to test for this post; I link'd to a site from there:
http://www.XXXXXXandr.net/sn/?l=n&pn=8
This tries the WMF exploit (remove X's to test)

Other links hit me with worms, viruses and other malware; I got so
tired of dodging attacks I never did download a zip file.

|>I'm trying to figure out which unpatched application is the
|>vulnerability by which this nasty manages to get installed by a user of
|>the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
|>platform.
|>
|>In short, has anyone out there done a full malware analysis of the
|>Spyware Sheriff installer, and where it's found out there in the wild.
|>
|>I realize this may be a tall order, but this particular bit of a
|>spyware is particularly intriguing to me because it's so pernicious.
|>
|>
|>Best Regards,


--
http://media.putfile.com/PurePwnage-WoWisafeeling

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 12:12:51 by Volker Birk

In comp.security.misc Todd H. wrote:
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app. While I've managed to clean up the infections

Did you flatten and rebuild?

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

> he uses
> Mozilla v1.7.8 to surf and read email

An old release. Maybe updating would help.

http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla

F'up2here.

Yours,
VB.
--
A vision statement is, as a rule, the aimless babbling of a horde of
crackpots who are out of touch with reality.
Dietz Pröpper in d.a.s.r

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 12:19:24 by Volker Birk

In comp.security.misc Max Wachtel wrote:
> You did not mention any real-time scanning, anti-spyware programs that
> your friend uses.
> I have written some pages to help you.
> Virus Removal Instructions: http://home.neo.rr.com/manna4u/

You're distributing snake oil here. This cannot work. Please read:

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Your tips are counter-productive.

F'up2here, because this is a general problem: malware that is already running
with administrative rights cannot be removed safely any more without a
reference copy of the complete system and booting a second system for the
forensics tools.

Yours,
VB.
--
A vision statement is, as a rule, the aimless babbling of a horde of
crackpots who are out of touch with reality.
Dietz Pröpper in d.a.s.r

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 12:20:59 by Volker Birk

In comp.security.misc Trax wrote:
> Other links hit me with worms, virus's and other malware, I got so
> tired of dodging attacks I never did download a zip file.

Maybe, you should change to another operating system.

Yours,
VB.
--
A vision statement is, as a rule, the aimless babbling of a horde of
crackpots who are out of touch with reality.
Dietz Pröpper in d.a.s.r

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 15:30:20 by Bruce Chambers

Todd H. wrote:

>
> "Where/how are people getting this?"
>



Neither adware nor spyware, collectively known as scumware,
magically install themselves on anyone's computer. They are almost
always deliberately installed by the computer's user, as part of some
allegedly "free" service or product.

While there are some unscrupulous malware distributors out there,
who do attempt to install and exploit malware without consent, the
majority of them simply rely upon the intellectual laziness and
gullibility of the average consumer, counting on them to quickly click
past the EULA in his/her haste to get the latest in "free" cutesy
cursors, screensavers, "utilities," and/or wallpapers.

If you were to read the EULAs that accompany, and to which the
computer user must agree before the download/installation of the
"screensaver" continues, most adware and spyware, you'll find that
they _do_ have the consumer's permission to do exactly what they're
doing. In the overwhelming majority of cases, computer users have no
one to blame but themselves.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 15:38:35 by PcEngWork-NoSpam_

What about the latest Wmf exposure with IE ? - If I understand it
correctly, it requires only the visiting of an infected web site.
Here's an interesting FAQ on it:
http://isc.sans.org/diary.php?rss&storyid=994


"Bruce Chambers" wrote in message
news:O7qUOk6DGHA.516@TK2MSFTNGP15.phx.gbl...
> Todd H. wrote:
>
>>
>> "Where/how are people getting this?"
>>
>
>
>
> Neither adware nor spyware, collectively known as scumware,
> magically install themselves on anyone's computer. They are almost
> always deliberately installed by the computer's user, as part of some
> allegedly "free" service or product.
>
> While there are some unscrupulous malware distributors out there,
> who do attempt to install and exploit malware without consent, the
> majority of them simply rely upon the intellectual laziness and
> gullibility of the average consumer, counting on them to quickly click
> past the EULA in his/her haste to get the latest in "free" cutesy
> cursors, screensavers, "utilities," and/or wallpapers.
>
> If you were to read the EULAs that accompany, and to which the
> computer user must agree before the download/installation of the
> "screensaver" continues, most adware and spyware, you'll find that
> they _do_ have the consumer's permission to do exactly what they're
> doing. In the overwhelming majority of cases, computer users have no
> one to blame but themselves.
>
>
> --
>
> Bruce Chambers
>
> Help us help you:
> http://dts-l.org/goodpost.htm
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> You can have peace. Or you can have freedom. Don't ever count on having
> both at once. - RAH

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 16:00:35 by Bruce Chambers

R. McCarty wrote:
> What about the latest Wmf exposure with IE ? - If I understand it
> correctly, it requires only the visiting of an infected web site.
> Here's an interesting FAQ on it:
> http://isc.sans.org/diary.php?rss&storyid=994
>
>

I never claimed that the danger didn't exist, only that it was
relatively rare, compared to the malware distributors who rely upon the
uninformed or lazy consumer.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 16:08:02 by PcEngWork-NoSpam_

I wasn't taking exception to your analysis - just that these jackasses
are always looking for new ways to get a toe hold on a computer.
Build the wall higher and they dig under it. Make it thicker and they
use a software trampoline to jump over. I agree that most Malware
gets on from bad browsing or download habits. The best Security
software in the world can't stop the "This is dangerous !" and they
go right ahead and Click into - Poker, Porno and "Freebies". Trying
to keep a PC "Safe-&-Secure" takes as much time as you spend
actually using the thing. You can teach a PC, unfortunately the user
is quite as quick a learner.

"Bruce Chambers" wrote in message
news:eLkOH16DGHA.2292@tk2msftngp13.phx.gbl...
> R. McCarty wrote:
>> What about the latest Wmf exposure with IE ? - If I understand it
>> correctly, it requires only the visiting of an infected web site.
>> Here's an interesting FAQ on it:
>> http://isc.sans.org/diary.php?rss&storyid=994
>>
>>
>
> I never claimed that the danger didn't exist, only that it was
> relatively rare, compared to the malware distributors who rely upon the
> uninformed or lazy consumer.
>
>
> --
>
> Bruce Chambers
>
> Help us help you:
> http://dts-l.org/goodpost.htm
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> You can have peace. Or you can have freedom. Don't ever count on having
> both at once. - RAH

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 16:10:51 by PcEngWork-NoSpam_

Correction - Last line should read "the user ISN'T', instead of is.

"R. McCarty" wrote in message news:...
>I wasn't taking exception to your analysis - just that these jackasses
> are always looking for new ways to get a toe hold on a computer.
> Build the wall higher and they dig under it. Make it thicker and they
> use a software trampoline to jump over. I agree that most Malware
> gets on from bad browsing or download habits. The best Security
> software in the world can't stop the "This is dangerous !" and they
> go right ahead and Click into - Poker, Porno and "Freebies". Trying
> to keep a PC "Safe-&-Secure" takes as much time as you spend
> actually using the thing. You can teach a PC, unfortunately the user
> is quite as quick a learner.
>
> "Bruce Chambers" wrote in message
> news:eLkOH16DGHA.2292@tk2msftngp13.phx.gbl...
>> R. McCarty wrote:
>>> What about the latest Wmf exposure with IE ? - If I understand it
>>> correctly, it requires only the visiting of an infected web site.
>>> Here's an interesting FAQ on it:
>>> http://isc.sans.org/diary.php?rss&storyid=994
>>>
>>>
>>
>> I never claimed that the danger didn't exist, only that it was
>> relatively rare, compared to the malware distributors who rely upon the
>> uninformed or lazy consumer.
>>
>>
>> --
>>
>> Bruce Chambers
>>
>> Help us help you:
>> http://dts-l.org/goodpost.htm
>> http://www.catb.org/~esr/faqs/smart-questions.html
>>
>> You can have peace. Or you can have freedom. Don't ever count on having
>> both at once. - RAH
>
>

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 16:18:38 by Bruce Chambers

R. McCarty wrote:
> I wasn't taking exception to your analysis - just that these jackasses
> are always looking for new ways to get a toe hold on a computer.
> Build the wall higher and they dig under it. Make it thicker and they
> use a software trampoline to jump over. I agree that most Malware
> gets on from bad browsing or download habits. The best Security
> software in the world can't stop the "This is dangerous !" and they
> go right ahead and Click into - Poker, Porno and "Freebies". Trying
> to keep a PC "Safe-&-Secure" takes as much time as you spend
> actually using the thing. You can teach a PC, unfortunately the user
> is quite as quick a learner.
>


We're pretty much in complete agreement, then. I guess I just
misunderstood the intentions of your reply to me. And, thanks to your
reminder, I do reckon it's time to upgrade my emphasis of that
particular danger.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 17:09:12 by Gabriele Neukam

On that special day, Todd H., (comphelp@toddh.net) said...

> I'm trying to figure out which unpatched application is the
> vulnerability by which this nasty manages to get installed by a user of
> the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
> platform.

http://www.f-secure.com/weblog/archives/archive-122005.html#00000752

This *might* have been how it happened.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 18:04:08 by Kerry Brown

Todd H. wrote:
> I appreciate the responses thus far, and the posters who've taken the
> time to make them. If possible though, I'd like to refocus the
> question:
>
> What are examples of specific web sites with specific exploits in
> place that endeavor to install Spy Sheriff?
>
> I'm trying to figure out which unpatched application is the
> vulnerability by which this nasty manages to get installed by a user of
> the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
> platform.
>
> In short, has anyone out there done a full malware analysis of the
> Spyware Sheriff installer, and where it's found out there in the wild.
>
> I realize this may be a tall order, but this particular bit of a
> spyware is particularly intriguing to me because it's so pernicious.
>
>
> Best Regards,

I have seen it on three customers' computers in the last three days. They
were all up to date with Windows updates, running an antivirus, one was
running MS AntiSpyware. As near as I can tell they all came in via the .wmf
exploit. One was in a spam email. They had the preview pane open and viewing
the email installed the malware. Two were while surfing the net. Both times
they clicked on a link in a google search and they were immediately
infected. See the following link for details of the exploit.

http://www.microsoft.com/technet/security/advisory/912840.mspx

The only effective workaround right now is to enable hardware DEP for all
programs (software DEP won't stop it) or disable the Windows picture and fax
viewer. Both workarounds can cause problems. Hardware DEP may break some
drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be
the best workaround but it may cause some minor problems with html email and
some web sites.

Kerry
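As an added example (not code from the thread or from any of the posters), here is a small Python scanner for the record pattern behind the .wmf exploit Kerry's post refers to (Microsoft advisory 912840): a META_ESCAPE record carrying the SETABORTPROC sub-function, which a legitimate image file has no reason to contain. A defender could point it at mail attachments or a browser cache; the sample files below are constructed inside the script, with zero bytes as filler, and carry no payload.

```python
import struct

# WMF constants from the Windows Metafile format specification.
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the 22-byte Aldus "placeable" header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function abused by the 2005/2006 WMF exploits
META_SETBKCOLOR = 0x0201     # harmless record used in the constructed sample


def iter_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF blob.

    Handles placeable and plain metafiles, stops at META_EOF, and reports a
    record whose size field runs past the file (or is below the 3-word
    minimum) as function None so the caller can flag the malformation.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:   # METAHEADER is always 9 words
        raise ValueError("not a WMF header")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # rdSize, rdFunction
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            yield off, None, data[off + 6:]
            return
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def scan_wmf(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for off, func, params in iter_wmf_records(data):
        if func is None:
            findings.append(f"malformed record size at offset {off}")
        elif func == META_ESCAPE and len(params) >= 2:
            escape_fn = struct.unpack_from("<H", params, 0)[0]
            if escape_fn == SETABORTPROC:
                findings.append(f"META_ESCAPE/SETABORTPROC at offset {off}")
    return findings


def build_wmf(records):
    """Assemble a minimal plain WMF from (function, even-length params) pairs.

    Used only to construct test samples for the scanner.
    """
    body = b""
    max_words = 3
    for func, params in records:
        words = 3 + len(params) // 2
        body += struct.pack("<IH", words, func) + params
        max_words = max(max_words, words)
    body += struct.pack("<IH", 3, META_EOF)
    total_words = 9 + len(body) // 2
    # mtType=1 (memory), mtHeaderSize=9, mtVersion=0x300, mtSize, mtNoObjects,
    # mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


# Constructed samples (not real malware). SUSPECT_WMF carries the escape
# record shape the exploit relied on, followed by eight zero bytes of filler.
BENIGN_WMF = build_wmf([(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])
SUSPECT_WMF = build_wmf([
    (META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
])
# Constructed placeable header (bounding box and checksum left as zeros).
PLACEABLE_HEADER = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18


if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("placeable suspect", PLACEABLE_HEADER + SUSPECT_WMF),
                       ("truncated suspect", SUSPECT_WMF[:-10])]:
        print(f"{name}: {scan_wmf(blob) or 'clean'}")
```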

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 18:13:30 by Volker Birk

In comp.security.misc Kerry Brown wrote:
> I have seen it on three customer's computers in the last three days. They
> were all up to date with Windows updates, running an antivirus, one was
> running MS AntiSpyware. As near as I can tell they all came in via the .wmf
> exploit. One was in a spam email. They had the preview pane open and viewing
> the email installed the malware.

Sounds like Outlook Express or Outlook. Well, not using OE and O is
requested not only by me and not only for a short time now.

> Two were while surfing the net. Both times
> they clicked on a link in a google search and they were immediately
> infected.

Sounds like they're using Internet Exploder. Well, not using IE is
requested not only by me and not only for a short time now.

> The only effective workaround right now is to enable hardware DEP for all
> programs (software DEP won't stop it) or disable the Windows picture and fax
> viewer.

The best workaround is not using IE or OE any more.

Yours,
VB.
--
A vision statement is, as a rule, the aimless babbling of a horde of
crackpots who are out of touch with reality.
Dietz Pröpper in d.a.s.r

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 18:19:52 by comphelp

Gabriele Neukam writes:

> On that special day, Todd H., (comphelp@toddh.net) said...
>
> > I'm trying to figure out which unpatched application is the
> > vulnerability by which this nasty manages to get installed by a user of
> > the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
> > platform.
>
> http://www.f-secure.com/weblog/archives/archive-122005.html#00000752
>
> This *might* have been how it happened.


That is a huge vulnerability I agree--I expect to see lots of
computers cross my desk to repair the fallout of that huge hole.

These spy sheriff infections predated the release of the wmf exploit
by a month or so though. :-\

--
Todd H.
http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 18:23:06 by comphelp

Volker Birk writes:

> In comp.security.misc Todd H. wrote:
> > I've now had two friends get nailed with this Spy Sheriff rogue
> > anti-spyware app. While I've managed to clean up the infections
>
> Did you flatten and rebuild?
>
> http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Hi Volker,

I haven't, though I suggested it. The friend has decided to replace
the aging machine instead. My task was just to stabilize it to the
point of being able to yank the data off of it.

> > he uses
> > Mozilla v1.7.8 to surf and read email
>
> An old release. Maybe updating would help.
>
> http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla

Yeah, I agree that's the leading candidate. Several critical
vulnerabilities existed in that 1.7.8 release. My money's on this as
the attack vector, and him visiting a nefarious site that had an
exploit for one of those buried in it.

Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 18:45:35 by Volker Birk

Todd H. wrote:
> Volker Birk writes:
> > In comp.security.misc Todd H. wrote:
> > > I've now had two friends get nailed with this Spy Sheriff rogue
> > > anti-spyware app. While I've managed to clean up the infections
> > Did you flatten and rebuild?
> > http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
> I haven't though I suggested it. The friend has decided to replace
> the aging machine instead. My task was just to stabilize it to the
> point of being able to yank the data off of it.

I hope you got your data out of it without too much trouble, i.e. with
macro viruses in your Office documents or something like that. Perhaps
next time a backup would be a good idea (of course, nobody wants backup, but
everybody wants restore ;-)

Yours,
VB.
--
A vision statement is, as a rule, the aimless babbling of a horde of
crackpots who are out of touch with reality.
Dietz Pröpper in d.a.s.r

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 18:48:54 by comphelp

"Kerry Brown" writes:
> Todd H. wrote:
> > I appreciate the responses thus far, and the posters who've taken the
> > time to make them. If possible though, I'd like to refocus the
> > question:
> >
> > What are examples of specific web sites with specific exploits in
> > place that endeavor to install Spy Sheriff?
> >
> > I'm trying to figure out which unpatched application is the
> > vulnerability by which this nasty manages to get installed by a user of
> > the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
> > platform.
> >
> > In short, has anyone out there done a full malware analysis of the
> > Spyware Sheriff installer, and where it's found out there in the wild.
> >
> > I realize this may be a tall order, but this particular bit of a
> > spyware is particularly intriguing to me because it's so pernicious.
> >
> >
> > Best Regards,
>
> I have seen it on three customers' computers in the last three days. They
> were all up to date with Windows updates, running an antivirus, one was
> running MS AntiSpyware. As near as I can tell they all came in via the .wmf
> exploit. One was in a spam email. They had the preview pane open and viewing
> the email installed the malware. Two were while surfing the net. Both times
> they clicked on a link in a google search and they were immediately
> infected. See the following link for details of the exploit.
>
> http://www.microsoft.com/technet/security/advisory/912840.mspx
>
> The only effective workaround right now is to enable hardware DEP for all
> programs (software DEP won't stop it) or disable the Windows picture and fax
> viewer. Both workarounds can cause problems. Hardware DEP may break some
> drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be
> the best workaround but it may cause some minor problems with html email and
> some web sites.

Hi Kerry,

Thanks for sharing your experience.

There seems to be mounting evidence that these Spy Sheriff bastards
might be leveraging multiple vulnerabilities out there, and evolving
with the state of patches.

One machine I cleaned up was about 3 weeks ago, and the friend
involved had an up to date XP2 box, and he said that the computer had
been that way for a week or more prior to my arrival. I think this
predates the WMF issue's release. That user, however, is fairly
novice and isn't terribly careful, so god knows where he could've
gotten it. He was using a very old version of Mozilla on that box.


The second Spy Sheriff infected machine I just cleaned up was an XP
sp2 machine with its updates, but the user reported that manual
symantec liveupdates haven't worked for a while, and he also had a
Mozilla version that was a couple revs old (1.7.8). I think his
infection of spy sheriff was probably in the timeline for the WMF
exploit. Then again Spy sheriff as it turns out was only one of a
long list of infections it managed to contract.

Thanks to all for their experiences with this one. This malware is
getting extremely crafty, and financial profit seems to be creeping up
the list of motivations for the black hats. I hope a few attorneys
general hit the Spy Sheriff weasels hard. In the mean time, if you
know anyone who was socially engineered into paying to register spy
sheriff, have them dispute that credit card charge and at least hit
them in credit card admin fees. Visa/MC might get fed up enough to
revoke their merchant id.

Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

on 02.01.2006 18:51:59 by art

On Mon, 2 Jan 2006 09:04:08 -0800, "Kerry Brown"
wrote:

>I have seen it on three customers' computers in the last three days. They
>were all up to date with Windows updates, running an antivirus, one was
>running MS AntiSpyware. As near as I can tell they all came in via the .wmf
>exploit. One was in a spam email. They had the preview pane open and viewing
>the email installed the malware. Two were while surfing the net. Both times
>they clicked on a link in a google search and they were immediately
>infected. See the following link for details of the exploit.
>
>http://www.microsoft.com/technet/security/advisory/912840.mspx
>
>The only effective workaround right now is to enable hardware DEP for all
>programs (software DEP won't stop it) or disable the Windows picture and fax
>viewer. Both workarounds can cause problems. Hardware DEP may break some
>drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be
>the best workaround but it may cause some minor problems with html email and
>some web sites.

According to some experts, the best workaround is Ilfak's fix here:

http://www.hexblog.com/2005/12/wmf_vuln.html

Art

http://home.epix.net/~artnpeg

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 19:28:00 von John of Aix

Bruce Chambers wrote:
> Todd H. wrote:
>
>>
>> "Where/how are people getting this?"
>>
>
>
>
> Neither adware nor spyware, collectively known as scumware,
> magically install themselves on anyone's computer. They are almost
> always deliberately installed by the computer's user, as part of some
> allegedly "free" service or product.

No, that is not the case. There is hardly a byte on my PC that I don't
know about but nevertheless I still get a few minor trojans from time to
time, usually in the Cookies, which last as long as it takes me to run
ad-aware, spybot etc or clean the cookies by hand, which I do every day
or couple of days. Of course lots of people do click on any old link
and so deserve what they get but that is not the only way to be
infected.

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 19:29:32 von Gabriele Neukam

On that special day, Todd H., (comphelp@toddh.net) said...

> These spy sheriff infections predated the release of the wmf exploit
> by a month or so though. :-\

If there is a new and easy way to infect even updated machines without
having to lure the user into a "click me" dialog box, a criminal like
that Spy Sheriff distributor will gladly adopt it, for sure.

There are a lot of worming bots out in the net, which use all kinds of
vulnerabilities, the numbers of their variants being in the hundreds,
if not thousands... why should it be different with this kind of -
shall we call it foistware?


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 19:52:31 von Leythos

You've got it backwards. Spysheriff does use that vulnerability. That
vulnerability was always there; it did not just appear, it was just recently
discovered, probably because of Spysheriff-like malware.

--


spam999free@rrohio.com
remove 999 in order to email me



"Todd H." wrote in message
news:84ek3qsg1z.fsf@ripco.com...
> Gabriele Neukam writes:
>
>> On that special day, Todd H., (comphelp@toddh.net) said...
>>
>> > I'm trying to figure out which unpatched application is the
>> > vulnerability by which this nasty manages to get installed by a user of
>> > the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
>> > platform.
>>
>> http://www.f-secure.com/weblog/archives/archive-122005.html#00000752
>>
>> this *might* have been, how it happened.
>
>
> That is a huge vulnerability I agree--I expect to see lots of
> computers cross my desk to repair the fallout of that huge hole.
>
> These spy sheriff infections predated the release of the wmf exploit
> by a month or so though. :-\
>
> --
> Todd H.
> http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 20:01:36 von unknown

Post removed (X-No-Archive: yes)

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 20:23:32 von Leythos

NO! Prove to me that you own the name "Leythos" and I will stop using it.
Stop stalking me and I will stop using it. Hehe, forging your name? You must
be crazy. That's the funniest thing I've heard all year. Get lost, stalker.

--


spam999free@rrohio.com
remove 999 in order to email me




"Leythos" wrote in message
news:kMeuf.22160$Pi.1788@tornado.ohiordc.rr.com...
> In article , ilovepcbutts1
> @withapassion.com says...
>> From: "Leythos"
>> References: <847j9j17qe.fsf@ripco.com>
>> <847j9j58k5.fsf@ripco.com>
>> <84ek3qsg1z.fsf@ripco.com>
>> Subject: Re: Spy Sheriff - so how do people get infected w/ this thing?
>> Date: Mon, 2 Jan 2006 10:52:31 -0800
>> Lines: 39
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
>> X-RFC2646: Format=Flowed; Original
>> Message-ID:
>> Newsgroups:
>> comp.os.ms-windows.misc,microsoft.public.windowsxp.general,alt.comp.anti-virus,comp.security.misc
>> NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net 69.237.53.123
>> Path:
>> news-wrt-01.ohiordc.rr.com!news-server.columbus.rr.com!hwmnpeer01.lga!hwmedia!newshub.sdsu.edu!msrtrans!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
>> Xref: news-wrt-01.ohiordc.rr.com comp.os.ms-windows.misc:201080
>> microsoft.public.windowsxp.general:1413638 alt.comp.anti-virus:93309
>> comp.security.misc:110153
>
> NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
> 69.237.53.123
>
> Please note that PCBUTTS1 is the poster of the above message using my
> NickName "Leythos". He posts from the above host, which you can validate
> in the Usenet headers, since Microsoft deletes his posts from their
> servers due to his lack of ethics, his theft of others code, and his
> violations of their Usenet standards.
>
> As a "formal" request, for documentation reasons, I request that you
> stop using my name to forge posts. You have been warned now.
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 20:28:54 von unknown

Post removed (X-No-Archive: yes)

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 20:41:24 von unknown

Post removed (X-No-Archive: yes)

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 20:55:51 von unknown

Post removed (X-No-Archive: yes)

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 21:01:03 von unknown

Post removed (X-No-Archive: yes)

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 21:50:04 von unknown

Post removed (X-No-Archive: yes)

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 02.01.2006 22:36:52 von Tim

On Mon, 2 Jan 2006 17:09:12 +0100, Gabriele Neukam
wrote:

>
>http://www.f-secure.com/weblog/archives/archive-122005.html#00000752
>
>this *might* have been, how it happened.

Yup, I cleaned up a couple of machines in the last few days with that.

tim
--

tim

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 03.01.2006 06:30:58 von Cool_X

Can anyone please tell me a suitable workaround for Windows 98 SE? The M$ page only lists
un-registering Shimgvw.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows
Server 2003 and Windows Server 2003 Service Pack 1.

Please let me know about this.

Cool_X


tim wrote:
> On Mon, 2 Jan 2006 17:09:12 +0100, Gabriele Neukam
> wrote:
>
>
>>http://www.f-secure.com/weblog/archives/archive-122005.html#00000752
>>
>>this *might* have been, how it happened.
>
>
> Yup, I cleaned up a couple of machines in the last few days with that.
>
> tim

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 03.01.2006 06:42:28 von comphelp

Cool_X writes:

> Can anyone please tell me a suitable workaround for Windows 98 SE?
> The M$ page only lists un-registering Shimgvw.dll on Windows XP
> Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
> Windows Server 2003 Service Pack 1.
>
> Please let me know about this.
>
> Cool_X

Quoted from http://isc.sans.org/diary.php?storyid=994

"Note: If you're still running on Win98/ME, this is a watershed
moment: we believe (untested) that your system is vulnerable and there
will be no patch from MS. Your mitigation options are very
limited. You really need to upgrade."


Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 03.01.2006 15:45:40 von Larry Sabo

comphelp@toddh.net (Todd H.) wrote:

>Cool_X writes:
>
>> Can anyone please tell me a suitable workaround for Windows 98 SE?
>> The M$ page only lists un-registering Shimgvw.dll on Windows XP
>> Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
>> Windows Server 2003 Service Pack 1.
>>
>> Please let me know about this.
>>
>> Cool_X
>
>Quoted from http://isc.sans.org/diary.php?storyid=994
>
>"Note: If you're still running on Win98/ME, this is a watershed
>moment: we believe (untested) that your system is vulnerable and there
>will be no patch from MS. Your mitigation options are very
>limited. You really need to upgrade."
>
>
>Best Regards,


Install Sunbelt Kerio Personal Firewall and modify the filter rules
per the article "Snort rules for WMF exploit updated" in
http://sunbeltblog.blogspot.com/. That seems to work very well.

Larry
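Added here as an illustration of the kind of content inspection the Snort rules Larry refers to perform; this is not code from any post in the thread, nor Sunbelt's or Snort's own rule logic. The script walks the record list of a Windows Metafile and flags META_ESCAPE records that request SETABORTPROC, the escape sub-function through which the vulnerability in advisory 912840 (MS06-001) is reached, and also reports a record list that does not parse cleanly. The record layout follows the published WMF format; the three sample metafiles are constructed inside the script, not captured from any infection.

```python
import struct

# WMF record function numbers (Windows Metafile Format specification)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_SETWINDOWORG = 0x020B
META_SETWINDOWEXT = 0x020C
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # Escape sub-function abused by the MS06-001 exploit
PLACEABLE_KEY = 0x9AC6CDD7   # magic number of the optional 22-byte placeable header


def parse_wmf_records(data):
    """Walk the record list of a WMF and return (records, problem).

    records is a list of (offset, function, size_in_words); problem is None for a
    well-formed record list, otherwise a short description of what went wrong.
    A malformed list is reported rather than ignored, because a scanner that
    treats "unparseable" as "clean" is easy to slip past.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable (Aldus) header
    if len(data) < off + 18:
        raise ValueError("too short to hold a WMF header")
    file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2

    records, problem = [], None
    while True:
        if off + 6 > len(data):
            problem = "record list runs past end of data (no META_EOF)"
            break
        size_words, func = struct.unpack_from("<IH", data, off)
        records.append((off, func, size_words))
        if func == META_EOF:
            break
        if size_words < 3 or off + size_words * 2 > len(data):
            problem = f"record at offset {off} has impossible size {size_words} words"
            break
        off += size_words * 2
    return records, problem


def scan_wmf(data):
    """Report whether a WMF contains a SETABORTPROC escape or a broken record list.

    A metafile stored on disk or fetched from the web has no legitimate use for
    SetAbortProc (it installs a printer-job abort callback), so any such escape
    record is treated as an indicator; this is the same condition the public
    Snort signatures for the WMF exploit matched on.
    """
    records, problem = parse_wmf_records(data)
    hits = []
    for off, func, _size in records:
        if func == META_ESCAPE and off + 8 <= len(data):
            escape_func = struct.unpack_from("<H", data, off + 6)[0]
            if escape_func == SETABORTPROC:
                hits.append(off)
    return {
        "records": len(records),
        "setabortproc_offsets": hits,
        "malformed": problem,
        "suspicious": bool(hits) or problem is not None,
    }


# --- constructed sample metafiles (not captured from any real infection) ---

def _record(func, *params):
    """Build one WMF record: DWORD size in words, WORD function, WORD parameters."""
    return struct.pack("<IH", 3 + len(params), func) + struct.pack(f"<{len(params)}H", *params)


def build_wmf(records):
    """Wrap a list of records in a standard 18-byte (non-placeable) WMF header."""
    body = b"".join(records)
    max_words = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN_WMF = build_wmf([
    _record(META_SETMAPMODE, 8),
    _record(META_SETWINDOWORG, 0, 0),
    _record(META_SETWINDOWEXT, 100, 100),
    _record(META_EOF),
])

# Same shape, but with an Escape record asking for SETABORTPROC (byte count 0).
SUSPICIOUS_WMF = build_wmf([
    _record(META_SETMAPMODE, 8),
    _record(META_ESCAPE, SETABORTPROC, 0),
    _record(META_EOF),
])

# The benign file with its META_EOF record cut off.
TRUNCATED_WMF = BENIGN_WMF[:-6]

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF), ("truncated", TRUNCATED_WMF)):
        print(name, scan_wmf(blob))
```

Run against a directory of downloaded images, the `suspicious` flag is what a mail gateway or proxy filter would act on; the separate `malformed` field matters because, as the thread notes, unregistering shimgvw.dll only closes one viewer, whereas inspecting the content catches the file regardless of which application would eventually render it.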

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 03.01.2006 21:40:28 von Frank Slootweg

Kerry Brown wrote:
[deleted]
> I have seen it on three customer's computers in the last three days. They
> were all up to date with Windows updates, running an antivirus, one was
> running MS AntiSpyware. As near as I can tell they all came in via the .wmf
> exploit. One was in a spam email. They had the preview pane open and viewing
> the email installed the malware. Two were while surfing the net. Both times
> they clicked on a link in a google search and they were immediately
> infected. See the following link for details of the exploit.
>
> http://www.microsoft.com/technet/security/advisory/912840.mspx

Are you sure about that preview pane story? The Microsoft Security
Advisory claims that one at least has to *click* on something or *open*
an *attachment*:

[Start quote:]

Mitigating Factors:

* In an E-mail based attack involving the current exploit, customers
would have to be persuaded to click on a link within a malicious
e-mail or open an attachment that exploited the vulnerability. At this
point, no attachment has been identified in which a user can be
attacked simply by reading mail.

[End quote.]

[This is from the January 3 version of the Advisory. The earlier wording
was somewhat less specific.]

I also thought that a (OE) (pre-)view was enough, but I checked some
(innocent) JPEGs in an HTML message and they are displayed, *despite*
disabling (un-registering) the Windows Picture and Fax viewer
(Shimgvw.dll). So apparently JPEG in e-mail is rendered by some other
component than the Windows Picture and Fax viewer. Of course I didn't
check any malicious 'pictures', so I could be wrong.

Anyway, the good news is that if everything goes according to plan, we
will have a (MS) patch (security update) in a week (January 10).

> The only effective workaround right now is to enable hardware DEP for all
> programs (software DEP won't stop it) or disable the Windows picture and fax
> viewer. Both workarounds can cause problems. Hardware DEP may break some
> drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be
> the best workaround but it may cause some minor problems with html email and
> some web sites.
>
> Kerry

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 03.01.2006 22:04:54 von Kerry Brown

Positive. I have seen it in action. Security was slightly relaxed as the
user used the stationery features a lot. Until this exploit there had never
been a problem with their setup. They had disabled Block images and other
external content in HTML email. Not the most sensible thing to do but many
users who use stationery do this. There are many newsgroups devoted to
stationery. Microsoft even has one on their private news server. I was wrong
about the hardware DEP though. It looks like this works on some systems but
not others.

Kerry

Frank Slootweg wrote:
> Kerry Brown wrote:
> [deleted]
>> I have seen it on three customer's computers in the last three days.
>> They were all up to date with Windows updates, running an antivirus,
>> one was running MS AntiSpyware. As near as I can tell they all came
>> in via the .wmf exploit. One was in a spam email. They had the
>> preview pane open and viewing the email installed the malware. Two
>> were while surfing the net. Both times they clicked on a link in a
>> google search and they were immediately infected. See the following
>> link for details of the exploit.
>>
>> http://www.microsoft.com/technet/security/advisory/912840.mspx
>
> Are you sure about that preview pane story? The Microsoft Security
> Advisory claims that one at least has to *click* on something or
> *open* an *attachment*:
>
> [Start quote:]
>
> Mitigating Factors:
>
> * In an E-mail based attack involving the current exploit, customers
> would have to be persuaded to click on a link within a malicious
> e-mail or open an attachment that exploited the vulnerability. At
> this point, no attachment has been identified in which a user can be
> attacked simply by reading mail.
>
> [End quote.]
>
> [This is from the January 3 version of the Advisory. The earlier
> wording was somewhat less specific.]
>
> I also thought that a (OE) (pre-)view was enough, but I checked some
> (innocent) JPEGs in an HTML message and they are displayed, *despite*
> disabling (un-registering) the Windows Picture and Fax viewer
> (Shimgvw.dll). So apparently JPEG in e-mail is rendered by some other
> component than the Windows Picture and Fax viewer. Of course I didn't
> check any malicious 'pictures', so I could be wrong.
>
> Anyway, the good news is that if everything goes according to plan,
> we will have a (MS) patch (security update) in a week (January 10).
>
>> The only effective workaround right now is to enable hardware DEP
>> for all programs (software DEP won't stop it) or disable the Windows
>> picture and fax viewer. Both workarounds can cause problems.
>> Hardware DEP may break some drivers and a lot of games won't run.
>> Unregistering shimgvw.dll seems to be the best workaround but it may
>> cause some minor problems with html email and some web sites.
>>
>> Kerry

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 03.01.2006 22:37:22 von Frank Slootweg

Kerry Brown wrote:
> Positive. I have seen it in action. Security was slightly relaxed as
> the user used the stationery features a lot. Until this exploit there
> had never been a problem with their setup. They had disabled Block
> images and other external content in HTML email.

Ah, that explains it! AFAIK, Block images is enabled by default in
(SP2) OE, at least it was for me. So for me it would mean a click.

> Not the most sensible
> thing to do but many users who use stationery do this. There are many
> newsgroups devoted to stationery. Microsoft even has one on their
> private news server.

Yeah, it's the old point: Is 'rich' ever going to be safe? Probably
not.

> I was wrong about the hardware DEP though. It
> looks like this works on some systems but not others.
>
> Kerry

> Frank Slootweg wrote:
[bottom-quote deleted]

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 03.01.2006 23:58:19 von Cool_X

Just great, so this means the death of Win98 SE??? M$ could release a patch if they wanted to
(and should, because this is a critical security issue), but they will use any tactic possible
to force eXPensive upgrades. Even people who are using XP and 2000 who pirated it get a better
update service and all critical updates like this!!!

If all 16-bit versions of Windows will be vulnerable (are you saying they won't release a patch
for Win ME that might work?), then this has HUGE implications for all machines that aren't fast
enough to run 2000. It's basically a death sentence towards ever going on the Internet.

Besides which, can't any of the security people here tell me the Windows files that are
specifically affected by this virus, so I can block them (would need to know how to do that as
well)???

Contrary to what Linus Torvalds said, Micro$oft IS EVIL!!!

Cool_X


Todd H. wrote:
> Cool_X writes:
>
>
>>Can anyone please tell me a suitable workaround for Windows 98 SE?
>>The M$ page only lists un-registering Shimgvw.dll on Windows XP
>>Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
>>Windows Server 2003 Service Pack 1.
>>
>>Please let me know about this.
>>
>>Cool_X
>
>
> Quoted from http://isc.sans.org/diary.php?storyid=994
>
> "Note: If you're still running on Win98/ME, this is a watershed
> moment: we believe (untested) that your system is vulnerable and there
> will be no patch from MS. Your mitigation options are very
> limited. You really need to upgrade."
>
>
> Best Regards,

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 00:12:24 von Cool_X

Larry,
I would consider doing this, but I don't know if Sunbelt's product is free, and worse, I
already own ZoneAlarm Pro, and I know that 2 firewalls won't work together. Even if they did,
ZoneAlarm slows down my boot time by a large amount.

Does anyone have any other suggestions, like what Windows files to block or unregister?

I think that if I don't have the DLL that the sites are asking me to unregister, then I'm
either not affected or the exploit targets different files. Could anyone clarify this one way
or another???

Cool_X


Larry Sabo wrote:
> comphelp@toddh.net (Todd H.) wrote:
>
>
>>Cool_X writes:
>>
>>
>>>Can anyone please tell me a suitable workaround for Windows 98 SE?
>>>The M$ page only lists un-registering Shimgvw.dll on Windows XP
>>>Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
>>>Windows Server 2003 Service Pack 1.
>>>
>>>Please let me know about this.
>>>
>>>Cool_X
>>
>>Quoted from http://isc.sans.org/diary.php?storyid=994
>>
>>"Note: If you're still running on Win98/ME, this is a watershed
>>moment: we believe (untested) that your system is vulnerable and there
>>will be no patch from MS. Your mitigation options are very
>>limited. You really need to upgrade."
>>
>>
>>Best Regards,
>
>
>
> Install Sunbelt Kerio Personal Firewall and modify the filter rules
> per the article "Snort rules for WMF exploit updated" in
> http://sunbeltblog.blogspot.com/. That seems to work very well.
>
> Larry

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 00:28:12 von comphelp

Cool_X writes:

> I think that if I don't have the DLL that the sites are asking me to
> unregister, then I'm either not affected or the exploit targets
> different files. Could anyone clarify this one way or another???

You probably do have that dll.

Be sure to put the missing backslashes in the unregister command:

regsvr32 -u %windir%\system32\shimgvw.dll


--
Todd H.
http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 00:35:36 von unknown

Post removed (X-No-Archive: yes)

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 01:12:41 von Leythos

Post removed (X-No-Archive: yes)

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 02:50:52 von John Hyde

on 1/2/2006 9:42 PM Todd H. said the following:
> Cool_X writes:
>
>
>>Can anyone please tell me a suitable workaround for Windows 98 SE?
>>The M$ page only lists un-registering Shimgvw.dll on Windows XP
>>Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
>>Windows Server 2003 Service Pack 1.
>>
>>Please let me know about this.
>>
>>Cool_X
>
>
> Quoted from http://isc.sans.org/diary.php?storyid=994
>
> "Note: If you're still running on Win98/ME, this is a watershed
> moment: we believe (untested) that your system is vulnerable and there
> will be no patch from MS. Your mitigation options are very
> limited. You really need to upgrade."
>
>
> Best Regards,

Turns out that this may not be true. Apparently the older versions of
windows don't have a default *.WMF handler. Technically they are
vulnerable, but for all practical purposes not. CAUTION: this will
depend on your configuration. Here is one article that I found:

http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx

JH

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 03:43:51 von Larry Sabo

[top-post corrected below]

>Larry Sabo wrote:
[snip]
>> Install Sunbelt Kerio Personal Firewall and modify the filter rules
>> per the article "Snort rules for WMF exploit updated" in
>> http://sunbeltblog.blogspot.com/. That seems to work very well.
>>
>> Larry
Cool_X wrote:

>Larry,
>I would consider doing this, but I don't know if Sunbelt's product is free, and worse, I
>already own ZoneAlarm Pro, and I know that 2 firewalls won't work together. Even if they did,
>ZoneAlarm slows down my boot time by a large amount.
[snip]
>
>Cool_X

Sunbelt Kerio Personal Firewall is full-featured for 30 days, then
becomes a freeware version with fewer features, according to Sunbelt.
The full-featured version is available for $14.95 USD, and costs $9.95
USD to renew at the end of the year. For a table showing the
differences between the free and paid versions, see...

http://www.sunbelt-software.com/Kerio.cfm

I used to use Zone Alarm years ago but abandoned it when it became so
bloated that it slowed my system to a crawl, especially during
booting. During the short time I was checking it out, I think I noticed
that SKPF slowed my system perceptibly, but I really didn't use it
long enough to be sure.

If I were using Win98, I'd use SKPF with the filters mentioned in the
link above. Since I use Win2K, I rely upon the WMFHotFix instead.

Larry

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 04:20:54 von Cool_X

Todd,
No, I really don't think I have that DLL because I keep getting the error message:

"RegSvr32

LoadLibrary("%windir%\system32\shimgvw.dll") failed .
GetLastError returns 0x00000485."

What missing backslashes are you talking about, and what else can I do?

Cool_X


Todd H. wrote:
> Cool_X writes:
>
>
>>I think that if I don't have the DLL that the sites are asking me to
>>unregister, then I'm either not affected or the exploit targets
>>different files. Could anyone clarify this one way or another???
>
>
> You probably do have that dll.
>
> Be sure to put the missing backslashes in the unregister command:
>
> regsvr32 -u %windir%\system32\shimgvw.dll
>
>

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 04:29:36 von Cool_X

Notan,
Why should Kerio be the only firewall that supports this? Won't other firewall makers follow
suit with updates to their products?

And won't Symantec release definitions updates that catch all of the variants, so once I
install them, I'll be immune to this virus just like any other?

Finally, why should I have to pay twice to get another firewall when I've already bought one
that was highly rated, and then not be able to use the one that I already bought?

There must be SOME alternative to this...

Cool_X

P.S. I'm still interested in discussing more about Usenet with you regarding your previous
posts on alt.comp.sys.laptops, but I don't want to stay OT there. Could you send me your
e-mail address (mine is already listed, you just have to remove the "SPAM")?

Notan wrote:
> Cool_X wrote:
>
>>Larry,
>>I would consider doing this, but I don't know if Sunbelt's product is free, and worse, I
>>already own ZoneAlarm Pro, and I know that 2 firewalls won't work together. Even if they did,
>>ZoneAlarm slows down my boot time by a large amount.
>>
>>
>
>
> It's currently being offered for $14.95. (I paid $45.00. Damn! )
>
> Have a look at http://www.sunbelt-software.com/kerio.cfm.
>
> Notan

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 04:39:05 von comphelp

Cool_X writes:

> Todd,
> No, I really don't think I have that DLL because I keep getting the error message:
>
> "RegSvr32
>
> LoadLibrary("%windir%\system32\shimgvw.dll") failed .
> GetLastError returns 0x00000485."
>
> What missing backslashes are you talking about, and what else can I
> do?

The missing backslashes I mentioned were from the sans.org diary
(their editor keeps eating them evidently), but according to the
error message you have them.

Check c:\windows\system32 directory and see if shimgvw.dll is there.
Maybe the mapping of %windir% is goofed up on your system? Dunno.


--
Todd H.
http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 05:14:36 von Cool_X

Leythos,
Well, you might as well be a M$ salesman, because you're saying almost exactly what I'd expect
to hear from them.

My response to your "solutions":

1. Win98 is only unsupported b/c M$ is EVIL and wants to use hackers to make more money in
"upgrades" by leaving previous versions to be riddled with viruses when it's probably even
easier for them to release patches for 9x kernels. Besides which, I figured that due to its
age, Win98SE would have all of its major bugs worked out, and wouldn't have to sustain a major
hit like this poses. Furthermore, there's still an OS/2 group in my city.

2. I already bought a good virus scanner and firewall (SystemWorks and ZoneAlarm Pro), so
until now, I've been relying on updated virus definitions. I thought that was a workable
solution until this, where a key part of Windows has been totally exploited.

3. No, why should I pay to make my PC even slower? I don't need the extra "features" (read:
bugs) of newer M$ OSs, and Win98 has all the functionality (plus extra compatibility) that I
need. Besides which, I'm not going to let an EVIL MONOPOLY dictate how I run any system, and
will certainly not be pressured into any "upgrade".

4. Oh, so you think I have all the money in the world? A year later, I'm still buried in
credit card debt paying for a $6000 USD (approx. conversion) theft that I couldn't afford to
insure, and I know quite a few people who aren't rich enough to have a fast enough PC to even
look at 2000 (like somebody I know who still has a P233). I'm just a student who's having to
work to pay for a drug-dealing gang's gains, so I still have my university tuition to have to
pay. Since I use laptops, the lack of compatibility and ease of use deters me from learning a
*nix OS, especially as I'm not a programmer and wouldn't enjoy having to recompile my OS.

I still won't use XP on principle that I completely disagree with M$ violating privacy with
WPA, and I'm not going to ask PERMISSION to use something that I had to PAY FOR and own the
rights to.

My question is, if security people have developed an unofficial workaround for the NTFS kernel,
then why can't they release one for the Win9x kernel? Why aren't there DLLs that I can
unregister, or "features" that I can disable?

I had plans to make all Win98 machines secure by not connecting them to the Internet, and to
keep anything that could run XP using 2000, switching to Macs when PCs are forced to use their
TCP chips, and then finally learning to use a friendly form of Unix when there was a real
purpose like CompSci courses, but this exploit (I again figured that since the majority of
people had bought into M$'s tactics to force "upgrades", that virus writers would target the
NTFS kernel which had more undiscovered holes, because it had become the common medium, and
therefore NTFS exploits simply wouldn't work with Win98). Because of my dire life situation,
these plans have remained daydreams, until I can find some charitable help to give me a hand up
in building my future, but that I've never been able to find, needed because I simply don't
have the means to fix damage done by other people which has become too much for me to control...

Cool_X


Leythos wrote:
> In article ,
> cool_x_usenetSPAM@shawSPAM.ca says...
>
>>Just great, so this means the death of Win98 SE??? M$ could release a patch if they wanted to
>>(and should, because this is a critical security issue), but they will use any tactic possible
>>to force eXPensive upgrades. Even people who are using XP and 2000 who pirated it get a better
>>update service and all critical updates like this!!!
>>
>>If all 16-bit versions of Windows will be vulnerable (are you saying they won't release a patch
>>for Win ME that might work?), then this has HUGE implications for all machines that aren't fast
>>enough to run 2000. It's basically a death sentence towards ever going on the Internet.
>
>
> You have several options:
>
> 1) Having known that Windows 98 was no longer supported for many moons,
> you've had plenty of time to get a replacement or to determine to live
> with an Unsupported OS.
>
> 2) Develop a firewall/AV solution that works for your unsupported
> platform that limits your exposure.
>
> 3) Upgrade to Windows 2000 or XP on your existing hardware and live with
> the performance issues.
>
> 4) Get a new computer and newer OS - the OS could be Windows based or
> Linux based if you didn't want a fee-based OS. Fedora Core 4 is stable
> and works well on older as well as newer hardware.
>

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 05:37:29 von unknown

Post removed (X-No-Archive: yes)

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 05:45:26 von Cool_X

John,
I initially thought that article was a breath of fresh air...until I read the feedback.

I still feel screwed because I use IrfanView and M$ Office 2000, and from what I read, there's
no office suite, imaging program, browser or e-mail client that wouldn't be theoretically
vulnerable. So all that would have to happen is an infected WMF be renamed and then it would
automatically be viewed by whatever names itself the default. I just can't imagine living
without all of these programs...

Worse yet, it would be too easy to develop another variant of this virus that WILL hit every
Windows system, and not generate an error with attempts to read infected pictures.

This is why monopolization and unifying standards that M$ creates are truly dangerous (I
refused to use Windoze Media files and I have my firewall set to disable Windoze Media Player),
and to boot make M$ more money by destroying security, because they profit from sad schemes
like OneCare, not to mention their investment in "Trusted Computing" and the expletive DRM,
meaning that they'll still pursue invasion of privacy in a failed hope of security.

Cool_X


John Hyde wrote:
> on 1/2/2006 9:42 PM Todd H. said the following:
>
>> Cool_X writes:
>>
>>
>>> Can anyone please tell me a suitable workaround for Windows 98 SE?
>>> The M$ page only lists un-registering Shimgvw.dll on Windows XP
>>> Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
>>> Windows Server 2003 Service Pack 1.
>>>
>>> Please let me know about this.
>>>
>>> Cool_X
>>
>>
>>
>> Quoted from http://isc.sans.org/diary.php?storyid=994
>>
>> "Note: If you're still running on Win98/ME, this is a watershed
>> moment: we believe (untested) that your system is vulnerable and there
>> will be no patch from MS. Your mitigation options are very
>> limited. You really need to upgrade."
>>
>>
>> Best Regards,
>
>
> Turns out that this may not be true. Apparently the older versions of
> windows don't have a default *.WMF handler. Technically they are
> vulnerable, but for all practical purposes not. CAUTION: this will
> depend on your configuration. Here is one article that I found:
>
> http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx
>
> JH

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 17:41:05 von John Hyde

on 1/3/2006 8:45 PM Cool_X said the following:
> John,
> I initially thought that article was a breath of fresh air...until I
> read the feedback.
>
> I still feel screwed because I use IrfanView and M$ Office 2000, and
> from what I read, there's no office suite, imaging program, browser or
> e-mail client that wouldn't be theoretically vulnerable. So all that
> would have to happen is an infected WMF be renamed and then it would
> automatically be viewed by whatever names itself the default. I just
> can't imagine living without all of these programs...
>

Well, the only win 98 systems I run, while connected to the internet,
are not used in a way that puts them at risk.

While noodling around on the web last night, I saw that gibson research
(grc.com) offers a utility that is advertised as safely determining
whether a system is vulnerable. I know nothing more about it than that.
I know that some folks don't care for Gibson much, but AFAIK, he is a
"good guy."

JH

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 20:09:16 von Hoosier Daddy

"Cool_X" wrote in message news:sxDuf.14366$tl.12299@pd7tw3no...

> I think that if I don't have the DLL that the sites are asking me to unregister, then I'm
> either not affected or the exploit targets different files. Could anyone clarify this one way
> or another???

The unregistering of the dll only removes one vector into the vulnerable program, it
does not completely shut off all possible vectors. The vulnerability evidently is not
limited to one program, but to many programs that work to implement the vulnerable
feature in older Windows OSes.

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 04.01.2006 20:23:50 von Hoosier Daddy

"John Hyde" wrote in message news:11rnukup13pvpc4@corp.supernews.com...

> While noodling around on the web last night, I saw that gibson research
> (grc.com) offers a utility that is advertised as safely determining
> whether a system is vulnerable. I know nothing more about it than that.
> I know that some folks don't care for Gibson much, but AFAIK, he is a
> "good guy."

There is a subtle difference between determining if a system is vulnerable to
a given exploit and determining if a system has a given vulnerability.

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 05.01.2006 00:38:07 von cquirkenews

On Tue, 03 Jan 2006 22:58:19 GMT, Cool_X

>If all 16-bit versions of Windows will be vulnerable

Correction: Win95xx, 98xx and ME are not 16-bit Windows. They are a
family of 32-bit Windows that was developed to support Win32, Win16
and DOS programs, while the older NT family stressed reliability at
the expense of weaker Win16 and DOS support and heavier hardware
requirements. Because modern hardware meets NT's requirements and the
need for DOS and Win16 support has faded away, development of the
Win9x family ceased and NT was re-positioned to replace it as XP.



>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 05.01.2006 00:53:27 von comphelp

"cquirke (MVP Windows shell/user)" writes:

> On Tue, 03 Jan 2006 22:58:19 GMT, Cool_X
>
> >If all 16-bit versions of Windows will be vulnerable
>
> Correction: Win95xx, 98xx and ME are not 16-bit Windows. They are a
> family of 32-bit Windows that was developed to support Win32, Win16
> and DOS programs, while the older NT family stressed reliability at
> the expense of weaker Win16 and DOS support

This is a useful and well stated distinction.

However, for colloquial use, I like to brush 95/98/ME under the
"unstable 16-bit goofiness" rug and avoid it all like the plague.

--
Todd H.
http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 05.01.2006 02:11:33 von John Hyde

on 1/4/2006 11:23 AM Hoosier Daddy said the following:
> "John Hyde" wrote in message news:11rnukup13pvpc4@corp.supernews.com...
>
>
>>While noodling around on the web last night, I saw that gibson research
>>(grc.com) offers a utility that is advertised as safely determining
>>whether a system is vulnerable. I know nothing more about it than that.
>> I know that some folks don't care for Gibson much, but AFAIK, he is a
>>"good guy."
>
>
> There is a subtle difference between determining if a system is vulnerable to
> a given exploit and determining if a system has a given vulnerability.
>
>

True. But for the OP, it might be helpful to know if vulnerable to the
given exploit.

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 05.01.2006 02:32:59 von Anonymous

Hey cquirke,

Sorry to jump into this thread.
I just wanted to get your attention.
Please read my repost of a question to you in
microsoft.public.windowsxp.general
regarding a totally different subject. I think you missed it the first time
I posted it.
The subject line starts with "cquirke" and I am posting it at the same time
that I am
posting this message.

Thanks,

M.B.

"cquirke (MVP Windows shell/user)" wrote in
message news:fsmor111c6elvea6l8lj3buaf38h22mmu3@4ax.com...


Re: Spy Sheriff - so how do people get infected w/ this thing?

am 05.01.2006 05:26:50 von John Hyde

On 1/3/2006 7:39 PM, Todd H. wrote:
> Cool_X writes:
>
>
>>Todd,
>>No, I really don't think I have that DLL because I keep getting the error message:
>>
>>"RegSvr32
>>
>>LoadLibrary("%windir%\system32\shimgvw.dll") failed .
>>GetLastError returns 0x00000485."
>>
>>What missing backslashes are you talking about, and what else can I
>>do?
>
>
> the missing backslashes I mentioned were from the sans.org diary
> (their editor keeps eating them evidently), but accordingly to the
> error message you have them.
>
> Check c:\windows\system32 directory and see if shimgvw.dll is there.
> Maybe the mapping of %windir% is goofed up on your system? Dunno.
>
>
No, Win 98SE does not have this DLL.

Does not mean it's not vulnerable to the WMF hole, just not the shimgvw
exploit.

JH
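Todd's suggestion above (look in system32 for shimgvw.dll before touching anything) as a small script, for anyone working through this on a 2000/XP box. This is an added example, not code from the thread or from Microsoft. It assumes the path %windir%\system32\shimgvw.dll named in Cool_X's regsvr32 error, and the regsvr32 -u workaround Microsoft published for XP/2003 that Cool_X mentions earlier in the thread. The error 0x00000485 Cool_X saw is 1157 decimal, ERROR_DLL_NOT_FOUND, which is exactly what LoadLibrary returns when the file is not there; the script checks for the file first so it reports that plainly. It uses set /p and if /i, which exist in cmd.exe on NT/2000/XP but not in Win9x COMMAND.COM, so it will not run on 98SE (where, as JH notes, the DLL is absent anyway).

```batch
@echo off
rem Added example, not from the thread: report whether shimgvw.dll is present
rem before running the unregister workaround, so a system without the file
rem gets a plain answer instead of LoadLibrary error 0x485
rem (1157 decimal, ERROR_DLL_NOT_FOUND).
rem Needs cmd.exe on 2000/XP: "set /p" and "if /i" are not in Win9x COMMAND.COM.
setlocal enableextensions
set "DLL=%windir%\system32\shimgvw.dll"

if not exist "%DLL%" (
    echo %DLL% is not present, so there is nothing to unregister.
    echo Note: absence of this file does not by itself mean the WMF issue is absent.
    goto :done
)

echo Found "%DLL%".
set /p ANSWER=Unregister it now using the Microsoft workaround? [y/N] 
if /i not "%ANSWER%"=="y" goto :done

rem -u removes the registration and shows a confirmation box; running the
rem same command without -u restores the viewer once a patch is installed.
regsvr32 -u "%DLL%"
if errorlevel 1 echo regsvr32 returned an error; the DLL is probably still registered.

:done
endlocal
```

Run it from an administrative account, since regsvr32 writes to HKEY_CLASSES_ROOT. As Hoosier Daddy points out later in the thread, unregistering this one DLL only closes one path into the vulnerable code, so treat a "not present" result as "this particular workaround does not apply", nothing more.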

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 05.01.2006 13:34:22 von cquirkenews

On 04 Jan 2006 17:53:27 -0600, comphelp@toddh.net (Todd H.) wrote:
>"cquirke (MVP Windows shell/user)" writes:
>> On Tue, 03 Jan 2006 22:58:19 GMT, Cool_X

>> >If all 16-bit versions of Windows will be vulnerable
>>
>> Correction: Win95xx, 98xx and ME are not 16-bit Windows. They are a
>> family of 32-bit Windows that was developed to support Win32, Win16
>> and DOS programs, while the older NT family stressed reliability at
>> the expense of weaker Win16 and DOS support

>This is a useful and well stated distinction.

>However, for colloquial use, I like to brush 95/98/ME under the
>"unstable 16-bit goofiness" rug and avoid it all like the plague.

As you wish, but it's technically inaccurate and undermines
credibility. The "goofiness" you describe is often due to the
different design goals of Win9x (specifically, the need to allow
legacy software direct access to hardware) than any 16-bit
considerations, with two notable exceptions:

1) Resource heaps

Win9x uses new 32-bit resource heaps, but still locates some
structures within legacy 16-bit heaps to appease certain old apps that
broke the "use the documented API, idiot" rule. Reportedly, MS Excel
was one of these rogue apps.

So while it doesn't deplete heaps as fast as Win3.yuk may do, heap
issues remain a core weakness.

2) Shared VM for 16-bit apps

Win9x pre-emptively multitasks Win32 and DOS apps, each within their
own VM, but lumps all Win16 apps within a single VM that is then
pre-emptively time-sliced along with the others. Within this shared
VM, the Win16 apps are competitively (sorry, "co-operatively")
multitasked as they would be in Win3.yuk

There are two drawbacks to this. Firstly, poor multitasking is likely
between multiple Win16 apps within this VM. Secondly, any resource
heap leakage by any Win16 app cannot be cleaned up until all Win16
apps have ended, as only then can Win9x close the VM and recover
outstanding resource heap allocations (which Win3.yuk never did).


A lot of the 16-bit code within Win9x is finely-tuned, stable code
written in assembler. Re-using this code was a big factor in keeping
the OS small enough to fit within 4M RAM, and there would have likely
been more stability issues had an attempt been made to re-write this
code in 32-bit assembler.

Well-tested, stable code is something worth clinging to; failure to do
so has been mooted as the reason why Netscape died after they decided
to scrap everything they'd written and restart from scratch - costs
and testing time escalated beyond all expectations.



>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 05.01.2006 13:36:03 von cquirkenews

On Wed, 4 Jan 2006 20:32:59 -0500, "Marianne B."

>Hey cquirke,

Hi!

>Sorry to jump into this thread.
>I just wanted to get your attention.
>Please read my repost of a question to you in
>microsoft.public.windowsxp.general
>regarding a totally different subject. I think you missed it the first time
>I posted it.
>The subject line starts with "cquirke" and I am posting it at the same time
>that I am posting this message.

I'll look out for it, though that ng is so busy I might well miss it.
If I do, you can email it to me at:

cquirkenews at mvps.org



>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 05.01.2006 16:23:32 von comphelp

"cquirke (MVP Windows shell/user)" writes:

> Well-tested, stable code is something worth clinging to;

Agreed. If only it were well tested and stable.

Are you hinting that Windows 98 was stable vs win2k/xp? If so your
experience is VERY different from my own.

--
Todd H.
http://www.toddh.net/

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 06.01.2006 18:12:25 von cquirkenews

On 05 Jan 2006 09:23:32 -0600, comphelp@toddh.net (Todd H.) wrote:
>"cquirke (MVP Windows shell/user)" writes:

>> Well-tested, stable code is something worth clinging to;

>Agreed. If only it were well tested and stable.

*that* part of the code base was well-tested and stable ;-)

>Are you hinting that Windows 98 was stable vs win2k/xp? If so your
>experience is VERY different from my own.

No, not at all. NT is more stable than Win9x because it is designed
to a brief that allowed it to avoid the compromises that destabilize
Win9x. Regarding that re-used 16-bit code, the NT approach most
likely avoided the stability risks by *not* rewriting the code in raw
assembler, but doing this in a higher-level language instead, and
accepting the fact that more RAM would be required as a result.

The only place the 16-bit OS code (as opposed to other factors
mentioned, such as legacy heaps, 16-bit app multitasking, and exposure
to raw hardware access) came up as a problem was when running these
OSs on the first truly 32-bit-orientated processor, the Pentium Pro.

This processor was optimised for 32-bit code, and ran 16-bit code
pretty slowly. But just as the US software industry was trying to
roll out a brave new world (NT development, OS/2, Win9x), there was a
crisis in RAM pricing and availability - and suddenly, no-one wanted
to know about OSs that needed 16M RAM.

When comparing DOS/Win3.yuk, Win95 and NT, NT ran fastest on the PPro,
DOS/Win9x ran slowest (much as it would on Pentium) and Win95 fell in
between, due to that core 16-bit code.

When the PPro design was re-released for general use as the Pentium II,
the 16-bit code handling had been speeded up; that, plus the dropping
of the planned 200MHz model, helped the PII to be "faster than the
PPro" (which otherwise out-performed the PII on 32-bit code, due to the
full-speed interconnect between core and L2 cache).



>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 07.01.2006 02:43:44 von af380

On Mon, 2 Jan 2006, Bruce Chambers wrote:

> R. McCarty wrote:
> > What about the latest Wmf exposure with IE ? - If I understand it
> > correctly, it requires only the visiting of an infected web site.
> > Here's an interesting FAQ on it:
> > http://isc.sans.org/diary.php?rss&storyid=994
> >
> >
>
> I never claimed that the danger didn't exist, only that it was a
> relatively rare, compared to the malware distributors who rely upon the
> uninformed or lazy consumer.

http://www.f-secure.com/weblog/archives/archive-122005.html

[snip]
: Saturday, December 31, 2005
: [3] First WMF worm found Posted by Mikko @ 18:46 GMT
[snip]
: So far, we've only seen this exploit being used to install spyware or
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: fake antispyware / antivirus software on the affected machines. I'm
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: afraid we'll see real viruses using this soon.
:
: We've seen 57 different versions of malicious WMF files so far. We
: detect them all as [13] PFV-Exploit.
[snip]

--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
af380@chebucto.ns.ca [=||=] (At the Sign of the Flashing Cursor)
"Oh how I miss the days when it was easier to catch gonorrhea than a
computer virus." -- Big Will in alt.comp.virus, March 9, 2005

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 07.01.2006 03:04:27 von af380

On Tue, 3 Jan 2006, Cool_X wrote:

[reformatted for line length]
> Just great, so this means the death of Win98 SE??? M$ could release a
> patch if they wanted to (and should, because this is a critical security
> issue), but they will use any tactic possible to force eXPensive
> upgrades. Even people who are using XP and 2000 who pirated it get a
> better update service and all critical updates like this!!!

If I find that an upgrade is really necessary in order to feel safe,
the installation CD (once I get a CD reader installed) won't be any
version of Windows but, more likely, a version of Linux.

--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
af380@chebucto.ns.ca [=||=] (At the Sign of the Flashing Cursor)
"Oh how I miss the days when it was easier to catch gonorrhea than a
computer virus." -- Big Will in alt.comp.virus, March 9, 2005

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 07.01.2006 03:30:03 von af380

On Thu, 5 Jan 2006, cquirke (MVP Windows shell/user) wrote:

> On Tue, 03 Jan 2006 22:58:19 GMT, Cool_X
>
> >If all 16-bit versions of Windows will be vulnerable
>
> Correction: Win95xx, 98xx and ME are not 16-bit Windows. They are a
> family of 32-bit Windows that was developed to support Win32, Win16
> and DOS programs, while the older NT family stressed reliability at
> the expense of weaker Win16 and DOS support and heavier hardware
> requirements. Because modern hardware meets NT's requirements and the
^^^
> need for DOS and Win16 support has faded away, development of the
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Win9x family ceased and NT was re-positioned to replace it as XP.

Really?

"Doctor DOS' DOS Site" (not my site) is the most popular site at my ISP:
http://www.chebucto.ns.ca/~ak621/DOS/index.html

The statistics for this month and last month:

http://www.chebucto.ns.ca/cgi-bin/urlstats?~ak621/DOS

: Number of visits to main page of /~ak621/DOS/
:
: * Yesterday: 41
: * This month: 157
: * Last month: 948
:
: Number of visits to URLs that match /~ak621/DOS
:
: * Yesterday: 23635
: * This month: 85162
: * Last month: 518878

More than half a million accesses to the site last month. There is also
DR DOS and FreeDOS. The *need* for support of *MS-DOS* is artificially
induced by Microsoft themselves.

--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
af380@chebucto.ns.ca [=||=] (At the Sign of the Flashing Cursor)
"Oh how I miss the days when it was easier to catch gonorrhea than a
computer virus." -- Big Will in alt.comp.virus, March 9, 2005

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 08.01.2006 18:58:58 von cquirkenews

On Fri, 6 Jan 2006 22:30:03 -0400, "Norman L. DeForest"
>On Thu, 5 Jan 2006, cquirke (MVP Windows shell/user) wrote:
>> On Tue, 03 Jan 2006 22:58:19 GMT, Cool_X

>> Because modern hardware meets NT's requirements and the
>> need for DOS and Win16 support has faded away, development of the
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> Win9x family ceased and NT was re-positioned to replace it as XP.
>
>Really?

>"Doctor DOS' DOS Site" (not my site) is the most popular site at my ISP:
> http://www.chebucto.ns.ca/~ak621/DOS/index.html

I can think of three aspects to "DOS":

1) Running legacy apps written for DOS

This is what I was referring to above. In Win9x DOS apps run each in
their own VM with Win9x as the kernel, and that means the DOS app gets
(deep breath): native XMS, EMS, DPMS (but not UMB) memory management
including virtual memory, native LAN, mouse, CD-ROM, VESA and sound
support, dynamic disk caching and fileshare management, ability to
shell Windows apps, LFN support if the "DOS" app supports that (rare
unless it's part of Win9x DOS file set) and...er, other stuff that
I've listed before but can't remember now.

It can be surprising how well this works! Sometimes I have DOS games
that crash or don't have sound in DOS mode, that work in Win9xGUI
mode, and I could run DOS games that "need 8M RAM" in Win9x GUI with
8M RAM while leaving apps like Word open. Yes, this probably worked
by flushing everything else to disk and scaling down the dynamic disk
cache, but in DOS mode I'd have had to manually parameter SmartDrv to
use a lower memory allocation or the game would not work.

Another mind-boggling example from the first days of Win95; I ran
Terminate, which was a DOS terminal emulator that allowed arbitrary
DOS apps to be shelled while swapping itself out via its own
proprietary paging-to-disk scheme. This locked up hard in Win3.yuk,
but in Win95 it not only ran, but I could hotkey-launch Windows apps
like Excel from within the DOS app, as well as choose whether to launch
DOS apps within the same window or in separate windows (and thus
separate VMs that Win95 would pre-emptively multi-task).

But all of this beautiful compatibility also meant allowing the DOS
app to access hardware directly, and that could lock up the system,
even when the same DOS app worked in DOS mode (e.g. Lap Link 3 when
used to transfer data via parallel port). This is the stability gain
that NT enjoys, at the expense of affected DOS apps (including almost
all games) silently aborting when run within NT/W2000/XP.

When computational power and resources become n times stronger than an
old environment that is to be supported, as is the case with DOS and
XP, it may be better to emulate the environment (as if it was an alien
one, like a ZX Spectrum) rather than support it directly. Not only
does this avoid the stability/compatibility (pick one) problem, the
extra power can be used to pad timings so that old apps that would
crash because timing loops overrun or RAM is "too big" and wraps
around, would be more likely to work.

2) Command Line Interface

This is what your URL is all about. The strength of the CLI is that
if you know how to do something interactively, you also know how to do
it programmatically (i.e. via a batch file). The strength of the GUI
is that if you don't know how to do something, you can bluff along
as you go by clicking on what is offered to you.

The trouble with GUI is that if you want to automate something
programmatically, nothing you have learned will help you at all. Yes,
there are "visual" macro recorders etc. but while this approach is
great for UI design, it doesn't help with coding logic.

There are three sets of free scripting languages in modern Windows.

First, there are the WSH scripting languages, which I bounced off as
being tough to learn. You can't just jump in and do stuff, without
defining objects and blah blah blah first, and that's a learning curve
that normal batch skills do not help you climb.

Second, there's the NT-enhanced batch language, which really goes
quite far to make this into something you can really do things with.
You can derive path segments of an object, do string slicing, input
values from the command line and so on...but only in NT/W2000/XP.

Third, there's the original DOS batch language as implemented in
Win9x, and while this has a few nice additions (Long File Names, the
Start and Start /W commands, etc.) it's still quite limited.

CLI is alive and well in NT/W2000/XP, for all three of these languages
as well as for interactive use. When the shell gets bloated, polluted
or is just plain buggy (Win9x + IE 6), a CLI window is where you can
get things done interactively, often faster than the GUI.

3) Maintenance OS (mOS)

This is my primary concern, and the only one that requires DOS to run
as an OS, rather than as a process under Windows with Windows as the
(superior) underlying kernel.

As an OS, DOS (mode) is dying because current hardware is either
invisible to it (optical writers, USB sticks, Windows printers, NTFS)
or is dangerously incompatible with it (HD > 137G, Long File Names).

The only reason we still seek to use it, is because nothing better
exists as provided with XP. Today's premier mOS is Bart PE, but it's
non-trivial to walk someone through setting this up, along with
RunScanner and plugins for the Windows tools they'd want to use.

http://cquirke.mvps.org/whatmos.htm covers that; it was written before
I really grokked Bart, so it understates how useful Bart really is.

As OS versions evolved and users were assumed to be less and less
tech-savvy, I've watched the maintainability of Windows get
progressively worse, until it is all but unsalvageable.

From being able to spawn bootable diskettes at will, we now have no
non-HD bootable OS at all. From interactive Scandisk we have
descended to auto-fixing AutoChk and "trust me" ChkDsk, with a UI
dating from the DOS 5 stone age. Even the paltry ability to
re-install the OS (complete with incompetencies in creating large
FAT32 volumes) is broken as soon as a Service Pack is installed,
because you cannot generate a replacement up-to-date installation CD.

And when it comes to salvaging data or a complete installation, it
gets worse - XP can't survive a file-level copy from one HD to
another, PnP's itself to death if the mobo changes, will probably
refuse to work (Product Activation) in such circumstances, and there
is a dearth of data recovery and manual repair tools for NTFS.

Finally, the very common need to exclude and manage active malware is
not addressed at all. Safe Mode is less safe (i.e. runs more
integrations) than it was in Win9x, and there's no mOS to host formal
virus scanning and cleanup procedures.

By now, we have Bart, but it's not a no-brainer and is seldom
recommended here because it's "too difficult". It's like "well, you
really need surgery to remove that malignant melanoma, but that's 'too
difficult' to explain from the cosmetics counter, so try this
skin-color cream that will hide it instead".

When Vista comes out, one expects Bart to be no longer compatible;
NTFS will have grown new and structurally-undocumented "features", for
one thing. One truly hopes this time the hood won't be welded shut,
and we will have a spare wheel in the trunk, i.e. a non-HD-booted mOS.



>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -
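The NT-only batch features listed under "Command Line Interface" above (path segments, string slicing, input from the command line), shown together in one script. This is an added example, not code from the thread; it is written for cmd.exe on 2000/XP with command extensions enabled, and, as the post says, none of it works in the Win9x COMMAND.COM batch language. The file path it takes as an argument is whatever the reader supplies; there is no assumption about a particular file.

```batch
@echo off
rem Added example, not from the thread: the NT-only batch features mentioned
rem above (path segments, string slicing, command-line input), written for
rem cmd.exe on 2000/XP. None of it works in the Win9x COMMAND.COM batch language.
rem Usage: pathinfo.cmd C:\path\to\some\file.ext   (or run with no argument)
setlocal enableextensions

rem Input from the command line: use the first argument, or prompt with set /p.
if "%~1"=="" (
    set /p TARGET=Enter a file path: 
) else (
    set "TARGET=%~1"
)

rem Path segments: the ~ modifiers split a parameter or loop variable into
rem drive (d), path (p), name (n), extension (x) and full path (f).
for %%F in ("%TARGET%") do (
    echo Drive:      %%~dF
    echo Directory:  %%~pF
    echo Name:       %%~nF
    echo Extension:  %%~xF
    echo Full path:  %%~fF
)

rem String slicing: %VAR:~start,length%; a negative start counts from the end.
set "STAMP=%DATE% %TIME%"
echo Date part:  %STAMP:~0,10%
echo Last 8:     %STAMP:~-8%

rem Substitution: %VAR:old=new%
echo With forward slashes: %TARGET:\=/%

endlocal
```

The ~ modifiers work on %1..%9 as well as on for-loop variables, which is what makes a batch file able to locate its own directory (%~dp0) without hard-coding a path; that is the "derive path segments of an object" the post refers to.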

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 08.01.2006 19:25:04 von Gabriele Neukam

On that special day, cquirke (MVP Windows shell/user),
(cquirkenews@nospam.mvps.org) said...

> Even the paltry ability to
> re-install the OS (complete with incompetencies in creating large
> FAT32 volumes) is broken as soon as a Service Pack is installed,
> because you cannot generate a replacement up-to-date installation CD.

http://www.helpwithwindows.com/WindowsXP/winxp-sp2-bootcd.html

might help a bit.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 10.01.2006 14:13:40 von Volker Birk

"cquirke (MVP Windows shell/user)" wrote:
> On Tue, 03 Jan 2006 22:58:19 GMT, Cool_X
> >If all 16-bit versions of Windows will be vulnerable
> Correction: Win95xx, 98xx and ME are not 16-bit Windows. They are a
> family of 32-bit Windows that was developed to support Win32, Win16
> and DOS programs, while the older NT family stressed reliability at
> the expense of weaker Win16 and DOS support and heavier hardware
> requirements. Because modern hardware meets NT's requirements and the
> need for DOS and Win16 support has faded away, development of the
> Win9x family ceased and NT was re-positioned to replace it as XP.

Nice tale. Unfortunately it's nonsense.

Yours,
VB.
--
A vision statement is, as a rule, the aimless babble of a horde of
cranks who are out of touch with reality.
Dietz Pröpper in d.a.s.r

Re: Spy Sheriff - so how do people get infected w/ this thing?

am 16.01.2006 23:54:34 von af380

On Sun, 8 Jan 2006, cquirke (MVP Windows shell/user) wrote:

> On Fri, 6 Jan 2006 22:30:03 -0400, "Norman L. DeForest"
> >On Thu, 5 Jan 2006, cquirke (MVP Windows shell/user) wrote:
> >> On Tue, 03 Jan 2006 22:58:19 GMT, Cool_X
>
> >> Because modern hardware meets NT's requirements and the
> >> need for DOS and Win16 support has faded away, development of the
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >> Win9x family ceased and NT was re-positioned to replace it as XP.
> >
> >Really?
>
> >"Doctor DOS' DOS Site" (not my site) is the most popular site at my ISP:
> > http://www.chebucto.ns.ca/~ak621/DOS/index.html
>
> I can think of three aspects to "DOS":
>
> 1) Running legacy apps written for DOS
[regretful snip]
>
> 2) Command Line Interface
>
> This is what your URL is all about. The strength of the CLI is that
> if you know how to do something interactively, you also know how to do
> it programmatically (i.e. via a batch file). The strength of the GUI
> is that if you don't know how to do something, you can bluff along
> as you go by clicking on what is offered to you.
>
> The trouble with GUI is that if you want to automate something
> programmatically, nothing you have learned will help you at all. Yes,
> there are "visual" macro recorders etc. but while this approach is
> great for UI design, it doesn't help with coding logic.
>
> There are three sets of free scripting languages in modern Windows.
>
> First, there are the WSH scripting languages, which I bounced off as
> being tough to learn. You can't just jump in and do stuff, without
> defining objects and blah blah blah first, and that's a learning curve
> that normal batch skills do not help you climb.
>
> Second, there's the NT-enhanced batch language, which really goes
> quite far to make this into something you can really do things with.
> You can derive path segments of an object, do string slicing, input
> values from the command line and so on...but only in NT/W2000/XP.
>
> Third, there's the original DOS batch language as implemented in
> Win9x, and while this has a few nice additions (Long File Names, the
> Start and Start /W commands, etc.) it's still quite limited.

Fourth, there is the shareware 4NT and the (now) freeware 4DOS replacement
command shells. 4DOS can be downloaded from:
http://www.jpsoft.com/download.htm#free

More 4DOS links can be found on my site at:
http://www.chebucto.ns.ca/~af380/4d.html

> CLI is alive and well in NT/W2000/XP, for all three of these languages

... and with 4NT ...

> as well as for interactive use. When the shell gets bloated, polluted
> or is just plain buggy (Win9x + IE 6), a CLI window is where you can
> get things done interactively, often faster than the GUI.
>
> 3) Maintenance OS (mOS)
>
> This is my primary concern, and the only one that requires DOS to run
> as an OS, rather than as a process under Windows with Windows as the
> (superior) underlying kernel.
>
> As an OS, DOS (mode) is dying because current hardware is either
> invisible to it (optical writers, USB sticks, Windows printers, NTFS)
> or is dangerously incompatible with it (HD > 137G, Long File Names).
[another regretful snip]

As the "Doctor DOS" site indicates, DOS is *not* dead. The webmaster
of that site uses DOS exclusively. In fact, he doesn't even have a
single Windows machine.

(He is about to give a special presentation on the DOS command-line
interface this coming Saturday.)

--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
af380@chebucto.ns.ca [=||=] (At the Sign of the Flashing Cursor)
For Chip's Challenge type puzzles in JavaScript see:
http://www.chebucto.ns.ca/~af380/games.html#Chip2