AntiRealityHero
12-29-2005, 05:35 AM
There is a major exploit travelling across the Internet that can potentially infect ANYONE running versions of Windows 2003 or Windows XP Home/Professional.
Edit: According to an online source, ALL 32-bit versions of Windows are vulnerable. That's Windows 95 to Windows XP.
Description:
A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.
NOTE: Exploit code is publicly available. This is being exploited in the wild.
The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.
In Internet Explorer, the exploit is immediately triggered upon loading an infected webpage. If you think you're safe running Firefox or Opera instead of Internet Explorer, you're not (only less likely to trigger it), as these files can be downloaded to your cache and run from your temporary files.
Read on for some ways to protect yourself. Note that the bolded suggestion should be the only necessary precaution needed. However, if you suspect that you have already been infected, continue to the other tips.
For this WMF exploit: Until Microsoft patches this thing or your AV provider has updated its defs, here are some workarounds. They will reduce your chances of getting infected, but they will not eliminate them.
1.
1) Click on the Start button on the taskbar.
2) Click on Run...
3) Type "regsvr32 /u shimgvw.dll" to disable.
4) Click ok when the change dialog appears.
This effectively disables your ability to view images using the Windows picture and fax viewer via IE. However, it is not the most elegant fix. You’re probably going to have all kinds of problems viewing images.
But, no biggie: Once the exploit is patched, you can simply do "regsvr32 shimgvw.dll" to bring back the functionality.
And, it is a preventative measure. If you are already infected, it will not help.
2. Scan your computer - *There are some reports that this program caused Windows to freeze. Install at your own discretion* NOD32 Trial Version (http://www.eset.com/download/trial.htm) (update definitions right away after installing - they auto-update but you want to be sure you have the latest)
Even if you think you are safe, scan your Windows computer anyway. ClamWin appears to catch this, but it doesn't have a realtime scanner. SAV Corporate 10.2 does not catch it (yet) and Symantec's own site says that it never may due to something about how the virus works. AVG, McAfee, Trend are unknowns at this point. NOD32 has been tested and its AMON on-access scanner stopped the image as soon as it was saved to the cache.
3. Change file associations for WMF files.
An equally ugly fix (but perhaps preferable) is to do the following:
1) Go to My documents, Tools, Folder Options, File Types.
2) Change WMF Image to notepad and select Always Open with this.
Your WMF files will open in Notepad. Ugly, but it is a fix.
4. Run IESPYAD.
IESpyad is a free tool that puts block lists into IE’s restricted sites zone. It’s managed by Eric Howes, who works as a consultant for Sunbelt. We regularly update him with the latest URLs. Click here (https://netfiles.uiuc.edu/ehowes/www/main.htm).
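The post's point about browser caches is that a WMF file does not have to be called ".wmf" to be one: whatever name the web server gave it, the bytes in your Temporary Internet Files are what the image handler parses. The following is an added example (not from the original poster or any tool named above) of a content-based check a defender can run over a cache folder: it recognises WMF files by their header rather than their extension, and flags any that carry META_ESCAPE records, the GDI printer-driver pass-through record type that an ordinary picture has no business containing. The sample files it writes are constructed here for the demo; the record layouts and constants are from the published WMF format, and the escape code 8 used in the sample is an arbitrary real code chosen only to exercise the detector.

```python
"""Content-based WMF finder for cache directories (added example, not the post's code)."""
import os
import struct
import tempfile

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"   # placeable-WMF key 0x9AC6CDD7, little-endian
PLACEABLE_HEADER_LEN = 22               # key + handle + bbox + inch + reserved + checksum
META_HEADER_LEN = 18                    # standard META_HEADER (9 words)
META_EOF = 0x0000
META_ESCAPE = 0x0626                    # printer-driver escape pass-through record
META_SETBKMODE = 0x0102                 # an ordinary drawing record, used in the benign sample


def strip_placeable(data):
    """Drop the optional 22-byte placeable header so both WMF flavours parse alike."""
    return data[PLACEABLE_HEADER_LEN:] if data[:4] == PLACEABLE_MAGIC else data


def is_wmf(data):
    """Recognise a WMF by its header fields, ignoring whatever extension the file has."""
    body = strip_placeable(data)
    if len(body) < META_HEADER_LEN:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", body, 0)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def escape_records(data):
    """Walk the record list and return the escape function codes of META_ESCAPE records."""
    body = strip_placeable(data)
    offset = META_HEADER_LEN
    codes = []
    while offset + 6 <= len(body):
        size_words, function = struct.unpack_from("<IH", body, offset)
        if function == META_EOF or size_words < 3:   # end of file, or malformed size
            break
        if function == META_ESCAPE and offset + 8 <= len(body):
            codes.append(struct.unpack_from("<H", body, offset + 6)[0])
        offset += size_words * 2                      # record size is given in words
    return codes


def classify(data):
    if not is_wmf(data):
        return "not-wmf"
    return "wmf-with-escape" if escape_records(data) else "wmf"


def scan_directory(path):
    """Return {path: verdict} for every file whose content (not name) is a WMF."""
    verdicts = {}
    for root, _, names in os.walk(path):
        for name in names:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                verdict = classify(fh.read(1 << 20))  # headers live in the first MiB
            if verdict != "not-wmf":
                verdicts[full] = verdict
    return verdicts


def build_wmf(records):
    """Constructed sample builder: standard header + records + META_EOF."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    total_words = (META_HEADER_LEN + len(body)) // 2
    max_words = max([len(r) // 2 for r in records] + [3])
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_words, 0)
    return header + body


# Constructed samples for the demo (not real captures).
BENIGN_WMF = build_wmf([struct.pack("<IHH", 4, META_SETBKMODE, 1)])
PLACEABLE_WMF = PLACEABLE_MAGIC + bytes(PLACEABLE_HEADER_LEN - 4) + BENIGN_WMF
SUSPICIOUS_WMF = build_wmf([struct.pack("<IHHH", 5, META_ESCAPE, 8, 0)])  # escape, no payload
NOT_WMF = b"GIF89a" + bytes(20)


def demo():
    """Write the samples under misleading names into a temp dir and scan it by content."""
    samples = {"cached.gif": BENIGN_WMF, "placeable.bin": PLACEABLE_WMF,
               "banner.jpg": SUSPICIOUS_WMF, "real.txt": NOT_WMF}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        found = scan_directory(tmp)
    return {os.path.basename(p): v for p, v in found.items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name}: {verdict}")
```

Point it at a cache folder with `scan_directory(path)`; anything reported as "wmf-with-escape" is worth pulling for a closer look, and any WMF hiding behind a .gif or .jpg name is itself a signal, since the poster's note that these files run from your temporary files is exactly why an extension-only check is not enough.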