WARNING: MAJOR NEW Windows VIRUS - NOT a hoax

I am no computer geek by any stretch of the imagination, but this is something that we ALL need to do for our computers to keep them as safe as possible until Microsoft releases a security patch. I'm going to try and keep this as short as possible, to help avoid confusion. Do check the links I've provided to satisfy yourself.

This vunerability is specifically related to WMF images files, but is not limited to those image files only. I won't go into all of the details. Reading all the links I've provided should help you understand more.

I first heard about this vunerability on the MSNBC website (12/30/05) and thought, "OK, MS will issue an update soon...." Yeah.RIGHT! {/snark}

Microsoft scrambles to fix 'severe' security flaw

Then last night a diary at Daily Kos was posted and has grown to over 270 comments, and I decided to act. Feel free to wade through it, but if you don't want to take the time right now, and just want the temporary fixes (until MS gets their act together) this is what you'll need to do:

1) You'll need to un-register a .dll file, then
2) Install a small patch provided by Ilfak Guilfanov (This patch will later be removed through your Windows Add/Remove Programs when MS issues their patch, and you'll more than likely need to register the dll again)

There are a few sites you can check for the seriousness of this MS flaw:
http://www.f-secure.com/weblog/
http://www.grc.com/sn/notes-020.htm
http://www.hexblog.com/2005/12/wmf_vuln.html

After pretty much reading everything, this is what I did for my computer (and my son's):

Click Start, then Run. In the dialog box type:
  
regsvr32 -u %windir%\system32\shimgvw.dll   Click OK

NEXT:

Download and install this 284kb patch from Ilfak Guilfanov (Direct Executable file):

http://www.hexblog.com/security/files/wmffix_hexblog13.exe



You can also download it directly from Ilfak's web blog:
http://www.hexblog.com/security/files/wmffix_hexblog13.exe

He also has a WMF vunerability checker that you can use either before or after you've made your fixes:
http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html

Bookmark any of these sites to keep abreast of on-going news.

Lastly, if you don't want to do anything now, at least stay away from unknown websites, no IM'ing or Windows Messaging with images (I don't use either), and for God's sake don't open or view unknown email with images in them.

Also, could you keep this kicked for awhile, so everyone gets a chance to see it? Posts drop so quickly in this forum. *sigh*

Thanks. I'm going to do my updates pronto.

:7

:thumbsup:

"messinging with images" etc. Don't most websites have images?

Here's what I get:

Account for domain hexblog.com has been suspended

Perhaps the fellow just got overwhelmed from anxious users????

In peace, and thanks...

Radio_Lady

where the file is available.

Steve Gibson's site is widely known and OK for those who are uncomfortable with lesser known sites. http://www.grc.com/sn/notes-020.htm

CastleCops is also legit and the author of the patch apparently is hanging out now there since his blog is down. They've set up a forum on the subject where he's one of the mods. See here: http://castlecops.com/f212-Hexblog.html

Didn't see your reply here, until after I posted mine (worthless as it is - LOL) further down.

Thanks for keeping on top of this.  :)

all you have to do is run the program written by Ilfak Guilfanov

:shrug:

So there you go, I guess.

However, I read that both actions should still be done, and if I can find where I read it, I'll post the link.

BTW, I only checked through recent posts to make sure this is not a duplicate. If this issue has already been addressed - then nebbermind.

switching to Linux. Try Mepis and leave the greasy kid stuff to the kids.

bit easier.

And the expertise to know when, where to get them, and how and where to apply them.

Not really a viable option anyway. If one has Windows already, and one has paid the hefty license fees, one is already committed. Besides, how many of these files are around anyway? I'll tell you. Almost none.

Much ado about nothing.

maintain. Linux used to be a chore for the user, but that has changed.

OSX is a BSD based OS, and patching is infrequent and easy. It's been over a month, maybe two months since there has been a need for an update. The last time I saw a problem with the Mac was an auto run worm with QuickTime 3. All you needed to do is turn off auto run. With Linux, I can't remember anything that was a serious concern. I was running Linux on a PPC platform, so if there was any problem with Linux, it was even less a concern on the PPC builds.

On Linux all I needed to do is hit the update button, click through a question or two, then sit back. Not any harder to deal with than Software Update on the Mac.

My Linux box (an iMac) is on loan to a friend. That was over a year ago and he hasn't had a lick of trouble.


BTW

Just heard that KDE 4 will run Dashboard Widgets.

Yeah if I ever want to do a few things and add that extra layer of obscurity I have a few rather rare architecture boxes lying around just for that purpose. I'm thinking of making a cellbe my next purchase if and when I have money to waste on CPUs again. That'll probably buy me 2 or three extra years of virus protection :-)

(And on EDIT: Debian-based distros -- definitely. Worry free cross-architecture maintenance. Can't beat it.)

Never liked RPM.

The Cellbe, isn't that a mobile phone?

