December 28, 2005
Malicious Website / Malicious Code: Zero-day IE .WMF Exploit
************************************************************
A screen....
***********************************************
Posted on 12/28/2005 2:55:03 PM PST by Ernest_at_the_Beach
This alert is a follow-up to a post made yesterday on our blog: http://www.websensesecuritylabs.com/blog/
Websense® Security Labs™ has discovered numerous websites exploiting an unpatched Windows vulnerability in the handling of .WMF image files. The websites which have been uncovered at this point are using the exploit to distribute Spyware applications and other Potentially Unwanted Soware. The user's desktop background is replaced with a message warning of a spyware infection and a "spyware cleaning" application is launched. This application prompts the user to enter credit card information in order to remove the detected spyware. The background image used and the "spyware cleaning" application vary between instances. In addition, a mail relay is installed on the infected computer and it will begin sending thousands of SPAM messages.
We are currently tracking thousands of websites distributing exploit code from iFrameCASH BIZ. A similar zero-day vulnerability being exploited by this entity was discussed earlier this month:http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=364
There is currently no patch available. Visiting an infected webpage with Internet Explorer on a fully-patched XP Service Pack 2 computer causes immediate infection. Earlier Firefox users are vulnerable but they are first prompted to display the WMF image. If a filesystem indexing service (such as Google Desktop) is installed, users of Firefox and even text-based browsers can become infected.
(Excerpt) Read more at websensesecuritylabs.com ...
Another one.....
According to an overnight post at the SANS Internet Storm Center, the link provided at Bugtraq when clicked on successfully drops a Trojan horse program (on) fully patched Windows XP SP2 machines. The Trojan will then download a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove threats it claims are resident on the user's machine.
I don't understand why they keep calling this a browser exploit. It is strictly a Windows exploit. How the malicious WMF file is downloaded is irrelevant.
What? Your not supposed to enter your info?
LVM
December 28, 2005
Malicious Website / Malicious Code: Zero-day IE .WMF Exploit
************************************************************
A screen....
***********************************************
This one may fool some people!
A simple way of dealing with this until the patch is released is to change the .WMF file type to invoke something other than Windows Fax and Picture Viewer until this issue is resolved.
AVG finally removed the virus from my computer.( I think).
I quit using ie because of that virus, downloaded firefox. It looks like the new AVG download takes care of winfixer 2005.
Ping!
This is an example of how P.U.S. (AKA "Greyware") vendors are using known and unknown exploits combined with deception to install code.
http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv
Hope it works for you........I got this crap with Firefox.
Not only "strictly a Windows exploit", but apparently also limited to XP w/ SP2.
I guess I'll just have to turn my new firewall settings up another couple of notches (I'm running 2000 Pro SP5), knock off surfing for a bit and go shut off my daughter's XP setup. (Lord, I'm tired of debugging that computer!!)
I got it by using "save image as".
Now im upset that firefox can bring it back.
Try AVG free virus killer. It can't hurt, anyway.
This has been building for a month or so.
I'm beginning to think that the best option for most people would be a dual-boot system with Windows and Linux. Run Windows for the gaming and the applications that aren't available on Linux and run Linux for internet browsing, e-mail, etc.
Another option is to use a cheap machine solely for the net and keep the important computer off the net or behind a secondary firewall -- only using the net for system updates and browsing extremely trusted sites.
Microsoft Windows WMF Handling Arbitrary Code Execution
***********************
|
||||||||||||||||||||||||||||||||||||||||
I've been saying that for awhile also....not many people listening though!
or if you're just using your computer for web, email, mp3s, photos, etc. Get a mac mini for $500 and stop worry about all the spyware and viruses.
I'd imagine Javascript/ActiveX would need to be enabled for web sites to exploit the bug in IE but it doesn't say other than unregistering shimgvw.dll. That file doesn't even show up in Windows 98SE so I'm not sure if that OS is vulnerable, it appears to be XP and Windows 2003 Web Server only.
Yep...I run Debian Linux. Win-XP runs in VM-Ware on my workstation. I never touch the net with XP.
This kind of stuff is gonna drive a lot of people to Macs!
Take a look at the link to the Washington Post and tell us if that is the workaround describe there..
I would doubt they would even check Windows98.
Start - Run - regsvr32 /u shimgvw.dll
Thanks!
Aha! That is what I was working to remove from my boss' home computer. They use XP Home, but were running IE BUCK-NAKED! No firewall, no antivirus, no spyware protection, no nuthin. They just signed up for broadband and within an hour they were sporting that second photo of yours. The yellow picture on the black background is an overlay on the desktop.
If people would just read the screen they would not go much further. Bad grammar and misspelled words (see the screen shots above) should tip you off that you shouldn't click there.
We do computer repairs - it amazes me at the people who bring their computers in every month (and pay us 49 bucks) to get this crap removed. They click and download EVERYTHING! If it's free it MUST be OK!
We take in at least 490 bucks a week for this stuff.
