The Digital Rag
Real World Information in a Virtual World
Tuesday, February 07 2012 @ 01:34 PM PST

Happy New Year - another worm

Newsletter Postings. Updated Jan 4, 15:30
As I've written before - be very wary of opening or viewing images sent as Christmas, New Years, Birthday or other greetings.

There is another new exploit out there now that shows up as only an image file - and doesn't even need to have the ".jpg" or ".bmp" or other normal file extension on it to propagate if you are running Windows XP - so you can't even tell by the name of the file!
I've been watching the evolution of the latest (dubbed WMF) exploit of Windows for the past week but have not had a chance to write about it until now. The exploit is one that affects any access to image files (Windows Media File or WMF) of any kind. It hinges on one or more of the library programs in the operating system (DLLs) that deal with images for virtually every facility on the computer.

The suspect programs (so far) are:
  • shimgvw.dll
  • gdi32.dll
These programs are used by Internet Explorer, Word, Excel, and other "integrated" tools, including the file manager when, for example, it creates a "thumbnail" image for display in the file manager.

They also handle images for many add-on programs, specifically things like MSN's IM (Internet Messaging), where there is a report of a file being passed around (Xmas-2006 FUNNY.jpg) that links to an HTML page with a malicious WMF file. That file installs a Trojan and a Backdoor program which turns your machine into a zombie (BOT) for sending out all manner of nasty stuff to others.
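The point above is that the file name tells you nothing: a WMF (Windows Metafile) can arrive as "something.jpg". The check a defender wants is therefore on the file's content, not its extension. The script below is an added example, not code from the original post; it reads the first bytes of each file and reports what the signature says it is, flagging WMF content under any name and names whose extension promises a different format than the bytes deliver. It assumes PowerShell 2.0 or later; the folder path and the sample header are constructed for the example.

```powershell
# Added example, not code from the original post. Identifies Windows Metafile (WMF)
# content by its header bytes, so a file named "something.jpg" that is really a WMF
# is reported as such. Assumes PowerShell 2.0 or later and readable files; the
# directory path and the sample bytes below are constructed for the example.

function Get-ContentKind {
    param([byte[]]$Bytes)
    # Returns what the leading bytes say the file is, or 'unknown'.
    if ($Bytes.Length -lt 4) { return 'unknown' }

    # Placeable (Aldus) WMF: 22-byte header whose first DWORD is 0x9AC6CDD7,
    # stored little-endian as D7 CD C6 9A.
    if ($Bytes[0] -eq 0xD7 -and $Bytes[1] -eq 0xCD -and $Bytes[2] -eq 0xC6 -and $Bytes[3] -eq 0x9A) {
        return 'wmf-placeable'
    }

    # Standard WMF METAHEADER: WORD type (1 = memory, 2 = disk), WORD header size
    # in words (always 9), WORD version (0x0100 or 0x0300). Words are little-endian,
    # so each is low byte + 256 * high byte (no -shl, which PowerShell 2.0 lacks).
    if ($Bytes.Length -ge 6) {
        $type    = $Bytes[0] + 256 * $Bytes[1]
        $hdrSize = $Bytes[2] + 256 * $Bytes[3]
        $version = $Bytes[4] + 256 * $Bytes[5]
        if (($type -eq 1 -or $type -eq 2) -and $hdrSize -eq 9 -and ($version -eq 0x0100 -or $version -eq 0x0300)) {
            return 'wmf-standard'
        }
    }

    # Signatures of the formats an image file name usually claims.
    if ($Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xD8 -and $Bytes[2] -eq 0xFF) { return 'jpeg' }
    if ($Bytes[0] -eq 0x89 -and $Bytes[1] -eq 0x50 -and $Bytes[2] -eq 0x4E -and $Bytes[3] -eq 0x47) { return 'png' }
    if ($Bytes[0] -eq 0x47 -and $Bytes[1] -eq 0x49 -and $Bytes[2] -eq 0x46 -and $Bytes[3] -eq 0x38) { return 'gif' }
    if ($Bytes[0] -eq 0x42 -and $Bytes[1] -eq 0x4D) { return 'bmp' }
    return 'unknown'
}

function Test-ImageFile {
    param([string]$Path)
    # Compares what the extension claims with what the content signature shows.
    $bytes   = [System.IO.File]::ReadAllBytes($Path)
    $kind    = Get-ContentKind -Bytes $bytes
    $ext     = [System.IO.Path]::GetExtension($Path).ToLower()
    $claims  = @{ '.jpg' = 'jpeg'; '.jpeg' = 'jpeg'; '.png' = 'png'; '.gif' = 'gif'; '.bmp' = 'bmp'; '.wmf' = 'wmf' }
    $claimed = $claims[$ext]          # $null for an unknown or missing extension
    $isWmf   = $kind -like 'wmf-*'
    $matches = ($claimed -eq $kind) -or ($claimed -eq 'wmf' -and $isWmf)
    New-Object PSObject -Property @{
        Path      = $Path
        Extension = $ext
        Content   = $kind
        IsWmf     = $isWmf
        Mismatch  = ($claimed -ne $null) -and -not $matches
    }
}

# Constructed sample: a standard WMF header (type 1, 9 words, version 0x0300) with
# no file name at all. Expected result: 'wmf-standard'.
$sample = [byte[]](0x01, 0x00, 0x09, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
Get-ContentKind -Bytes $sample

# Sweep a folder (constructed path) and list only the suspicious files: WMF content
# under any name, or a name whose extension does not match the content.
Get-ChildItem -Path 'C:\Inbox\greetings' -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Test-ImageFile -Path $_.FullName } |
    Where-Object { $_.IsWmf -or $_.Mismatch } |
    Format-Table Path, Extension, Content, IsWmf, Mismatch -AutoSize
```

The sweep deliberately reads only the bytes and never opens the file with an image viewer or asks Explorer for a thumbnail, since on an unpatched system either of those goes through the very libraries the post names.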

Note that most of the anti-virus programs now have detectors for this exploit, but if your system only updates every week or so (and why have you left it like that - it should now be daily!) then you can be vulnerable.

  • Follow up

    I don't normally send two of these in a single week, let alone a day - but this is urgent!

    My last post was about the WMF exploit - well, reading more at http://isc.sans.org/ (published at 11:50 PST today) has told me that this exploit is really nasty, with multiple "in the wild" sites and examples already and more all the time.

    As an example, McAfee has announced that 6% of their customers have been infected - and that is a LARGE number!

    They (ISC) have issued an unprecedented "trust us" message that strongly suggests not waiting until Microsoft does something and/or the anti-virus companies do something.

    I trust them - and in turn I hope you trust me. If you have any questions about this, please phone me at the number below for confirmation!

    Please read their FAQ at: http://isc.sans.org/diary.php?storyid=994

    ISC suggests two things:

    1 - "unregister" the affected DLL

    2 - use the unofficial patch found at: http://handlers.sans.org/tliston/wmffix_hexblog13.exe which can later (when Microsoft finally does something) be uninstalled from the Add/Remove programs utility on the Settings page.

    Detailed instructions are in the above noted FAQ. You can cut/paste the correct method to unregister the program directly into your "run" command line.

    I've patched and unregistered my Windows systems (yes, I really do have a couple around :)
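The "unregister the affected DLL" step above is a one-line regsvr32 command, but on a live system you want to see that it actually took effect and to be able to undo it once the official patch is in. The script below is an added example, not code from the original post or from the ISC FAQ. It assumes the DLL being unregistered is the post's shimgvw.dll, a 32-bit Windows XP-era system, an Administrator session, and PowerShell (which post-dates XP's own tools; the regsvr32 command inside it is the same one typed into Start > Run).

```powershell
# Added example, not code from the original post or the ISC FAQ. Shows the
# "unregister the DLL" mitigation with a check before and after, plus the matching
# re-registration for when the vendor fix is installed.
# Assumes a 32-bit Windows XP-era system, an Administrator session, and PowerShell.

$ShimgvwPath = Join-Path $env:SystemRoot 'system32\shimgvw.dll'

function Get-ShimgvwRegistrations {
    # Lists every COM class whose InProcServer32 default value points at shimgvw.dll.
    # An empty result means the DLL is no longer registered as a server.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $serverKey = Join-Path $_.PSPath 'InProcServer32'
            if (Test-Path $serverKey) {
                $server = (Get-ItemProperty -Path $serverKey).'(default)'
                if ($server -and $server -match 'shimgvw\.dll') {
                    New-Object PSObject -Property @{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        }
}

function Invoke-Regsvr32 {
    param([string[]]$Arguments)
    # regsvr32 is a GUI program, so wait for it explicitly and return its exit code
    # (0 means success). /s suppresses the confirmation dialog.
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode
}

function Unregister-Shimgvw { Invoke-Regsvr32 -Arguments @('/u', '/s', "`"$ShimgvwPath`"") }
function Register-Shimgvw   { Invoke-Regsvr32 -Arguments @('/s', "`"$ShimgvwPath`"") }

# Mitigation: record the current state, unregister, then confirm the registrations are gone.
$before = @(Get-ShimgvwRegistrations)
"Registrations before: $($before.Count)"
$before | Format-Table Clsid, Server -AutoSize

$rc = Unregister-Shimgvw
"regsvr32 /u exit code: $rc"

$after = @(Get-ShimgvwRegistrations)
"Registrations after: $($after.Count)"
if ($after.Count -gt 0) { "WARNING: shimgvw.dll is still registered; was this run as Administrator?" }

# Rollback, once the official patch is installed: re-register to get Explorer
# thumbnails and the picture viewer back. Uncomment when that time comes.
# $rc = Register-Shimgvw; "regsvr32 exit code: $rc"; @(Get-ShimgvwRegistrations).Count
```

Two caveats worth keeping in your notes: while shimgvw.dll is unregistered, Explorer thumbnails and the Windows picture viewer stop working, which is the expected cost of the workaround; and of the two files the post lists, only shimgvw.dll is a COM server that regsvr32 can unregister, since gdi32.dll is a core system library and is not something to unregister or remove.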

    Update

    According to Microsoft, they will come out with an official patch for this problem with their regular "second Tuesday" patch roundup on January 10. In the mean time they say:
    "Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."

    Right! Don't go anywhere new - and trust that any place you DO go won't be compromised.

    Nope - my strong suggestion is to apply the unofficial patch NOW and remove it (and install the official one) on Tuesday next week.

    For those who didn't do what I suggested before because it didn't "look" like a proper patch, there is now a version of the unofficial patch for the WMF vulnerability that looks and acts like a patch.

    The new version also detects whether any previous version has already been installed, so go ahead and try again if you don't remember (you ARE keeping notes on what you do on your systems, aren't you :)

    The official notice of the new version of the patch is at: http://isc.sans.org/diary.php?rss&storyid=1010

  • Trackback

    Trackback URL for this entry: http://digital-rag.com/trackback.php/20060103150855974