Info here:

http://www-128.ibm.com/developerworks/power/cell/

And yes:

http://www.bsc.es/projects/deepcomputing/linuxoncell/cbexdev.html

When will someone build a cluster of Linux powered cellphones?

the NetBSD project has created a tool, like Debian's apt called pkgsrc.

It's easy enough to keep up to date i could teach my mom to do it :D

(the first step? stop fearing the command line.)

As long as we chirp up and say, hey ya know, you might just maybe want to take the plunge, we're one of those freaky opportunistic evangelical fringe Internet movements.

But when they actually get frustrated without being told about it, then they'll remember oh yeah, there's other OSes out there, maybe I'm sick of these monthly three hour virus cleaning sessions and not so horribly attached to my ability to make my icons into bouncy smilies.

I'll save my snobbery for use on them later when they pick a really bad distro. :-)

I won't Wine. I just... won't. No, no, 1000 times, no.

Not for games, anyway.

Your avatar says you want 'em to. ;)

I did - about a year and a half ago.

http://www.mozilla.com/

Download Firefox, people. It's soooooooo much better than IE. You can do much, much, much more with it, too.

Unless Avant's radically changed since I last used it, it's an IE shell which is still IE at its core. You're still essentially using IE. It's just got a different user interface with additional functions.

From Avant's FAQ:

"Is Avant Browser a secure browser?

Yes, Avant Browser is secure. Since it's based on Internet Explorer, Avant Browser is as secure as Internet Explorer." http://www.avantbrowser.com/faq.html

Have been using Firefox and Thunderbird (email client) for nearly a year. It's wonderful.

using Mozilla or a third party browser alone doesn't protect against all avenues of infection.

ZoneAlert is as well.

you'll need a third-party OS, not just a third party browser. Or apply the unofficial patch and hope it holds up until MS effectively addresses the problem.

Linux has just as many and often more bugs than Windows. It's the number of Windows installations that makes this news. Viruses of this scale would be a problem if Linux had 95% market share as well.

I don't want to confuse anyone in case my recollection of what I saw re: this virus is off. It's confusing enough out there without me helping! Just read stuff from reputable sites. I was working today so couldn't re-read stuff yet. Thanks.

is available. I have not read anywhere that the un-registering of the dll will cause the patch to fail, so if you have a link that specifically says that, could you post it?

My pc at home may be infected (it's disconnected and off, currently) and I'm curious. I'll take these steps regardless, of course.

Internet Storm Center that should help answer some of your questions:
http://isc.sans.org/diary.php?storyid=994

malware downloaded may not be particularly new in themselves, it's the method of exploiting the recently found vulnerability that is new. Think of it as a "dropper," a malware that once it gains entry to the OS drops other malware. Basically, the bad guys have found a new vehicle/method for getting malware into one's PC. (Hope that makes some sense.)

a leap of faith (it is after all DU) I ran the checker, came up positive, then downloaded and ran the hot patch.

Back on line after a restart. No problem. Only discernible result is it erases history (like Stimpy and his red button).

I'm running Windows XP 64 bit.

I'm assuming you're using Firefox? I just downloaded it last night, and need to get my learning curve started. *yuk* But all for a good reason, so gonna start the pill swallowing shortly.

Seriously. Even if you have no interest in switching permanently, you can install Firefox and run it until MS patches this hole. Firefox is still SLIGHTLY vulnerable to this bug, but at least it prompts you instead of just installing the spyware. When you hit a website that wants to install new software, just click NO and you'll never get infected.

MS will probably have a patch out in a few weeks, and there's no way of knowing how this do-it-yourself patch will affect the official patch when it's finally released. If the patch assumes that certin services are registered and you've unregistered them manually, it may simply fail to install. Worse, the odds are almost zero that the patch will re-register the DLL after patching, and you'll have to UNDO everything this do-it-yourself patch does after performing the system update.

Homebrew workarounds may solve the problem in the short term, but I recommend avoiding them as they tend to cause other problems down the road. Installing Firefox and simply avoiding IE for a few weeks is a much simpler, and safer, alternative.

In this instance, I don't believe the browser itself is the problem, from what I've been reading.

Not enough that I, a firefox user, am willing to trust that alone.

but emails, instant messaging, and thumbnail images in Windows Explorer.  At least that's my understanding.

But you're right - from what I've read FireFox is better, which is why I've decided to get off my butt and start to shake of the chains of IE.

My plan is (since I've already taken these two steps), and before I download the MS patch when it becomes available, is to:

1) Re-register the .dll
2) Uninstall Ilfak Guilfanov patch
3) Install the MS Windows patch

are not working this evening (if you're still around at all). I just PMed you about this. Thanks anyway.

Account for domain hexblog.com has been suspended

I'm not exactly sure what happened, or why. Could be that MS got pissed off, the note at the server is in error, or his bandwith may have been exceeded - or something else.

If it's a prolonged shutdown, then I suggest checking either http://www.f-secure.com/weblog or http://www.grc.com/sn/notes-020.htm for updates.

