Encountered WMF Vulnerability

  • Thread starter Thread starter Jack
  • Start date Start date
J

Jack

XPHome SP2, fully patched. Opened a picture link, it flashed up my download
manager trying to download the file eid6.wmf, which shut before I could
close it and flashed open the picture and fax viewer which I closed and
disconnected from the internet. The following new process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
C:\Documents and Settings\%username%\Local Settings\Temporary Internet
Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't restart.
Following files were created around this time and may or may not be related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files, the catroot2 file was in use and could not be
moved and disappeared over a reboot. Then used SR to restore to a point
prior. Doesn't seem as if there is any obvious residual, but does anyone
know anything esle I should do or look for. I had not unregistered
shimgvw.dll or applied Ilfak Guilfanov's temp patch:

http://www.grc.com/sn/notes-020.htm

Thanks.
 
Jack said:
XPHome SP2, fully patched. Opened a picture link, it flashed up my
download manager trying to download the file eid6.wmf, which shut
before I could close it and flashed open the picture and fax viewer
which I closed and disconnected from the internet. The following new
process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
C:\Documents and Settings\%username%\Local Settings\Temporary Internet
Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't restart.
Following files were created around this time and may or may not be
related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files, the catroot2 file was in use and could
not be moved and disappeared over a reboot. Then used SR to restore
to a point prior. Doesn't seem as if there is any obvious residual,
but does anyone know anything esle I should do or look for. I had not
unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:

http://www.grc.com/sn/notes-020.htm

Thanks.
Click to expand...

What Anti-virus program do you use? Most can already detect this exploit.
Here is some reading on this.
http://www.updatexp.com/wmf-exploit.html
If you read the link above it mentions that this exploit can download and
install trojans and/or malware I suggest that you try Ewido for 14 days free
it will also detect the wmf vulnerability if your system is still infected.
http://www.ewido.net/en/

The following is copied and pasted from the MS virus newsgroups courtesy of
David Lipman.



AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found
 
From: "Jack" <[email protected]>

| XPHome SP2, fully patched. Opened a picture link, it flashed up my download
| manager trying to download the file eid6.wmf, which shut before I could
| close it and flashed open the picture and fax viewer which I closed and
| disconnected from the internet. The following new process was running:
|
| "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
| C:\Documents and Settings\%username%\Local Settings\Temporary Internet
| Files\Content.IE5\WTABCDEZ\eid6[1].wmf
|
| Closed it and cleaned the IE cache and rebooted and it didn't restart.
| Following files were created around this time and may or may not be related:
|
| C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
|
| C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
|
| C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
|
| C:\WINDOWS\system32\CatRoot2\tmp.edb
|
| I removed the prefetch files, the catroot2 file was in use and could not be
| moved and disappeared over a reboot. Then used SR to restore to a point
| prior. Doesn't seem as if there is any obvious residual, but does anyone
| know anything esle I should do or look for. I had not unregistered
| shimgvw.dll or applied Ilfak Guilfanov's temp patch:
|
| http://www.grc.com/sn/notes-020.htm
|
| Thanks.
|

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
MAP said:
Jack said:
XPHome SP2, fully patched. Opened a picture link, it flashed up my
download manager trying to download the file eid6.wmf, which shut
before I could close it and flashed open the picture and fax viewer
which I closed and disconnected from the internet. The following new
process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
C:\Documents and Settings\%username%\Local Settings\Temporary Internet
Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't restart.
Following files were created around this time and may or may not be
related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files, the catroot2 file was in use and could
not be moved and disappeared over a reboot. Then used SR to restore
to a point prior. Doesn't seem as if there is any obvious residual,
but does anyone know anything esle I should do or look for. I had not
unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:

http://www.grc.com/sn/notes-020.htm

Thanks.
Click to expand...

What Anti-virus program do you use? Most can already detect this exploit.
Here is some reading on this.
http://www.updatexp.com/wmf-exploit.html
If you read the link above it mentions that this exploit can download and
install trojans and/or malware I suggest that you try Ewido for 14 days
free
it will also detect the wmf vulnerability if your system is still
infected.
http://www.ewido.net/en/

The following is copied and pasted from the MS virus newsgroups courtesy
of
David Lipman.



AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found
Click to expand...


Thanks for your response. I use AVG with most recent def update and
a-squared updated with detection
for the WMF exploit, scans of both for my entire system show no infection. I
think the initial core malware file was not entirely downloaded and cleaning
the cache and the quick disconnect saved me :)
 
Thanks for your response. I use AVG with most recent def update and
a-squared updated with detection
for the WMF exploit, scans of both for my entire system show no
infection. I think the initial core malware file was not entirely
downloaded and cleaning the cache and the quick disconnect saved me :)
Click to expand...

I strongly urge you to replace your AV program!
Use NOD32 or Kaspersky, any decent av software would have stopped the
download as it was happening and give you a warning to terminate it, thus
preventing an infection in the first place.
 
From: "Jack" <[email protected]>

|
| Thanks for your response. I use AVG with most recent def update and
| a-squared updated with detection
| for the WMF exploit, scans of both for my entire system show no infection. I
| think the initial core malware file was not entirely downloaded and cleaning
| the cache and the quick disconnect saved me :)
|

It has been determined that a variant of the Exploit-WMF is causing the installation of a
variant of the Backdoor.Haxdoor Trojan which uses RootKit technology.

Download HiJack This! (HJT).
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT Log file and Copy the section (an ONLY that section) that is labeled "O23 -
Service:" and paste all the lines starting "O23 - Service:" in your reply.
 
Have you seen this from eWeek? Ewido doesn't rank very highly here. In fact,
it is dismal! This is from a few days ago, when the tests were being
performed.


AV-Test, which tests anti-malware products, has been tracking the situation
closely and has, so far, analyzed 73 variants of malicious WMF files.
Products from the following companies have identified all 73:

a.. Alwil Software (Avast)
b.. Softwin (BitDefender)
c.. ClamAV
d.. F-Secure Inc.
e.. Fortinet Inc.
f.. McAfee Inc.
g.. ESET (Nod32)
h.. Panda Software
i.. Sophos Plc
j.. Symantec Corp.
k.. Trend Micro Inc.
l.. VirusBuster

These products detected fewer variants:
a.. 62 - eTrust-VET
b.. 62 - QuickHeal
c.. 61 - AntiVir
d.. 61 - Dr Web
e.. 61 - Kaspersky
f.. 60 - AVG
g.. 19 - Command
h.. 19 - F-Prot
i.. 11 - Ewido
j.. 7 - eSafe
k.. 7 - eTrust-INO
l.. 6 - Ikarus
m.. 6 - VBA32
n.. 0 - Norman


The difference for the more effective products is likely to be heuristic
detection, tracking the threat by identifying the basic techniques of the
exploit, rather than looking for specific patterns for specific exploits.


--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!

MAP said:
Jack said:
XPHome SP2, fully patched. Opened a picture link, it flashed up my
download manager trying to download the file eid6.wmf, which shut
before I could close it and flashed open the picture and fax viewer
which I closed and disconnected from the internet. The following new
process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
C:\Documents and Settings\%username%\Local Settings\Temporary Internet
Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't restart.
Following files were created around this time and may or may not be
related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files, the catroot2 file was in use and could
not be moved and disappeared over a reboot. Then used SR to restore
to a point prior. Doesn't seem as if there is any obvious residual,
but does anyone know anything esle I should do or look for. I had not
unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:

http://www.grc.com/sn/notes-020.htm

Thanks.
Click to expand...

What Anti-virus program do you use? Most can already detect this exploit.
Here is some reading on this.
http://www.updatexp.com/wmf-exploit.html
If you read the link above it mentions that this exploit can download and
install trojans and/or malware I suggest that you try Ewido for 14 days
free
it will also detect the wmf vulnerability if your system is still
infected.
http://www.ewido.net/en/

The following is copied and pasted from the MS virus newsgroups courtesy
of
David Lipman.



AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found
Click to expand...
 