Some folks just never learn or they don't want to learn.
Of course I am assuming that people who own computers will be able to determine bad grammar and misspelled words. Maybe I give too much credit....
bttt
ROFL!
See #27!
fyi
I think it disables the Microsoft Picture and Fax viewer, which allegedly is used to infect you computer.
AVG rules!!!! Been using it for almost 2 years now. Finds and kills what norton and macafee miss, I have first hand experience. AVG and Microsoft's anti spyware are a powerful combination.
People who write, or propagate, this trash should be flogged in public. And triple fined for lost time & damages.
This one looks like a money oriented enterprise!
People who write, or propagate, this trash should be flogged in public. And triple fined for lost time & damages.
More from Beta News:
'Really Bad' Exploit Threatens Windows
By Nate Mook, BetaNews
December 28, 2005, 1:30 PM
A new exploit has been discovered in the wild that affects fully patched Windows XP SP2 systems, according to reports by security firms F-Secure and Sunbelt. The malicious code takes advantage of a vulnerability in the WMF graphics rendering engine to automatically download and install malware.
WMF, or Windows Metafile, is a vector based image format used by Microsoft's operating systems. SHIMGVW.DLL is loaded to render the images and contains a flaw that opens the door for a malformed WMF image to cause remote code execution and potentially allow for a full system compromise.
Microsoft previously fixed a vulnerability affecting WMF and EMF files in November. That problem affected Windows 2000, XP and Windows Server 2003.
"We have a number of sites that we have found with this exploit. Different sites download different spyware. We only had a handful of websites using this new exploit but now we are seeing many more using this to install bad stuff. These image files can be modified very easily to download any malware or virus," said Alex Eckelberry, CEO of Sunbelt Software.
"I hit one site with a fully patched XP system last night and it was pretty intense -- it went right through and infected my machine."
F-Secure's Mika Pehkonen warned that, "Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch." The company is detecting the offending WMF files as W32/PFV-Exploit.A, .B and .C.
"Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file," Pehkonen added.
Microsoft has been notified of the issue and it could opt to issue an emergency patch, apart from its standard Patch Tuesday security bulletins. "We expect Microsoft to issue a patch on this as soon as they can," says F-Secure.
Sunbelt's Eckelberry echoes that sentiment: "Folks, I've seen it with my own eyes and this is a really bad exploit. Be careful out there."
I was thinking more along the lines of drawing and quartering and then mincing them into half inch cubes.
Are you talking about Microsoft programmers or the virus writers ?
This one is a really nasty one. One could get infected by just visiting a website with .WMF files.
How about including Microsoft management?
"'m beginning to think that the best option for most people would be a dual-boot system with Windows and Linux. Run Windows for the gaming and the applications that aren't available on Linux and run Linux for internet browsing, e-mail, etc."
I'm running Linux, and Windows XP Pro in VMWare. No web surfing in Windows - office, etc. only. All data is saved to a Samba share on Linux. If Windows takes a dump, I replace the VMware image I'm using with a fresh copy.
ping
Suggestions to change it to?
I can find the file type and all but don't comprehend the extended information that's displayed under "Advanced" tab where it's set to open with, etc.
I have Norton AV 2006 and have it selected to disable all ActiveX and Java. Can't see some content on the internet but that's the least of my worries.
When I NEED to interact with a TRUSTED, knowntobereliable site, I modify as necessary, but for general internet use, everyone should just disable those functions. And use "High" Internet security setting, AND use a few other trusted, reliable programs like Spybot Search & Destroy (which blocks a lot of spyware and malware and hacking attempts and will actually close down your browser if anything very terrible attempts to correspond)...
Most people are just far too available on the internet and that's why they have so many of these bugs. And their bugs become bugs for everyone else, so it's important for everyone to try to take control over security on their desktops.
Better yet, save the five hundred and d/l a copy of Mepis Linux or Kubuntu. Both are idiot proof to install on every machine I have tried and easy enough to run that my technophobe wife has no problems at all with them. She now prefers linux to windows.
What if you turn off your spyware detection alert?
That's good advice, on the Internet zone I always keep Javascript/ActiveX disabled, not only does it help protect users somewhat against exploits but you don't get popups either.
But this is a different exploit.....I don't think that helps with this one!
From Cicero's posting # 38 above......and see Company Man posting at #25.
***********************************************
A new exploit has been discovered in the wild that affects fully patched Windows XP SP2 systems, according to reports by security firms F-Secure and Sunbelt. The malicious code takes advantage of a vulnerability in the WMF graphics rendering engine to automatically download and install malware.
WMF, or Windows Metafile, is a vector based image format used by Microsoft's operating systems. SHIMGVW.DLL is loaded to render the images and contains a flaw that opens the door for a malformed WMF image to cause remote code execution and potentially allow for a full system compromise.
Microsoft previously fixed a vulnerability affecting WMF and EMF files in November. That problem affected Windows 2000, XP and Windows Server 2003.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