Also, I previously saved the patch to my harddrive, along with his vunerability checker.  If anyone wants the patch, and can't download it, PM me (along with your email address) and I'll be happy to send it to you.

Google desktop is vunerable to this. it is a windows problem, not a browser problem.

vulnerability which can also be exploited via email, downloading files from IM/IRC, etc. people should not think that changing browsers alone will be a sufficient remedy. I myself use Opera so I'm not trying to dissuade anyone from switching from IE to FF or another third party browser. But they should be aware using FF or Opera alone does not protect them from exploit of the OS via other methods. (Or if they are sloppy and accept a download via their browser. And the infected image may masquerade as a .jpg for example rather than a .wmf so simply filtering .wmf's may not help against exploit.)

Also, although it has been widely recommended, people should also know that unregistering the SHIMGVW.DLL does NOT provide absolute protection since the vulnerability is elsewhere in the OS and exploits out now do not need that .dll to run. Doesn't hurt to do it although it does impair some minor functionality in viewing graphics, and it is recommended as another temporary mitigating measure, but it's not an absolute cure since there are exploits that work around it.

For those who have hardware DEP available on their PC's with XP SP2, setting it to protect all programs does help as long as you do not use a viewer, third party like Irfanview or otherwise (MS), to view graphics. The Kaspersky folks found that even using Irfanview to view an infected graphic would defeat hardware DEP protection. Software only DEP is not an effective protective measure.

Also, running as a limited user does not appear to provide protection against this system exploit.

There are increasing variants of the initial exploit, so people should check on how their AnitVirus is doing in keeping up with them. (The average user likely at most will have an AV. Some at better at detection than others IMO but by now they all should be addressing this in some fashion. I've recommended BOClean antitrojan app as a user friendly set and forget program to augment one's use of an AV. Another poster recommended Processguard http://www.diamondcs.com.au/processguard/ which is a good app but I'm not sure how an average PC user would take to it. It's only for W2K, XP and W2003 systems.)

While I too share concerns about installing a patch (frankly even when it's from MS or a noted third party) without checking out the pros and cons, FWIW Steve Gibson, among others like SANS for example, recommends use of the unofficial patch as the best remedy currently available to address the OS vulnerability: http://www.grc.com/sn/notes-020.htm As noted, it should be removed prior to installing whatever patch MS eventually comes out with to prevent potential conflicts. As when downloading any patch, official or even official from MS, one should read up on it to see if there are any downsides or unintended consequences. Here's a thread at BBR's security forum on the unofficial hotfix: http://www.broadbandreports.com/forum/remark,15152503

At any rate, people should be aware that simply changing browsers alone and/or even unregistering SHIMGVW.DLL does not afford them sufficient protection against the various means of exploit to an essential MS OS vulnerability. If it were only that simple it would be great. Unfortunately, it's not that simple. I'd recommend using Firefox (or another member of the Mozilla/gecko family) or Opera rather than IE for a variety of reasons and general better security against browser exploits. But this is not simply a browser vulnerability, it's an OS vulnerability that changing browsers alone does not completely address.

That was a very nice, easily understandable summation!

:yourock:

having a good day, LOL.

It's been not easy for even tech folks (and I'm not a techie) to get a handle on, especially with new malware coming out to get around the various recommended security measures. So it's not a static situation. There's an underlying Windows OS vulnerabilty (that goes deeper than the shimgvw.dll) and until that open door is truly closed by MS some of the various recommended measures one sees are limited in their effectiveness against the growing numbers of malware that seek to exploit the underlying vulnerability.

It may be that the unofficial hotfix itself will need further revision as people refine their malware to try to defeat it. So for anyone who does apply it, it's probably best to keep an eye on the hotfix site as well as other security related sites to see the latest status.

and I appreciate your input.  :toast:

I'm also glad this has made it to the GP. At least now more DU'ers will see it, and be forewarned, even if they decide to do nothing.  Also, I won't have to keep babysitting this by kicking it.

see #119 for links to slide presentations that include commentary re Firefox and other browsers and where the ultimate vulnerability in Microsoft Windows OS is (gdi32.DLL).

http://news.zdnet.com/2100-1009_22-6011406.html



Keith’s Barbeque Central

At least that's what I interpreted from the MS page on this issue.

I'm using AVG anti-virus (which does daily updates) and I haven't even checked their site to see if they've addressed the issue. That's the next item on my to-do list.

You might want to visit McAfee and see what they say about it specifically. Do visit the links I've provided and check up on it yourself as well.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137760

They consider the threat LOW, and I imagine it's because not many people still use WMF files. HOWEVER, the problem that I see is that these WMF files masquerade as other image files with a .jpg or .gif extension, which the user feels comfortable with.

Having said that, at least McAfee is aware of it, and has updated it's definitions to include it, though I still don't think it's enough. Sometimes we have to do things for ourselves and be a little more proactive.

Another thing - I'm sure that Ilfak Guilfanov has a virus protection programs as well.  That he is still using his temporary fix anyway, says alot.

