New Windows virus you can get just by looking at a picture, info in here


ReptilesBlade
December 30th 05, 06:51 PM
**YOU CAN GET THIS BY LOOKING OR INTERACTING IN ANY WAY WITH AN IMAGE FILE**

WHAT IS IT?
There is a new exploit out that uses WMF (windows metafile format) files to
infect a computer. All you have to do to get infected is view a webpage
that has the image on it, or access an infected image that is on your
computer. That means the forums can be a vector for infection too.

WHO IS VULNERABLE?
The exploit affects Firefox, Internet Explorer, and any other browser that
displays or downloads the file into the cache on the local machine. The
file could also be a WMF renamed to any other image type, or possibly other
filetypes. Anything that puts the image exploit onto your computer or opens
it up in Windows fax viewer or the part of Windows that generates
thumbnails of WMF files is a vulnerability. This means any vector that puts
the image onto your computer (wget, browser, email, IM, etc.) can
potentially cause the problem.

This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003). USING
FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your
cache in most cases, but it does reduce your chances somewhat since the
image is often not displayed in the browser. But if you then interact with
the file in any way (thumbnail it, Google Desktop, hover over with the
mouse) that causes it to be handled by the windows subsystem responsible
for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS
EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows,
your system is vulnerable.

WHAT DOES IT DO?
The exploit can be used to drop viruses, trojans, installers etc onto your
computer when the exploit is activated (when the file is parsed by the part
of windows with the problem). It does not do anything by itself until it is
activated. There have been several reports of trojans being downloaded,
which then download other things, other spyware, etc. Some of these are
"SpyAxe", "AYL" trojan downloader, "ASC" trojan, and other stuff.

For further technical information please see the SH/SC thread -
http://forums.somethingawful.com/showthread.php?s=&threadid=1759903

WHAT YOU CAN DO TO HELP PROTECT YOURSELF
1. SCAN YOUR COMPUTER - NOD32 TRIAL VERSION is a good one. Update the
definitions right away after installing - they auto-update but you want to
be sure you have the latest. (Your goal is to have an antivirus software
with a realtime scanner that detects the exploit itself, and not just the
payload that it drops. NOD32 does this, at least for this variant.)
Even if you think you are safe, scan your Windows computer anyway. ClamWin
appears to catch this, but it doesn't have a realtime scanner. SAV
Corporate 10.2 does not catch it outright (the bloodhound heuristics may)
but Symantec's own site says that it possibly may never work fully for this
due to something about how the virus works. AVG, McAfee, Trend are unknowns
at this point. I have personally tested NOD32 and found that its AMON on-
access scanner stopped the image as soon as it was saved to the cache,
before it was able to execute anything. NOTE: SCAN ALL FILES. Some AV
solutions only scan "infectable" files and do not scan image files because
the program thinks they are safe. Check for an option to scan all file
types and make sure that is enabled.
UPDATE: Most AV companies should have definitions updated by now, but check
to be sure that they protect against the actual exploit itself, not just
against whatever trojan the exploit drops on the computer.

2. USE AN ALTERNATIVE BROWSER - Using Firefox or an alternative browser
will reduce your risk because it does not display the image. However the
image is still downloaded to your cache, and some browsers prompt you to
open the file - which you should not do!

3. TURN OFF SALR's feature that makes text links into images. If you have
that feature turned on, someone could make just a text link that displays
the infected image in your browser.

4. TURN OFF GOOGLE DESKTOP or anything else that does indexing of files on
your computer.

5. USE COMMON SENSE - Don't go to links you don't trust, don't open files
you aren't expecting, including suspicious emails or IMs, etc.

6. KEEP ON TOP OF WINDOWS UPDATES - Hopefully they can fix this one
quickly, but you really should be up-to-date on everything else anyway.

7. AVOID IMAGE SEARCHING and visiting webpages you don't trust. Some of the
places this image has been popping up are: eBay XBOX auctions, porn sites,
google image search, wikipedia, myspace, other forums, etc - places where
people can post their own images. If you have a competent realtime scanner
that can catch the image before it executes anything you are ahead of the
game here.

BONUS TECHY STUFF
8. You can try unhooking the part of Windows that views those image files.
To do this, click Start -> Run and type regsvr32 /u shimgvw.dll then press
OK. You will get a confirmation message. To undo this, repeat but type
regsvr32 shimgvw.dll instead. Note: This only has a minimal benefit - it
only disables the image viewer itself. It doesn't prevent viewing
the exploit image in Internet Explorer, for example. Messing around with
this is at your own risk.

9. Forum user R1CH, the Ron Jeremy of Coding, has come up with a patched
file that can reportedly help eliminate the problem. The instructions are
on page 3 of this thread (pages 7/8 of the SHSC thread). This is also at
your own risk since it's not an official Microsoft patch. If you install
this update from R1CH there is a chance that Windows Update will detect it
and show you that an update is available - that update it shows you is for
a previous vulnerability and will actually roll back your system to the
pre-R1CH broken dll file from November 2005.

BOTTOM LINE: If you use Windows, you will not be 100% safe from this
exploit until the problem in windows is patched - there is no official
patch yet.
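As an added example, not part of the original post: the "scan all files" advice and the note that a WMF can be renamed to any other image type both come down to identifying WMF data by its header rather than its extension. The Python below does that content check, validating the placeable-wrapper checksum and the standard metafile header; the sample bytes are constructed here, not taken from any real file.

```python
import struct

# Magic dword that opens an "Aldus placeable" WMF wrapper (22 bytes).
PLACEABLE_KEY = 0x9AC6CDD7
# Standard METAHEADER (18 bytes): type, header size in WORDs, version,
# file size in WORDs, object count, largest record size, reserved.
META_HDR = struct.Struct("<HHHIHIH")


def wmf_kind(data: bytes):
    """Return 'placeable', 'standard' or None, judged from header bytes only."""
    offset, kind = 0, "standard"
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        # The wrapper's final WORD is the XOR of the ten WORDs before it.
        checksum = 0
        for (word,) in struct.iter_unpack("<H", data[:20]):
            checksum ^= word
        if checksum != struct.unpack_from("<H", data, 20)[0]:
            return None  # corrupt or fake wrapper: do not trust it
        offset, kind = 22, "placeable"
    if len(data) < offset + META_HDR.size:
        return None
    mt_type, hdr_words, version = struct.unpack_from("<HHH", data, offset)
    # type 1 = in memory, 2 = on disk; header is always 9 WORDs; known versions
    if mt_type in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return kind
    return None


def is_disguised_wmf(filename: str, data: bytes) -> bool:
    """True when the bytes are WMF but the name claims some other type."""
    return wmf_kind(data) is not None and not filename.lower().endswith(".wmf")


def sample_placeable_wmf() -> bytes:
    """Constructed minimal placeable WMF: wrapper, header, and an EOF record."""
    # key, handle, bbox (left, top, right, bottom), units/inch, reserved
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", body):
        checksum ^= word
    header = META_HDR.pack(1, 9, 0x0300, 12, 0, 3, 0)  # 12 WORDs = header + EOF
    eof_record = struct.pack("<IH", 3, 0x0000)          # 3 WORDs, function 0
    return body + struct.pack("<H", checksum) + header + eof_record
```

Run `wmf_kind` over a browser cache or download folder to find files whose bytes are WMF whatever the extension says; an AV product that only scans "infectable" extensions would skip exactly those.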


landotter
December 30th 05, 07:55 PM
If your 'dows install goes tits up from this virus, do give a live
Linux CD a try while you try to recover your data. :P

Not the thing for everybody, but a great way to recover data from a
drive that won't boot, and a neat way to give Linux a test drive:

http://www.pclinuxonline.com/pclos/
http://genieos.toluenterprises.com/otherstuff.html
http://www.watsky.net/
http://www.knoppix.org/
http://www.damnsmalllinux.org/

GaryG
January 3rd 06, 09:00 AM
"ReptilesBlade" > wrote in message
...
> **YOU CAN GET THIS BY LOOKING OR INTERACTING IN ANY WAY WITH AN IMAGE
FILE**
>

Bull****.

Rich Clark
January 3rd 06, 02:55 PM
"GaryG" > wrote in message
...
> "ReptilesBlade" > wrote in message
> ...
>> **YOU CAN GET THIS BY LOOKING OR INTERACTING IN ANY WAY WITH AN IMAGE
> FILE**
>>
>
> Bull****.

Actually not bull****. This was covered widely in the news last week.

Quote from
http://www.pcw.co.uk/vnunet/news/2147909/hackers-attack-zero-day-windows:

"Users of Microsoft's Internet Explorer are automatically infected when they
visit a webpage hosting an infected image. Firefox will first ask the user
before opening the file. If the user approves, the PC will be infected."

RichC

landotter
January 3rd 06, 07:07 PM
This virus isn't an issue if you don't run with administrative
rights--something that's a no-brainer for us *nix users.

Unfortunately, some Windows programs like Winamp assume you can write
to the /programs directory. :/

Create an administrative account, and change your regular account to
limited--and you're immune to most of the crap out there.

Just zis Guy, you know?
January 3rd 06, 08:31 PM
On Tue, 3 Jan 2006 09:55:07 -0500, "Rich Clark"
> said in
>:

>Actually not bull****. This was covered widely in the news last week.

I believe it; Shavlik have issued a security bulletin, and so have
Microsoft. The batch file Shavlik describe here will do the needful,
I think, but stops thumbnails working:

http://forum.shavlik.com/viewtopic.php?t=2731

Guy
--
May contain traces of irony. Contents liable to settle after posting.
http://www.chapmancentral.co.uk

85% of helmet statistics are made up, 69% of them at CHS, Puget Sound