Thanks for the info!

--
Mike Pawlak



Richard said:
Have you seen this from eWeek? Ewido doesn't rank very highly here.
In fact, it is dismal! This is from a few days ago, when the tests
were being performed.


AV-Test, which tests anti-malware products, has been tracking the
situation closely and has, so far, analyzed 73 variants of malicious
WMF files. Products from the following companies have identified all
73:

a.. Alwil Software (Avast)
b.. Softwin (BitDefender)
c.. ClamAV
d.. F-Secure Inc.
e.. Fortinet Inc.
f.. McAfee Inc.
g.. ESET (Nod32)
h.. Panda Software
i.. Sophos Plc
j.. Symantec Corp.
k.. Trend Micro Inc.
l.. VirusBuster

These products detected fewer variants:
a.. 62 - eTrust-VET
b.. 62 - QuickHeal
c.. 61 - AntiVir
d.. 61 - Dr Web
e.. 61 - Kaspersky
f.. 60 - AVG
g.. 19 - Command
h.. 19 - F-Prot
i.. 11 - Ewido
j.. 7 - eSafe
k.. 7 - eTrust-INO
l.. 6 - Ikarus
m.. 6 - VBA32
n.. 0 - Norman


The difference for the more effective products is likely to be
heuristic detection, tracking the threat by identifying the basic
techniques of the exploit, rather than looking for specific patterns
for specific exploits.



MAP said:
Jack said:
XPHome SP2, fully patched. Opened a picture link, it flashed up my
download manager trying to download the file eid6.wmf, which shut
before I could close it and flashed open the picture and fax viewer
which I closed and disconnected from the internet. The following new
process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
C:\Documents and Settings\%username%\Local Settings\Temporary
Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't
restart. Following files were created around this time and may or
may not be related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files, the catroot2 file was in use and could
not be moved and disappeared over a reboot. Then used SR to restore
to a point prior. Doesn't seem as if there is any obvious residual,
but does anyone know anything esle I should do or look for. I had
not unregistered shimgvw.dll or applied Ilfak Guilfanov's temp
patch:

http://www.grc.com/sn/notes-020.htm

Thanks.
Click to expand...

What Anti-virus program do you use? Most can already detect this
exploit. Here is some reading on this.
http://www.updatexp.com/wmf-exploit.html
If you read the link above it mentions that this exploit can
download and install trojans and/or malware I suggest that you try
Ewido for 14 days free
it will also detect the wmf vulnerability if your system is still
infected.
http://www.ewido.net/en/

The following is copied and pasted from the MS virus newsgroups
courtesy of
David Lipman.



AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found
Click to expand...
Click to expand...
 
On Sun, 1 Jan 2006 20:56:06 -0500, "Richard Urban"

Sorry to leave this un-trimmed, but there's nothing redundant!
AV-Test, which tests anti-malware products, has been tracking the situation
closely and has, so far, analyzed 73 variants of malicious WMF files.
Products from the following companies have identified all 73:
Click to expand...
a.. Alwil Software (Avast)
b.. Softwin (BitDefender)
c.. ClamAV
d.. F-Secure Inc.
e.. Fortinet Inc.
f.. McAfee Inc.
g.. ESET (Nod32)
h.. Panda Software
i.. Sophos Plc
j.. Symantec Corp.
k.. Trend Micro Inc.
l.. VirusBuster
Click to expand...
These products detected fewer variants:
a.. 62 - eTrust-VET
b.. 62 - QuickHeal
c.. 61 - AntiVir
d.. 61 - Dr Web
e.. 61 - Kaspersky
f.. 60 - AVG
g.. 19 - Command
h.. 19 - F-Prot
i.. 11 - Ewido
j.. 7 - eSafe
k.. 7 - eTrust-INO
l.. 6 - Ikarus
m.. 6 - VBA32
n.. 0 - Norman
Click to expand...
The difference for the more effective products is likely to be heuristic
detection, tracking the threat by identifying the basic techniques of the
exploit, rather than looking for specific patterns for specific exploits.
Click to expand...