Also, here's what Steve Gibson-GRC says:

Not.

I love my Mac!

:kick:  to keep on main page today. If I begin to annoy you, let me know, and I'll stop.

Thanks for the how-to's and the what if's and whys!

is on top of this.

and I'm disappointed to say I didn't find any references to it on their:

Grisoft AVG Homepage or on their
Top Threats page

Sure doesn't make me feel real secure, or maybe I'm just not seeing it on their pages.

On Dec 30 AV-test.org ran tests for publication in a German online mag. Various AV's were tested against 73 variants of the exploit. Bear in mind it was a snapshot in time and since then there likely have been some improvements among AV's against those specific 73 variants originally tested, although no doubt there are now far more than 73 variants out in the wild. Dec 30 test results in English here: http://www.eweek.com/article2/0,1895,1907102,00.asp

German site with a Dec 31 update here: http://www.heise.de/newsticker/meldung/67848

Some AV's are just faster off the block in addressing new threats with their virus/malware signature definitions. And some AV's additionally are better at utilizing heuristic detection to address "zero day" exploits. Signature definition based protection is by nature reactive and after the fact. A good AV combines both good heuristics and quick development of signature definitions.

is looking to cover each occurence after-the-fact? So maybe some of the updates I'm getting cover some of what may be "out there", but apparently they're not catching as many exploits as some other vendors have done?

You don't need to answer that Garbo - I'm just sorta talkin' out loud.

Anyway, I wish AVG would address the issue on their website with some sort of statement. However, considering this is a free complete program I'm using, I guess beggars can't be choosers.

Anyone know if this browser is vulnerable? (I hope to buy a Mac as soon as I win the lottery) :7. Thanks,
dumpbush

issue per se. Netscape is part of the Mozilla family as is Firefox, Mozilla etc. See remarks above which address why just a nonIE browser in itself alone does not provide sufficient protection against the underlying OS vulnerability.

that they typically use for such tests but the commercial version

If it were only the free product, well that's one thing one might say. But the commercial product isn't qualitatively different from the free product in terms of detection, at least the last time I checked. I use the free AVG for my not often used laptops and I personally like the product, but bear in mind they're charging around $40 for the full product and the testing orgs typically test the commercial product, not the free version. Oy. For that kind of money, Grisoft should do better IMO, considering its competition.

There are many different mutations of the exploit code and AV manufacturers may not be able to keep up. I've installed the temporary work around fix from Ilfak Guilfanov just to be safe.

Right after I pay my PGE bill of $250 for last month (never mind the new one and the phone bill too), figure out who to rob this month to pay a bit on our uninsured medical bill, while we wait a week or so to start a new job we've contracted for. You know, stuff like that.  Then I'll be sure to get right on it.

I don't mean to be snarky, but sometimes we can't always buy what we know we need or should have, and need to make the best of what we do have.

I did the recommended actions, and ran the checker...seems ok so far. I checked for *.wmf files on my computer. The only ones I have are associated with microsoft office, and are 4 years+ old. I did not open any of them, so I'm not sure what they are. Is is safe to open these and look at them, or should they be deleted, or are they benign, or...????

Thanks!

Personally, I wouldn't open them, no matter how old they are, but that's just me. I'm sure they're OK though, considering they're that old. And if they're legit, serves no purpose to delete them. After all, they may be necessary for MS Office later.

Maybe Garbo can clarify better than I.

And it's not just graphics with the extention of .wmf, but could be masquerading as .jpg's or .gifs. Obviously you're not gonna want to delete any or all of your graphic files. If you know what the file is already, then there's no problem, otherwise just wait it out until MS comes through with their patch.

Do bookmark some of the websites mentioned in this thread, and visit them periodically until MS gets off the can - just so you know what's going on. And don't forget to keep your virus definitions up-to-date, on a daily basis, if possible.

for saving a bunch of us from major headaches w/ this!
And Happy New Year

and a VERY HAPPY NEW YEAR to you as well!

know what it is. I figure they're OK but I'm not particularly interested in poking them with a stick at the moment, LOL. MS Office apparently comes with a crapload of .wmf files. (I just searched on my XP box that has Office XP.)

Run Linux and you don't have to worry about them.

Running Linux boxes for over ten years. No viruses so far.

until the world catches up with Linux, and we all become informed users such as yourself and others, we'll just have to make do with what we have. Sometimes it doesn't pay to be in the majority.

'Course when Linux becomes THE OS of the majority, I may just decide to keep my Windows.  I'm sure there will be less viruses for me then.   :o)

...you'd be better off running a more obscure Linux/UNIX distro than running windows -- when the crackers finally turn all eyes towards Linux, they'll target the most popular distro, which will likely be the one that turns on every bell and whistle to woo users, with no regard for security. More deliberate and disciplined distros will likely be safe.

those who ARE running Windows now and want to know what to do now to try and protect their existing systems against this specific vulnerability.

