Re: False positive?



On Sun, 8 Apr 2007 16:28:02 -0400, Daave wrote:

Okay, this is a new one.

(I'm running 98 SE)

On a whim, I decided to do the Symantec online virus scan. The message:

Your computer is infected with at least one known virus or Trojan horse.

c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse

---------------------------------------------------------------
<Snip>

I would say it is very likely there is a problem due to the fact that
Windows Messenger is very susceptible to buffer overflow problems.

From http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=26347

"Microsoft Windows Messenger Service contains a vulnerability that can
allow an attacker to cause a denial of service or possibly execute
arbitrary code. The vulnerability is due to the Messenger service failing
to validate the size of a message before processing it. Attackers can
exploit the vulnerability by sending a carefully constructed message to the
Messenger Service to overflow the allocated buffer."

From http://secunia.com/advisories/10012/ which lists this vulnerability
as "Highly Critical":

"Microsoft has issued patches for Microsoft Windows to fix a buffer
overflow vulnerability in Messenger Service, which could lead to execution
of arbitrary code.

The problem is that the Messenger Service doesn't verify the length of
messages. This allows malicious people to send messages, which causes a
buffer overflow that may allow execution of arbitrary code.

The vulnerability only affects systems where the Messenger Service is
enabled.

The Messenger Service is disabled by default on Microsoft Windows 2003."

This could be a real problem with Windows 98 no longer being supported, as
(according to this site) patches are only available for newer systems.

However, the F-Secure AV website has info on how to block this vulnerability:

"How to block buffer overflow attack
Solution / Workaround
1) Create a service definition for the Windows messaging service.
- open the IS/DFW advanced GUI
- click on the "Services" tab
- click on "Add..."
- Write description: Windows Messenger Service
- click "Next"
- Choose protocol: UDP (17)
- check "Allow broadcasts" and "Allow multicasts"
- Edit the initiator ports (click "Edit...")
- click on the entry that says 1024-65535
- in the "Range" starting field, change start value to 1.
- click "Add to list"
- remove the 1024-65535 entry, leaving only the new one
- click "OK"
- Edit the responder ports (click "Edit...")
- write 135 in the "Single" input field
- click "Add to list" and

2) Create a deny service to block this traffic:
- click on the "Rules" tab
- click the "Add..." button
- choose "Deny"
- define a rule name, e.g. Inbound Windows Messenger traffic
- click "Next"
- make sure "Any IP address" is checked and click "Next"
- check the Windows Messenger Service you created in 1)
- mark it as inbound (by clicking the question mark until the inbound arrow
is shown)
- click "Next"
- choose "No alert" (or alerting if you want) and press "Next"
- click "Finish"

You are now protected."

I hope the little bit of info I've provided helps in some way.

--
Posted via a free Usenet account from http://www.teranews.com
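As an added illustration (not part of the original post or of F-Secure's instructions), here is a small Python model of the inbound deny rule from the workaround above. It shows why step 1 changes the initiator port range from the GUI's default 1024-65535 to 1-65535: a rule keyed only to ephemeral source ports leaves UDP/135 reachable from low source ports. The Datagram and DenyRule names and the sample addresses are constructed assumptions, not anything from the firewall product.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    """Minimal model of one inbound UDP datagram (constructed sample data)."""
    src_ip: str
    src_port: int
    dst_port: int
    proto: str = "UDP"


@dataclass(frozen=True)
class DenyRule:
    """Inbound deny rule in the style of the F-Secure service definition:
    protocol, initiator (source) port range, responder (destination) port."""
    proto: str
    initiator_ports: tuple  # (low, high), inclusive
    responder_port: int

    def matches(self, d: Datagram) -> bool:
        low, high = self.initiator_ports
        return (d.proto == self.proto
                and low <= d.src_port <= high
                and d.dst_port == self.responder_port)


# Rule as it would look with the GUI's default initiator range (1024-65535)
# versus the corrected range from the workaround (start value changed to 1).
DEFAULT_RULE = DenyRule("UDP", (1024, 65535), 135)
HARDENED_RULE = DenyRule("UDP", (1, 65535), 135)


def is_blocked(rule: DenyRule, d: Datagram) -> bool:
    """True if the deny rule would drop this inbound datagram."""
    return rule.matches(d)


def coverage_gap(rule: DenyRule) -> list:
    """Source ports (1-65535) from which UDP to the responder port
    is NOT covered by the rule; empty means the rule is complete."""
    low, high = rule.initiator_ports
    return [p for p in range(1, 65536) if not (low <= p <= high)]


# Constructed sample traffic: ephemeral source port, low source port,
# and a datagram to a different destination port (not Messenger/135).
SAMPLES = [
    Datagram("192.0.2.10", 4321, 135),
    Datagram("192.0.2.10", 53, 135),
    Datagram("192.0.2.10", 4321, 137),
]
```

Running `coverage_gap(DEFAULT_RULE)` lists the 1023 low source ports the default range misses, which is exactly the gap the "change start value to 1" step closes.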