IMPORTANT: WMF Vulnerability Exploited

Heeter

http://www.theinquirer.net/?article=28590

Aaargh! Updated No fix for Windows XP SP2

By INQUIRER staff: Wednesday 28 December 2005, 12:11
F-SECURE, Bugtraq and a number of other security aware outfits have warned of a zero day vulnerability that's being actively exploited as we write.

Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet.

A number of trojans are being distributed using the vulnerability, related to Windows' image rendering..............................

Heeter
 
Re: Windows zero day nightmare exploited

Workaround until the patch is released:

According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click OK when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
 
Re: Windows zero day nightmare exploited

Yeah, this is an ugly one. Already seeing people who are getting infected by it.
 
Re: Windows zero day nightmare exploited

Someone should create a trojan that just does this command....

regsvr32 /u shimgvw.dll :)
 
Re: Windows zero day nightmare exploited

An anti-trojan trojan. I like it. :D
 
Re: Windows zero day nightmare exploited

Wouldn't be the first time.
 
Re: Windows zero day nightmare exploited

 
Re: Windows zero day nightmare exploited

A bit scary, that as of yesterday there were already 50 variants :(
 
Re: Windows zero day nightmare exploited

:bandit: this is more scary
/BOOT!
 
Re: Windows zero day nightmare exploited

kcnychief said:
A bit scary, that as of yesterday there were already 50 variants :(
That number seems to be going up rather quickly. 73 variants have been identified as of today.

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster

These products detected fewer variants:

* 62 — eTrust-VET
* 62 — QuickHeal
* 61 — AntiVir
* 61 — Dr Web
* 61 — Kaspersky
* 60 — AVG
* 19 — Command
* 19 — F-Prot
* 11 — Ewido
* 7 — eSafe
* 7 — eTrust-INO
* 6 — Ikarus
* 6 — VBA32
* 0 — Norman

The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.
http://www.eweek.com/article2/0,1895,1907102,00.asp
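As an added example (not from the thread, and not any listed vendor's code), the following Python scanner implements the kind of heuristic the post describes: instead of matching a byte pattern of one variant, it parses the WMF record stream per the MS-WMF layout and flags the record the December 2005 exploits relied on, a META_ESCAPE record whose sub-function is SETABORTPROC, while also reporting structurally malformed files rather than skipping them. The record and escape constants come from the WMF specification; the sample files are constructed fixtures with no payload.

```python
import struct

META_EOF, META_ESCAPE = 0x0000, 0x0626   # WMF record function numbers (MS-WMF)
SETABORTPROC = 0x0009                    # escape sub-function the 2005 exploits abused
PLACEABLE_KEY = 0x9AC6CDD7               # optional 22-byte Aldus placeable header marker

def iter_records(data):
    # Yield (offset, function, params) per record; raise ValueError on malformed structure.
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated header")
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        if size_words < 3:
            raise ValueError("record size below minimum at offset %d" % off)
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("record overruns file at offset %d" % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("missing META_EOF")

def scan_wmf(data):
    # Return findings (empty list = nothing suspicious); malformed files are reported, not skipped.
    findings = []
    try:
        for off, func, params in iter_records(data):
            if func == META_ESCAPE and len(params) >= 4:
                escape_function = struct.unpack_from("<H", params, 0)[0]
                if escape_function == SETABORTPROC:
                    findings.append("META_ESCAPE/SETABORTPROC at offset %d" % off)
    except ValueError as err:
        findings.append("malformed: " + err.args[0])
    return findings

def build_wmf(records, placeable=False):
    # Constructed test fixture: 18-byte header plus the given (function, params) records.
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    prefix = struct.pack("<I", PLACEABLE_KEY) + bytes(18) if placeable else b""
    return prefix + header + body

BENIGN = build_wmf([(META_EOF, b"")])
SUSPICIOUS = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)), (META_EOF, b"")])
```

To check real files, pass `open(path, "rb").read()` to `scan_wmf`; any non-empty result is worth quarantining for a closer look.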
 
Re: Windows zero day nightmare exploited

So now I know what my website was trying to do.
It was redirecting me to a WMF file...

I'm a little freaked out... I hope the fallout isn't too severe... The site I run is a recreational soccer site... Since it's the offseason, I don't imagine there being more than a handful affected.

thanks for the updates guys
 
Re: Windows zero day nightmare exploited

This one is a pest to remove. I just cleaned it off of 4 PCs at my cousins', who have refused/neglected to use Firefox in the past. Now IE is set to HIGH security, and Firefox is their default browser. No choice this time.
 
Re: Windows zero day nightmare exploited

Kr0m said:
My processor doesn't support it. :suprised:
Athlon64s and Intels with EM64T only.
 
Re: Windows zero day nightmare exploited

Temporary Fix Until MS comes out with a patch:

Only applies to any WinXP32/64bit, not tested on any other OS.

Read about it here

And Here

Download


J79ZLR, I think the problem lies within Windows; it's not a situation that Firefox can avoid.

Heeter
 
Re: Windows zero day nightmare exploited

I just turned on NX.

Too bad that the ones at work don't have it, save one. But there is no one there that will be browsing the web till Tuesday. And they all have AV, and I will be adding the sites and ports to the reject connection list.

But think about all the soccer moms and dads who don't have a thing but the expired McAfee trial and maybe Windows Firewall. High speed connections, and no protection. Let's take off our hats in a moment of silence for them.
 
Re: Windows zero day nightmare exploited

Heeter said:
Temporary Fix Until MS comes out with a patch:

Only applies to any WinXP32/64bit, not tested on any other OS.

Read about it here

And Here

Download


J79ZLR, I think the problem lies within Windows; it's not a situation that Firefox can avoid.

Heeter

Firefox 1.5 does NOT open WMF files by default without interaction. IE does and so does Opera. Of course you need to unregister that dll for now until MS decides that this problem is actually worthy of a fix.
 