I mean, Firefox RULES! Now PLEASE guys, make a program SO I CAN SHITCAN WINDOWS ALREADY!!!!!!!

Lu

You people and your cute "operating" systems!

Says the site uses "an outdated encryption method currently classified as insecure. It cannot sufficiently protect sensitive data." Speaking of "cute." This site apparently takes donations online?

and have bookmarked this thread.

On a minor gripe, and this isn't pointed at the OP, but at some of the responders - I dislike this Windows-bashing. I think, to be honest, a good deal of it is down to a sort of snobbery. The fact is that hackers and other malefactors don't target Microsoft - they target stupidity. Most viruses and so on are targeted at Microsoft because most computers run Microsoft operating systems, and the aim of most hackers is to cause a stir and make mischief. Changing your system to Opera or Linux from Windows may be relatively easy, but it requires a level of technical knowledge that is off-putting to casual home and office users. Ditto for browsers. And the reason windows is prefered for most office environments is precisely the thing that makes it a bit vulnerable - it's promiscuous.

If 90% of the world's computers ran Linux and Firefox, 95% of the world's viruses would be written for Linux and Firefox. The rarity of those programs is their best defence.

I've used a variety of systems, and spent a good chunk of my professional life working on a succession of lovely Macs, and I have to say that if given a choice I would happily choose XP Professional and Explorer. They are good programs - problematic, but good. Longhorn looks like it will be a disappointment, but meh. Expecting perfection in computers is foolish.

Microsoft's monopoly position is another matter - if you could choose OS when you bought your computer, and were properly informed about that choice, we'd see their market share drop dramatically. I would support that approach. But that's not solely Microsoft's fault - it's also the fault of the builders and retailers. (And the consumers, for that matter.)

(Isn't it odd how loyal people become to their OS? A real love/hate thing.)

opted for functionalities over security.

The fact is, the bad guys DO indeed target both Microsoft platforms and stupidity, and sometimes the "stupidity" is not just that of the users but also of MS. For example, I understand that MS has said that in future versions of Windows it will finally once again de-integrate IE from its OS (you know, what it told the Justice Dept years ago it simply couldn't do, which was pure bollocks then and now). Integration of IE with the OS was one of the worst things MS has ever done in terms of security. Which is one big reason why third-party browsers like Firefox and Opera have gotten a bigger user base in recent years. But unfortunately when it is not simply a browser vulnerability but an OS vulnerability, even third party browsers cannot provide adequate protection against exploit of the OS.

And while Linux isn't entirely without potential vulnerabilities (shock, horror) there are significant differences that do make it less subject to much of the crap we see with MS systems. It's not entirely simply a matter of obscurity and market share. (Linux is also used in many commercial internet servers for example, hardly a particularly obscure application of the OS.) Linux, not being dependent on proprietary hardware like Macs, is an increasingly viable option that merits a look for those who may be so inclined. (At one point I think I recall, WalMart---yeah, I know, the horror that is WalMart---was marketing Linux boxes for around $500.)

That said, this thread is to help those who currently have MS systems with a current issue. Telling people to buy a Mac or switch to another OS may be something for some to consider in the long term, but for right now in the immediate present that's not much help to users who may not be in a position to do so right now or even in the near future. And somehow I rather doubt the folks who glibly post these kinds of remarks, with or without the smirks, ho hums, and giggles, are doing so primarily in order to be "helpful."

(And btw, Opera is a browser, not an operating system. ;) )

I assumed "OP"era - operating system. D'oh! Thanks for doing your bit in teh war on teh stupid.

I found this thread jolly helpful, and it's nice to have a chat about the relative merits of different software. As I said earlier, most of my non-PC experience is on Macs, and I prefer XP to OS9. I found OS9 crashed more than XP, and worked more slowly. There are also a variety of ease-of-use issue I had with Macs that are a matter of taste and not worth boring you with - althought I'll say this, I far prefer the Ctrl key in the bottom corner rather than using an Apple command key by the spacebar.

Also, in terms of malware, I would have thought it would be better to attack off-the-shelf domestic PCs rather than commercial servers because it won't get picked up - you know, the whole "zombie machine" thing. But I don't really know what I'm going on about.

Anyway. Call me a stick-in-the-mud.

snobbery, which they'll deny, than make it so I never wish to try those OS's. Quite the opposite. I've never had a problem with my OS. If I were Mozilla, Firefox etc...I would try a heavy handed advertising approach to combat the damage done by their users. :hi:

It's all a metter of personal taste and requirements, so naturally people's opinions vary. I'm certain that there are many people out there using Windows who might prefer anoher system. But it's really nothing like as bad as some people make out - and the Macs I used weren't any better. I installed Firefox on my desktop to give it a try and didn't see any great benefit; in fact, I found it somewhat harder to use. But it is just a taste issue.

