WMF Vulnerability patch for win98 etc., REALTIME LOG

Discussion in 'Computer Security' started by Peter, Jan 5, 2006.

  1. Peter

    Peter Guest

    Decided to install it. For the patch see:

    http://www.nod32.ch/en/download/tools.php

    Below is the realtime log generated by INCTRL4 utility on a win98se PC.
    Note that I installed it to a non-default folder. The key thing to note
    is the line:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe

    This causes the patch to run on bootup (as intended).

    regards,

    Peter//


    **************REALTIME LOG OF INSTALL OF WMFPATCH from
    nod32.ch******************

    Installation report: Install
    (generated by INCTRL 4, version 1.1.0.0)
    Install program: E:\Download\FileTemp\Install.exe
    Thursday, January 5, 2006 05:18 PM
    Windows 98se
    Notification by Real-time reporting

    NO CHANGES MADE TO c:\windows\win.ini...

    NO CHANGES MADE TO c:\windows\system.ini...

    NO CHANGES MADE TO c:\windows\control.ini...

    REGISTRY KEYS ADDED: (1)
    ---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GDI32
    - WMF Patch

    REGISTRY KEY VALUES ADDED: (3)
    ---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GDI32
    - WMF Patch\ DisplayName=GDI32 - WMF Patch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GDI32
    - WMF Patch\ UninstallString=D:\PROGRAMS\WMFPATCH\UNWISE.EXE
    D:\PROGRAMS\WMFPATCH\INSTALL.LOG
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe

    FILES ADDED: (7)
    ---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
    D:\PROGRAMS\WMFPATCH\UNWISE.EXE
    D:\PROGRAMS\WMFPATCH\GDIHOOK.DLL
    D:\PROGRAMS\WMFPATCH\INJECT.EXE
    D:\PROGRAMS\WMFPATCH\INSTALL.LOG

    FILES DELETED: (10)
    ---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
    C:\WINDOWS\TEMP\~GLH0000.TMP
    D:\PROGRAMS\WMFPATCH\~GLH0001.TMP
    D:\PROGRAMS\WMFPATCH\TEMP.000
    D:\PROGRAMS\WMFPATCH\~GLH0003.TMP
    D:\PROGRAMS\WMFPATCH\~GLH0005.TMP
    C:\WINDOWS\TEMP\GLJ1290.TMP
    C:\WINDOWS\TEMP\GLC1290.TMP

    FILES CHANGED: (1)
    ---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
    C:\WINDOWS\APPLOG\APPLOG.IND

    DIRECTORIES ADDED: (1)
    ---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
    D:\PROGRAMS\WMFPATCH

    DIRECTORIES DELETED: (2)
    ---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
    D:\PROGRAMS\WMFPATCH
    ---by process D:\PROGRAMS\WMFPATCH\INJECT.EXE
    C:\WINDOWS\TEMP\INJECT.MADEXCEPT

    ***********END************************************
     
    Peter, Jan 5, 2006
    #1

  2. Peter

    Guest

    On Thu, 05 Jan 2006 18:50:28 +0000, Peter <"veryhjdf"@kk.zz$> spewed:
    >Decided to install it. For the patch see:
    >
    >http://www.nod32.ch/en/download/tools.php
    >
    >Below is the realtime log generated by INCTRL4 utility on a win98se PC.
    >Note that I installed it to a non-default folder. The key thing to note
    >is the line:
    >
    >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    >GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe
    >
    >This causes the patch to run on bootup (as intended).
    >
    >regards,
    >
    >Peter//
    >


    Does it need to run all the time, or is it a run once?
    So you're saying you have to change that line to how you have it or it
    won't work?




    --
    _____________________________________________________
    For email response, or CC, please mailto:see.my.sig.4.addr(at)bigfoot.com.
    Yeah, it's really a real address :)
     
    , Jan 6, 2006
    #2

  3. Peter

    Peter Guest

    lid wrote:
    >
    > On Thu, 05 Jan 2006 18:50:28 +0000, Peter <"veryhjdf"@kk.zz$> spewed:
    > >Decided to install it. For the patch see:
    > >
    > >http://www.nod32.ch/en/download/tools.php
    > >
    > >Below is the realtime log generated by INCTRL4 utility on a win98se PC.
    > >Note that I installed it to a non-default folder. The key thing to note
    > >is the line:
    > >
    > >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    > >GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe
    > >
    > >This causes the patch to run on bootup (as intended).
    > >
    > >regards,
    > >
    > >Peter//
    > >

    >
    > Does it need to run all the time, or is it a run once?
    > So you're saying you have to change that line to how you have it or it
    > won't work?



    That line is a registry setting which loads the patch on every win98
    boot. So it runs all the time that win98 is running.

    But if you want to stop it running do ALT + Ctrl + Del and cancel it.
    But it uses absolutely minimal resources, so I leave it running all the
    time.

    BTW no WMF exploit has yet been discovered for win98. But it's only
    prudent to install this patch IMO.

    Peter//


    <snip>
     
    Peter, Jan 6, 2006
    #3
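
Added example, not part of any post in this thread: a Python sketch that parses an INCTRL4-style report like the one in post #1, rejoins its wrapped registry lines, and lists values written under the Run-family autostart keys, noting whether each target is a file the installer itself dropped. The function names and the autostart key list are assumptions of this example; the sample text is an excerpt of the posted log.

```python
import re

# Excerpt of the INCTRL4 report posted above, with its line wrapping kept.
REPORT = r"""
REGISTRY KEY VALUES ADDED: (3)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GDI32
- WMF Patch\ DisplayName=GDI32 - WMF Patch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe

FILES ADDED: (7)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
D:\PROGRAMS\WMFPATCH\GDIHOOK.DLL
D:\PROGRAMS\WMFPATCH\INJECT.EXE
"""

AUTOSTART = ("run", "runonce", "runservices", "runservicesonce")  # checked keys
HEADER = re.compile(r"^([A-Z ]+): \(\d+\)$")

def sections(report):
    """Map each section header to its records, rejoining wrapped registry lines."""
    out, name = {}, None
    for line in map(str.strip, report.splitlines()):
        m = HEADER.match(line)
        if m:
            name = m.group(1)
            out[name] = []
        elif name is None or not line or line.startswith("---by process"):
            continue
        elif name.startswith("REGISTRY") and out[name] and not line.startswith("HKEY_"):
            prev = out[name][-1]  # continuation of a wrapped registry record
            out[name][-1] = prev + ("" if prev.endswith("\\") else " ") + line
        else:
            out[name].append(line)
    return out

def autostart_entries(report):
    """Return (key, value name, command, dropped_by_installer) for autostart values."""
    sec = sections(report)
    dropped = {p.lower() for p in sec.get("FILES ADDED", [])}
    found = []
    for record in sec.get("REGISTRY KEY VALUES ADDED", []):
        path, _, command = record.partition("=")
        key, _, value = path.rpartition("\\")
        if key.lower().rpartition("\\currentversion\\")[2] in AUTOSTART:
            found.append((key, value.strip(), command, command.lower() in dropped))
    return found

print(autostart_entries(REPORT))
```
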
  4. Peter

    Guest

    On Fri, 06 Jan 2006 10:44:45 +0000, Peter <"veryhjdf"@kk.zz$> spewed:
    >> >Decided to install it. For the patch see:
    >> >
    >> >http://www.nod32.ch/en/download/tools.php
    >> >
    >> >Below is the realtime log generated by INCTRL4 utility on a win98se PC.
    >> >Note that I installed it to a non-default folder. The key thing to note
    >> >is the line:
    >> >
    >> >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    >> >GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe
    >> >
    >> >This causes the patch to run on bootup (as intended).
    >> >
    >> >regards,
    >> >
    >> >Peter//
    >> >

    >>
    >> Does it need to run all the time, or is it a run once?
    >> So you're saying you have to change that line to how you have it or it
    >> won't work?

    >
    >
    >That line is a registry setting which loads the patch on every win98
    >boot. So it runs all the time that win98 is running.
    >
    >But if you want to stop it running do ALT + Ctrl + Del and cancel it.
    >But it uses absolutely minimal resources, so I leave it running all the
    >time.
    >
    >BTW no WMF exploit has yet been discovered for win98. But it's only
    >prudent to install this patch IMO.
    >

    Ah, that's what I like to hear :)
    Seems 9x is immune to most XP/2k exploits these days.
    Nice excuse for "progress" with them eh?! But, what do you expect from M$
    I guess.
    Makes me wonder why you don't hear of people "downgrading" more, or going
    to Linux or Mac more.

    So will the reg. line addition work for 95 too?
    I've got one running that. Dunno if I'll install it if it may slow it
    down, it's already slow enough, but I'd like to know in case any exploits
    become known.
    --
    _____________________________________________________
    For email response, or CC, please mailto:see.my.sig.4.addr(at)bigfoot.com.
    Yeah, it's really a real address :)
     
    , Jan 10, 2006
    #4
  5. Peter

    Peter Guest

    lid wrote:
    >
    > On Fri, 06 Jan 2006 10:44:45 +0000, Peter <"veryhjdf"@kk.zz$> spewed:
    > >> >Decided to install it. For the patch see:
    > >> >
    > >> >http://www.nod32.ch/en/download/tools.php
    > >> >
    > >> >Below is the realtime log generated by INCTRL4 utility on a win98se PC.
    > >> >Note that I installed it to a non-default folder. The key thing to note
    > >> >is the line:
    > >> >
    > >> >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    > >> >GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe
    > >> >
    > >> >This causes the patch to run on bootup (as intended).
    > >> >
    > >> >regards,
    > >> >
    > >> >Peter//
    > >> >
    > >>
    > >> Does it need to run all the time, or is it a run once?
    > >> So you're saying you have to change that line to how you have it or it
    > >> won't work?

    > >
    > >
    > >That line is a registry setting which loads the patch on every win98
    > >boot. So it runs all the time that win98 is running.
    > >
    > >But if you want to stop it running do ALT + Ctrl + Del and cancel it.
    > >But it uses absolutely minimal resources, so I leave it running all the
    > >time.
    > >
    > >BTW no WMF exploit has yet been discovered for win98. But it's only
    > >prudent to install this patch IMO.
    > >

    > Ah, that's what I like to hear :)
    > Seems 9x is immune to most XP/2k exploits these days.
    > Nice excuse for "progress" with them eh?! But, what do you expect from M$
    > I guess.
    > Makes me wonder why you don't hear of people "downgrading" more, or going
    > to Linux or Mac more.
    >
    > So will the reg. line addition work for 95 too?
    > I've got one running that. Dunno if I'll install it if it may slow it
    > down, it's already slow enough, but I'd like to know in case any exploits
    > become known.


    Newer OSes tend to have more remote networking capabilities. Hence, if
    programmers slip up, more remote networking hacks!

    Advice I follow is to stick with win98se for internet. Use XP only for
    offline work as necessary. Dual boot is pretty easy [Google on win dual
    boot] FYI on a test system without firewall: XP -- 45 seconds to infect
    (!!) 98se -- much longer (I've seen misconfigured firewalls on win98se
    PCs that were not infected after 3 months+)

    As for win95 and this patch: don't know for sure. But as the patch is
    easily uninstalled, why not give it a try?
     
    Peter, Jan 10, 2006
    #5
  6. Peter

    Guest

    On Tue, 10 Jan 2006 23:31:41 +0000, Peter <"veryhjdf"@kk.zz$> spewed:
    >> >> >Decided to install it. For the patch see:
    >> >> >
    >> >> >http://www.nod32.ch/en/download/tools.php
    >> >> >
    >> >> >Below is the realtime log generated by INCTRL4 utility on a win98se PC.
    >> >> >Note that I installed it to a non-default folder. The key thing to note
    >> >> >is the line:
    >> >> >
    >> >> >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    >> >> >GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe
    >> >> >
    >> >> >This causes the patch to run on bootup (as intended).
    >> >> >
    >> >> >regards,
    >> >> >
    >> >> >Peter//
    >> >> >
    >> >>
    >> >> Does it need to run all the time, or is it a run once?
    >> >> So you're saying you have to change that line to how you have it or it
    >> >> won't work?
    >> >
    >> >
    >> >That line is a registry setting which loads the patch on every win98
    >> >boot. So it runs all the time that win98 is running.
    >> >
    >> >But if you want to stop it running do ALT + Ctrl + Del and cancel it.
    >> >But it uses absolutely minimal resources, so I leave it running all the
    >> >time.
    >> >
    >> >BTW no WMF exploit has yet been discovered for win98. But it's only
    >> >prudent to install this patch IMO.
    >> >

    >> Ah, that's what I like to hear :)
    >> Seems 9x is immune to most XP/2k exploits these days.
    >> Nice excuse for "progress" with them eh?! But, what do you expect from M$
    >> I guess.
    >> Makes me wonder why you don't hear of people "downgrading" more, or going
    >> to Linux or Mac more.
    >>
    >> So will the reg. line addition work for 95 too?
    >> I've got one running that. Dunno if I'll install it if it may slow it
    >> down, it's already slow enough, but I'd like to know in case any exploits
    >> become known.

    >
    >Newer OSes tend to have more remote networking capabilities. Hence, if
    >programmers slip up, more remote networking hacks!
    >
    >Advice I follow is to stick with win98se for internet. Use XP only for
    >offline work as necessary. Dual boot is pretty easy [Google on win dual
    >boot] FYI on a test system without firewall: XP -- 45 seconds to infect
    >(!!) 98se -- much longer (I've seen misconfigured firewalls on win98se
    >PCs that were not infected after 3 months+)
    >

    Personal test, or one you saw? I remember hearing similar, like 2min,
    just outrageous! XP is just a disgrace. I shudder to think how bad the
    next version they'll inflict on the world will be.

    When I get multiputers up like I want, I think I will definitely be doing
    as you do, 98SE and XP only when necessary and offline.

    >As for win95 and this patch: don't know for sure. But as the patch is
    >easily uninstalled, why not give it a try?


    Laziness? heheheheh

    Oh, BTW, have you seen a d/l warning from the site at top saying "no
    security certificate" bla bla? I told my mother to install it (uses XP
    despite my advice, like the rest of the sheep ;) and she said that's what
    it gave. I didn't want to be responsible for telling her it was ok unless
    it was normal, and verified ok anyway.
    I don't pay a whole hell of a lot of attention to those, but you never
    know.

    --
    _____________________________________________________
    For email response, or CC, please mailto:see.my.sig.4.addr(at)bigfoot.com.
    Yeah, it's really a real address :)
     
    , Jan 21, 2006
    #6