Well, those who believe in throwing money at one "good" av product may
be in a YMMV situation, as Kaspersky (the usual fundi's favorite)
detects only one more malware than AVG (the freebie favorite). In
fact, the results are quite different to what one might have expected,
with Avast, ClamAV and VirusBuster (?) doing so well and Norman,
F-Prot, eSafe/eTrust and Kaspersky doing so badly.

It's also interesting to see F-Secure doing so much better than
Kaspersky and F-Prot, who are the two main engines it uses.

So this favors the "use multiple scanners" approach, as opposed to
"spend money on one good scanner" - except that the nature of this
threat really requires on-access protection, whereas "use multiple
scanners" is best done as one resident av backed by multiple on-demand
scanners (one of which would be the free BitDefender).

So far, defenses and resources have included:

1) An unofficial patch

This is code that injects into the at-risk process, to capture
attempts to access the defective code. One wonders if this will crash
into resident av products that try the same approach?

2) Un-registering a relevant .DLL

3) Deleting or renaming away a relevant .DLL

This is complicated by Windows File Protection in XP and WinME, though
the latter can be managed as per...

http://cquirke.mvps.org/9x/sr-sfp.htm

It certainly seems the best approach for Win95/98, for which no patch
is expected to be forthcoming from MS.

4) Testing the system to see if it is vulnerable

The vulnerability scanner is from the smae folks who came up with the
unofficial patch; sorry no URL to hand.

5) Killing the file association for .WMF files

This should work, but doesn't, because the OS is badly (unsafely)
designed to interpret WMF content as WMF even when it is found in
files that should not contain it, i.e. have file name extensions that
imply the file is some other type.

This applies not only where it might be inevitable, such as embedded
material within a Word document, but in stand-alone .JPG etc. as well.
This management also does not address risks from "services" that grope
material in the background, such as the indexing service.

There are two big "thou shalt not" lessons in there, but I fear MS
won't learn from them, and will continue creating even greater risks
from underfootware file groping and dangerous management of material
that is mis-represented at the file name extension level.

6) Using XP SP2 DEP with DEP-capable processor

This can often catch this sort of raw code exploit, if it blocks the
code on the basis that it is within what is supposed to be data.
Whether it will always block every possible exploit of this defect is
another matter; maybe, maybe not.

7) In av we trust

Well, eventually the av may catch this stuff reliably, and then it
becomes a matter of whether all possible material routes are
intercepted by the resident av. Could bring "email scanning" back
into fashion, for example, if material embedded within an email
"message" doesn't go through an opportunity to trigger a scan when the
graphic is created as a temp file.

8) Fiddling with user account permissions

May help a bit, but not even MS is claiming it's a reliable,
bullet-proof fix. It's down there with "don't browse dodgy sites" and
"don't open email from someone you don't know".

Well, no; it's far more rational and useful than "don't open email
from someone you don't know" - that really is a pretty useless
approach, given that malware usually arrives from someone you know **,
and by the time the embedded images are displayed in the (pre-)view,
you are sunk. Viewing email as plain text would be a better fix.

** Specifically, a PC that has your address stored on it


---------- ----- ---- --- -- - - - -
Click to expand...
Don't pay malware vendors - boycott Sony
 
cquirke said:
Well, those who believe in throwing money at one "good" av product may
be in a YMMV situation, as Kaspersky (the usual fundi's favorite)
detects only one more malware than AVG (the freebie favorite). In
fact, the results are quite different to what one might have expected,
with Avast, ClamAV and VirusBuster (?) doing so well and Norman,
F-Prot, eSafe/eTrust and Kaspersky doing so badly.

It's also interesting to see F-Secure doing so much better than
Kaspersky and F-Prot, who are the two main engines it uses.

So this favors the "use multiple scanners" approach, as opposed to
"spend money on one good scanner" - except that the nature of this
threat really requires on-access protection, whereas "use multiple
scanners" is best done as one resident av backed by multiple on-demand
scanners (one of which would be the free BitDefender).