What's curious is how loyal people become to these systems. I think it's fascinating. (It affects Microsoft customers as well, so no one is safe ;) ) To me, the objectionable thing is the suggestion that you're a stupid drone or ill-informed because you use XP or whatever. (Not that that applies to anyone on this thread.) And the high expectations that people have. Most people happily put up with bad TV reception or other devices that glitch out on them, such as mobile phones, but expect more from computers. Maybe because they're more expensive. But they are far more complicated and thus more prone to errors. Hell, I can't even remember what make my TV is.

:hi:

I have Spybot and Ad-Aware (both in the free versions). If some malware does get dropped onto my computer, will either of those programs find it and remove it?

variety of payloads (malware) that may be dropped. I certainly wouldn't rely on them for that purpose. I haven't kept up on either product within the last couple years but neither are Antivirus or AntiTrojan programs.

I'd say you cannot and shouldn't rely on these apps as a substitute for a good antivirus program, if that's what you're trrying to do. Even Kaspersky (considered one of the primo AV's in the AV world with staff and expertise to support it) has had to do some doubletime quick work to deal with this exploit and its subsequent variants.

Ideally, the aim is to prevent the malware from getting onto your PC in the first place. A good AV most likely can do that. And consider applying the hotfix if it's suited for your particular Windows system. But cleanup of malware, once it's on and executed on one's PC is rarely a simple matter. That's something I'd leave to the experts and I seriously doubt either of the apps you mention qualify in either preventive or cleanup capacities when it comes to trojans, which essentially is what would likely be installed by the exploit. But I think both products still have support forums so you should check them out and determine that for yourself.

Message removed by moderator. Click here to review the message board rules.

I apologize for the inconvenience.

Skinner
DU Admin

I appreciate you're unlocking the thread.<p>

I missed your reply (darn!) and reconsideration. Would it be possible to add at least another hour on the Greatest page (so more people can see it)?

malicious site or "force" someone to open an email attachment they say.

Yet most common exploits rely on social engineering. Phishing emails don't tell folks up front, we're crooks and if you click on this link and we'll take you to a bogus site and trick you into giving us your CC info. Phishing works, despite warnings to be wary. People continue to open email attachments. Or click links in email that could take one to a "malicious site." Think of the usual vectors for infection, IM chat, file sharing, etc. Yes, following good security practices is always recommended. But how many of the millions and millions of users do?

But unfortunately the possible means of exploit can be less obvious than an email that says "to see hot babes in action click here."

From SANS WMF FAQ:

"Is it sufficient to tell my users not to visit untrusted web sites?
No. It helps, but its likely not sufficient. We had at least one widely trusted web site (knoppix-std.org) which was compromissed. As part of the compromise, a frame was added to the site redirecting users to a corrupt WMF file. "Tursted" sites have been used like this in the past." http://isc.sans.org/diary.php?storyid=994

Ever been to a website that's been "owned" and defaced? I recall once when some of Microsoft's servers were hacked. (Apparently they'd hadn't gotten around to installing their own patches, IIRC.) It was a hoot, MS was embarassed, but it was also an illustration: "trusted" sites on occasion may not be clean. There are other possibilities.

What concerns some security folks is that a site (in the interest of research they say) posted basically a "how to" on exploiting the MS vulnerability. So basically even not particularly skilled kiddies could help themselves.

Ironically, MS issued a patch for a .WMF vulnerability in November. Obviously it didn't really do the job. And MS of course does not encourage folks to use a publicly scrutinized third-party patch even if it appears to work, unlike the patch MS issued in November. But not to worry, MS is on the case and will issue a patch next week. They'll get it right this time. They say.

From the link that tiptoe provided above (here again):
http://www.msnbc.msn.com/id/10684853



Well gee, no kidding!  But in the meantime, we can't even use a *wood* shield before the *official* one arrives?

We're supposed be left defenseless until MS deigns to release a patch with their "regular" updates in a week? And that, they say, is if the damn thing works!



I'll bet.

FIFTY SIX security patches for Windows XP Pro SP2.
FIFTY SIX! 56 Five-six

How do I know thia? Because MS is too stupid to offer a cumulative patch, and since something is fucked up with my registry on one of computers at work (MINE DAMMIT)that gives me an uncorrectable error on the update site which I have been working with MS for 3 WEEKS EVERY DAY NOW to correct, and have no hope to, I know the fix count.

Solution? Clean load (always MS's final answer) or DL each fix. I do not have time to reinstall every damn piece of software I have, some of it is legacy and cannot be reinstalled...etc etc. I can batch the DL's for the fixes, but DAMN, MS makes it difficult to have a normal work life.


And no, we cannot migrate to Mac OS, as much I would like to, so no shaming me there.

:wtf:

Frankly, that bugs me more than their stupid data-segment execution hole.

What intelligence sources? Who and what are they? What are their capabilities? What data are they collecting? Are they responsible to any legal oversight? Are they affilliated with the federal government? Do they share data with the federal government?

If these sources are so damned intelligent, maybe they should be put to work writing solid software instead of surveilling their user base.

http://news.zdnet.co.uk/internet/security/0,39020375,39245447,00.htm

"Mikko Hypponen, director of antivirus research at F-Secure, said that he believes corporations can trust the unofficial patch, developed by security software developer Ilfak Guilfanov.

