Rootkit.TmpHider

Thanks. I didn’t test the “double clicking” aspect of it (I’ll try that later). As I said, the original exploit doesn’t use the method of “double clicking” - you merely have to browse the malware files.

I might have to give a step-by-step guide as to how to test this exploit, as it’s not straightforward. Furthermore, people have reported it doesn’t work, and I’m fairly sure it’s because they haven’t tested it properly.

I am not so worried about this exploit; it will be fixed by MS, or even now by the measures described above. What worries me more is that signed malware…
I have two validly digitally signed malware samples, droppers precisely. The first signer is some Chinese company and the second is Lavalys, which is on the default trusted list in CIS. Fortunately both are detected by CIS AV, but for the second one, if AV is disabled, there is absolutely no prompt from CIS on execution…

Here, VT links:
http://www.virustotal.com/analisis/aaf6176c09fba22b5bcc2e363868c4bf5e175cdc4efcfa076fe7b0286a949526-1278112389

http://www.virustotal.com/analisis/24daebc0668c9392fadcd2c7cbf88e8be565141e5ef681108c96fdc3c66f2430-1278908293

I’m not sure, but exploits like this (maybe not quite as interesting haha) happen just about every day, I thought? And sometimes it’s nice to know that your personal setup can block it, even though you’re probably never going to come across it!

I’m sure people would appreciate this, or you can just tell me, because for some reason it is not working on my system. All I get is an error.

Here you go:

You need http://live.sysinternals.com/Dbgview.exe to see the exploit

http://www.wilderssecurity.com/attachment.php?attachmentid=220072&d=1279524860

Got it, the problem was I was not placing the files in the C: folder.

Yes, I made the same mistake initially, hence why it took me a couple of days to get testing haha.

And the result? CIS 5 passed?

I can’t say at this point in time, hope you understand. :-X

A stupid solution, as the malware needs to hit the C: partition: install your OS under any other letter (only Win9x denies such an option).

That would only prevent this specific POC from working. I’d imagine it would be easy to configure the POC (or malware) to run off any drive letter.

Oh! Yeah, please do not worry!

Sure, “they” will eventually… hehe! :smiley: fix this & that. They just recently confirmed another security hole, which was 17 years old (!!!)… hope you know about that one?
& Comodo will fix this & that, app by app, with its sandbox

…anyway , who cares?!

As the Genius said: “The Torture Never Stops”. Oh Gd!! Rest His Soul In Peace!!! We will never have anyone like him ever (!!!), even though I am not a religious person by any means!!!

…listen to the real music & have fun with the new strain of malware :wink:

Cheers!

And it is not so old…
P.S. Thanks for the Frank Zappa video :-TU

That’s a PDF exploit.

But it uses the mentioned technique for propagation. Here is the Windows feature ;D which is used for exploitation: Creating Column Handlers - Win32 apps | Microsoft Learn

As observed, simply browsing the 2 POC files is not enough to make DbgView report anything, and you have to either right-click or left-click, reducing the threat somewhat, notably in the second case (why would one want to do that?)

I have added .lnk and .tmp files to the Defense+ protected files list.

There are two ways to stop the malware (XP Pro, CIS v3, Proactive, firewall Custom, Defense+ Paranoid).

The first one is “generic” and not very realistic: you have to know, before being attacked by the malware, that depending on whether you right-click or left-click the suckme file, it will be loaded either by explorer or by rundll32, and you have of course no way to know that. Next time, other executables might be involved if the malware doesn’t involve a specific DLL.
If you set explorer and rundll32 in Defense+ to ask for everything, you of course shall be warned of everything happening, including the malware loading.
But you shall have so many alerts that you might not see the “good one”, and it is moreover very uncomfortable.

Another way is quite as uncomfortable, at least temporarily, as it won’t ask about any “normal” thing anymore once the learning process is complete.
It is enough to set image execution in Defense+ to aggressive.
In these conditions, left- or right-clicking the suckme thing clearly warns you that rundll32 or explorer wants to execute dll.dll, and even before the end of the learning process you have no reason to allow a DLL with such a dubious name.
Note that either right- or left-clicking the dll.dll file of the POC doesn’t report anything (and of course, any left click is intercepted by the system, complaining it does not know how to open a DLL file).

The flip side is of course that it is very tedious and requires a very good knowledge of normal Windows processes.
As examples, in these conditions you need to allow 6 or 7 permissions to run DbgView, more than 10 to run a randomly chosen link (Registrar Lite), or 15 to reach this forum from Firefox.

True, and since it’s a windows “feature”, Microsoft will have a hard time “patching” it. I wonder if the attackers read Didier Stevens’ blog to help them create their malware haha.

That’s not what I found. From my testing in a freshly installed Windows XP, all you need to do is browse the 2 POC files. Are you sure you are testing it properly?

I made the test another time and obtained the same results.

Either you clicked instead of browsing by some inadvertence, or some of my settings kept the mechanism from occurring, but nothing extraordinary: I don’t think CIS settings are involved (and there’s no reaction whatsoever from only browsing), and XP SP3 Pro is standard except for some services and built-in software disabled either manually or with XPLite.