So far, defenses and resources have included:

1) An unofficial patch

This is code that injects into the at-risk process, to capture
attempts to access the defective code. One wonders if this will crash
into resident av products that try the same approach?

2) Un-registering a relevant .DLL

3) Deleting or renaming away a relevant .DLL

This is complicated by Windows File Protection in XP and WinME, though
the latter can be managed as per...

http://cquirke.mvps.org/9x/sr-sfp.htm

It certainly seems the best approach for Win95/98, for which no patch
is expected to be forthcoming from MS.

4) Testing the system to see if it is vulnerable

The vulnerability scanner is from the smae folks who came up with the
unofficial patch; sorry no URL to hand.

5) Killing the file association for .WMF files

This should work, but doesn't, because the OS is badly (unsafely)
designed to interpret WMF content as WMF even when it is found in
files that should not contain it, i.e. have file name extensions that
imply the file is some other type.

This applies not only where it might be inevitable, such as embedded
material within a Word document, but in stand-alone .JPG etc. as well.
This management also does not address risks from "services" that grope
material in the background, such as the indexing service.

There are two big "thou shalt not" lessons in there, but I fear MS
won't learn from them, and will continue creating even greater risks
from underfootware file groping and dangerous management of material
that is mis-represented at the file name extension level.

6) Using XP SP2 DEP with DEP-capable processor

This can often catch this sort of raw code exploit, if it blocks the
code on the basis that it is within what is supposed to be data.
Whether it will always block every possible exploit of this defect is
another matter; maybe, maybe not.

7) In av we trust

Well, eventually the av may catch this stuff reliably, and then it
becomes a matter of whether all possible material routes are
intercepted by the resident av. Could bring "email scanning" back
into fashion, for example, if material embedded within an email
"message" doesn't go through an opportunity to trigger a scan when the
graphic is created as a temp file.

8) Fiddling with user account permissions

May help a bit, but not even MS is claiming it's a reliable,
bullet-proof fix. It's down there with "don't browse dodgy sites" and
"don't open email from someone you don't know".

Well, no; it's far more rational and useful than "don't open email
from someone you don't know" - that really is a pretty useless
approach, given that malware usually arrives from someone you know **,
and by the time the embedded images are displayed in the (pre-)view,
you are sunk. Viewing email as plain text would be a better fix.

** Specifically, a PC that has your address stored on it



Don't pay malware vendors - boycott Sony
Click to expand...

I like your post, but one small, but highly revevant item remains, their are
many
more threats out their than the wmf exploit so one should not choose their
av
software solely on this one item.
 
cquirke (MVP Windows shell/user) wrote:
Click to expand...
I like your post, but one small, but highly revevant item remains, their are
many more threats out their than the wmf exploit so one should not
choose their av software solely on this one item.
Click to expand...

Sure - in fact, the av shoudln't be the primary defense in such cases,
it's merely the goalie of last resort. On Win9x, I'd kill off the
relevant code engine; on XP SP2 I might use DEP as my primary
blockage, and behind these I'd use the two approved fixes, being
unregistering a .DLL and running the 3rd-party patch.

If the OS wasn't so badly designed, killing the .WMF association would
be all you'd have to do.


---------- ----- ---- --- -- - - - -
Click to expand...
Don't pay malware vendors - boycott Sony
 
From: "cquirke (MVP Windows shell/user)" <[email protected]>

| On Mon, 2 Jan 2006 08:36:48 -0500, "MAP"|
| Sure - in fact, the av shoudln't be the primary defense in such cases,
| it's merely the goalie of last resort. On Win9x, I'd kill off the
| relevant code engine; on XP SP2 I might use DEP as my primary
| blockage, and behind these I'd use the two approved fixes, being
| unregistering a .DLL and running the 3rd-party patch.
|
| If the OS wasn't so badly designed, killing the .WMF association would
| be all you'd have to do.
|

It has been stated by Robear Dyerm, quoting Microsoft, that DEP has no effectiveness with
the Exploit-WMF.
 