"This is a very unusual situation — we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly sucessful," said Hypponen.

The Internet Storm Center admitted that many businesses would be very reluctant to deploy an unofficial patch on their systems, but insisted that such drastic action is needed.

"We've received many emails from people saying that no-one in a corporate environment will find using an unofficial patch acceptable," said Tom Liston of the Internet Storm Center, in his blog. "Acceptable or not, folks, you have to trust someone in this situation."

and quote. It will go a long way to ease the apprehension of users.

Virus take advantage vulnerabilitys or social engineering.

Having said that, Im sure that a Virus's have already been written to take advantage of this bug/vulnerability.

When they actually start showing up/spreading is the question (and whether or not you get patched before then!)

Other than my moderate nit, good info and thanks for sharing.

but I can't edit the post now.

OTOH, the word 'Virus' does seem to attract more viewers than the word "Vunerability" - besides 'Virus' is shorter.  :)

BTW, the exploits have already started showing up.

I am a computer professional so please please please...

The WMF flaw is real but PLEASE FOLKS, don't take fixing instructions directly from the DU website.

Use the Microsoft website, or Symantec website, or McAfee or one of the well known and respected AV/ASW websites. Go directly THERE and follow the instructions AS WRITTEN THERE.

I'm highly suspicious when I see stuff like this on a non computer website like DU:

"Download and install this 284kb patch from Ilfak Guilfanov (Direct Executable file):

http://www.hexblog.com/security/files/wmffix_hexblog13....

You can also download it directly from Ilfak's web blog:
http://www.hexblog.com/security/files/wmffix_hexblog13....

He also has a WMF vunerability checker that you can use either before or after you've made your fixes:
http://www.hexblog.com/2006/01/wmf_vulnerability_checke... "

I mean I've never heard of Guilfanov.. sorry but this is often the way VIRUS's get INSTALLED - not REMOVED. It's called a social engineering attack.

Doug D.
Orlando, FL

provided in my post, or throughout the thread? Did you even read any of the posts, besides mine?

Obviously you don't know me from jack, but believe me when I say I'd hardly be posting links that would put anyone at risk.  I also said that readers didn't have to do anything if they didn't want to.

At the very least Microsoft itself has, at the minimum, suggested the unregistering of the .dll

Click on the Suggested Actions Link:
http://www.microsoft.com/technet/security/advisory/912840.mspx

Do some more research, and then tell me I'm wrong to put out the heads-up and a workaround.

Terre:

I just think it's bad practice to get people in the habit of taking their fixes from unofficial sites like this and it will lead to more social engineering attacks than it cures.

I get e-week and I know the WMF problem is real. I just never heard of our Russian friend before and I'm pretty leery of going to strange websites for software patches. If e-week tells me to visit our Russian friend, then I'll do it.

Call me a software conservative..

Democratically Yours,

Doug D.
Orlando, FL

and I hear where you're coming from. Actually, I don't completely disagree with you - up to a point.

However, I know you haven't followed through by checking out any of the information provided by the links (and not just mine). Sometimes you have to do your own research, and not depend on others to tell you what is right, and what is not - what to do, what not to do.  Sorta sounds like what we keep telling the wingnuts to do, doesn't it?

Anyway, to get you started, here's a Google research page regarding Ilfak Guilfanov:
http://www.google.com/search?hl=en&q=Ilfak+Guilfanov&btnG=Google+Search

If you have any respect for F-Secure check the related post here:
http://www.f-secure.com/weblog/archives/archive-122005.html#00000756

Or if you know of, and respect Steve Gibson, do check his GRC site:
http://www.grc.com/sn/notes-020.htm

PEACE  :hippie:

I would still say that it would be good to refer people to well known sites however rather than try to give tech support here at DU. I will go and read it shortly.

Thanks,

Doug D.

(note: this blog is dated 12/31 and refers to an early version of the patch.)

Independent Patch For WMF Bug

I AM NOT RECOMMENDING THAT ANYONE ACTUALLY APPLY THIS PATCH (should I do that, I might feel responsible in some way), but this is interesting stuff:

Ilfak Guilfanov in his hexblog has released a patch that blocks the code sequence used by the the WMF exploit. It's a facinating approach; it's a DLL that gets injected into all processes which load USER32.DLL, and patches the Escape() function in GDI32.DLL. As a result, the exploit's use of the SETABORT escape sequence doen't work anymore. It only works for Windows XP SP2 and XP 64-bit. Of course, there may be legitimate uses of the SETABORT escape sequence, so they would be busted too.

If I wrote such a patch you'd be totally nuts to install it, but I'm no Ilfak Guilfanov. As F-Secure notes in their writeup on the patch, "He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world."