David H. Lipman said:
From: "Jack" <[email protected]>

|
| Thanks for your response. I use AVG with most recent def update and
| a-squared updated with detection
| for the WMF exploit, scans of both for my entire system show no
infection. I
| think the initial core malware file was not entirely downloaded and
cleaning
| the cache and the quick disconnect saved me :)
|

It has been determined that a variant of the Exploit-WMF is causing the
installation of a
variant of the Backdoor.Haxdoor Trojan which uses RootKit technology.

Download HiJack This! (HJT).
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT Log file and Copy the section (an ONLY that section) that is
labeled "O23 -
Service:" and paste all the lines starting "O23 - Service:" in your reply.
Click to expand...

Thanks for this. I already had hijackthis installed and no new NT services
show up, I also downloaded sysinternals rootkit revealer and it showed no
discrepancies. Thanks all.
 
On Mon, 2 Jan 2006 13:11:34 -0500, "David H. Lipman"
It has been stated by Robear Dyerm, quoting Microsoft, that DEP has no
effectiveness with the Exploit-WMF.
Click to expand...

That's at variance with what I'd heard, which implied that software
DEP should not be expected to be effective. URL?


---------- ----- ---- --- -- - - - -
Click to expand...
Don't pay malware vendors - boycott Sony
 
From: "cquirke (MVP Windows shell/user)" <[email protected]>

| On Mon, 2 Jan 2006 13:11:34 -0500, "David H. Lipman"
||
| That's at variance with what I'd heard, which implied that software
| DEP should not be expected to be effective. URL?
|
http://www.microsoft.com/technet/security/advisory/912840.mspx

Choose "Frequently Asked Questions"

Q: I have DEP enabled on my system, does this help mitigate the vulnerability?

A: Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may
work when enabled: please consult with your hardware manufacturer for more information on
how to enable this and whether it can provide mitigation.
 
From: "cquirke (MVP Windows shell/user)" <[email protected]>
| On Mon, 2 Jan 2006 13:11:34 -0500, "David H. Lipman"
Click to expand...
| That's at variance with what I'd heard, which implied that software
| DEP should not be expected to be effective. URL?

Q: I have DEP enabled on my system, does this help mitigate the vulnerability?

A: Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may
work when enabled: please consult with your hardware manufacturer for more information on
how to enable this and whether it can provide mitigation.
Click to expand...

That's what I thought; hardware DEP is required to be any use, and if
that is present, it's expected to block at least the current crop of
attacks. What isn't clear is whether all possible methods of
exploiting the defect will always be blocked by hardware DEP.


-------------------- ----- ---- --- -- - - - -
Click to expand...
Tip Of The Day:
To disable the 'Tip of the Day' feature...
 
Ilfak's hotfix for the WMF vulnerability can be downloaded from any
the following URLs:

http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=496
http://csc.sunbelt-software.com/wmf/wmffix_hexblog14.exe
http://www.antisource.com/download/wmffix_hexblog14.exe
http://hexblog.axmo12.de/wmffix_hexblog14.exe
http://www.dsinet.org/files/wmffix_hexblog14.exe
http://lab.nsl.it/wmffix_hexblog14.exe

The MD5 checksum of the file is 15f0a36ea33f39c1bcf5a98e51d4f4f6.

MSI repackages can be downloaded here:

http://accentconsulting.com/wmf.shtml
by Brian Higgins (MD5: a5108c0fa866101d79bb8006617641ee)

http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi
by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)

http://hexblog.axmo12.de/WMFHotfix-1.1.14.msi
by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)

The WMF vulnerability checker can be downloaded from the following
URLs:

http://www.grc.com/miscfiles/wmf_checker_hexblog.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=495
http://csc.sunbelt-software.com/wmf/wmf_checker_hexblog.exe
http://www.antisource.com/download/wmf_checker_hexblog.exe
http://hexblog.axmo12.de/wmf_checker_hexblog.exe

The MD5 checksum of the file is ba65e1954070074ea634308f2bab0f6a.

Note that the fix is not applicable to Win 9X/ME

Art

http://home.epix.net/~artnpeg
 
Back
Top