Ilfak also recommends that once a real patch is available from Microsoft you should uninstall this one and install theirs.
posted @ 10:40 PM | Feedback (2) http://blog.ziffdavis.com/seltzer/archive/2005/12/31/39650.aspx#FeedBack
-----------------

Apparently others have heard of Guilfanov, even if you haven't.

They're familiar with Guilfanov's work and have vetted the patch he authored. Or IDA Pro? (another of his works: http://www.datarescue.com/idabase/ )

Check the info available at SANS, links above. And at F-Secure: http://www.f-secure.com/weblog/archives/archive-122005.html#00000756

and I'm not even half as knowledgeable as you are!  Every little bit helps I suppose.  LOL

Thanks again for your help and support.  Hopefully, not many people will be affected during the upcoming week, and that's assuming MS tests it's patch to their satisfaction.  That they're leaving users to fend for themselves for the next week, is frankly, despicable.

publically scrutinized (by security professionals) bits of software out there at present. It's from a known reputable source (at least he's known to some IT professionals, that is).

Now I understand that folks are leery, but they should check out who's vouching for it, whether there are reports of any ensuing problems, and then make their own decisions. Now of course MS doesn't vouch for the patch. But recall that MS' previously issued proprietary patch in November, no doubt downloaded and installed by most without question, proved to be ineffective.

I was just on another board where a poster who previously had been adamant that he would not install the third-party patch because it wasn't blessed by MS today announced that he'd gotten a "leaked" version of the official MS patch and posted the damn thing telling folks to download it 'cause it was the "real deal." Don't know where he got whatever it was he had and I bet he didn't have the skills with which to examine it either or even tried to. Idiot. Now THAT's social engineering. Fortunately the board's mods removed it quickly.

But the vulnerability is real and time is in part the issue: how many people have adequate AV protection and relatively safe computing habits and how quickly are exploits propagating in ways that people, cautious or otherwise, might have their PC's infected? People shouldn't panic, but they should be aware and make informed choices about what they choose to do to protect their systems before the official MS patch is issued. Hopefully threads like this provide the kind of info for folks to do just that. :)

But you make a good point. I too hesitated and am going to wait this one out.

GRC mirror:
http://www.grc.com/sn/notes-020.htm

The author of the patch is also posting in a forum here and there is a mirror link at the top:
http://castlecops.com/f212-Hexblog.html

A discussion about the patch can be found at DSLreports:

http://www.dslreports.com/forum/remark,15152503

Normally I would never install an unofficial patch. However since there is no workaround and this one is verified by every tech person/group that is legit and trustworthy, I went ahead and installed it.

I just feel that this issue is too important to wait until an official fix. Simply unregistering the dll doesn't protect you. YMMV

WMF FAQ (Courtesy from SANS - Internet Storm Center)
Take your pick:

Links at site:
http://computerworld.co.nz/news.nsf/PrintDoc/B4714903757E6CBECC2570EB001286D4

WMF flaw can't wait for Microsoft fix, researchers say
By Peter Sayer, Paris | Wednesday, 4 January, 2006

Users of the Windows OS should install an unofficial security patch now, without waiting for Microsoft to make its move, advise security researchers at The SANS Institute's Internet Storm Center (ISC). Their recommendation follows a new wave of attacks on a flaw in the way versions of Windows from 98 through XP handle malicious files in the WMF (Windows Metafile) format. One such attack arrives in an email message entitled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, security research companies including iDefense and F-Secure say. Even though the file is labelled as a JPEG, Windows recognises the content as a WMF and attempts to execute the code it contains.

Microsoft advised on 28 December that to exploit a WMF vulnerability by email, "customers would have to be persuaded to click on a link within a malicious email or open an attachment that exploited the vulnerability."

However, simply viewing the folder that contains the affected file, or even allowing the file to be indexed by desktop search utilities such as the Google Desktop, can trigger its payload, F-Secure's Chief Research Officer Mikko Hypponen writes in the company's blog. In addition, source code for a new exploit was widely available on the internet by Saturday, allowing the creation of new attacks with varied payloads.The file "HappyNewYear.jpg," for example, attempts to download the Bifrose backdoor, researchers say.

(snip)

Alarmed by the magnitude of the threat, staff at the ISC worked over the weekend to validate and improve an unofficial patch developed by Ilfak Guilfanov to fix the WMF problem, according to an entry in the Handler's Diary, a running commentary on major IT security problems on the ISC web site. "We have very carefully scrutinised this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective," Tom Liston writes in the diary. "You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," Liston writes.

1) do we re-register shimgvw.dll before downloading MS's patch?

2) do we deinstall the wmffix_hexblog14.exe before downloading it?

edited to add link to MS's patch page
http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx

edited, also, to add info from hexblog.com

"I urge everyone to download and install the official patch.
You do not need my hotfix anymore.
If you have previously installed it, please uninstall it now.
It can be uninstalled before or after applying the official patch
from the Add/Remove Programs window. "

Castlecop's admin said that the .dll can do it post-patch.

So, I've found answers to my questions.

Most of All:

Many thanks to DUers for all the information.