NEW virus - Alert from F-Secure


Heather

I believe this must be the one that hit a friend of mine in the US on
Wednesday. He is a programmer and says he has not been able to get rid of
it...I see nothing about it on here. But it was in our Toronto Star this
morning.......Heather

------------------

PRESS RELEASE

For release December 30, 2005

Zero-day vulnerability in Windows still unpatched

Hundreds of millions of PCs still at risk; F-Secure able to stop the
malicious files

December 30, 2005

The zero-day vulnerability related to Windows' WMF files first reported on
December 27 is still unpatched by Microsoft. At that time Trojan downloaders
were seen to actively exploit the vulnerability with fully patched Windows XP
SP2 machines.

Windows metafiles are image files used by popular applications such as
Microsoft Word. So far WMF exploits have been typically used to install
spyware and adware although the threat of virus and worm exploits remains.

Users can be infected simply by visiting a web site with an image file
containing the WMF exploit. Internet Explorer users are at the greatest risk
of automatic infection while Firefox and Opera browser users are prompted
with a question whether they'd like to open the WMF image or not. They get
infected too if they answer 'Yes'.

Microsoft and CERT.ORG issued bulletins on the Windows Metafile vulnerability
and also announced a workaround while Microsoft is creating a patch.
Microsoft confirms that the vulnerability applies to all the main versions
of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003. This means
there are hundreds of millions of vulnerable computers at the moment.

As a precaution, F-Secure recommends administrators to block access to all
WMF files at HTTP proxy and SMTP level. Consumers are also advised to enable
their Windows automatic update system, reject any emails sent to them with
WMF or other dubious-looking attachments and to ensure that their virus
protection is up to date.

F-Secure Anti-Virus detects the offending WMF files with generic detection
either as PFV-Exploit or Exploit.Win32.IMG-WMF.

Speaking about the case, Chief Research Officer at F-Secure, Mikko Hypponen
said: "So far, we've only seen this exploit being used to install spyware or
fake antispyware and antivirus software on the affected machines. I'm afraid
we'll see real viruses using this soon. We've seen 70 different versions of
malicious WMF files so far."

Hypponen pointed out that the WMF exploit has been used with a clear criminal
motivation to install spyware and to dupe ordinary consumers into purchasing
fake security products for their computers.

Until a patch is issued, Hypponen recommended administrators to filter the
following domains at corporate firewalls:

toolbarbiz[dot]biz
toolbarsite[dot]biz
toolbartraff[dot]biz
toolbarurl[dot]biz
buytoolbar[dot]biz
buytraff[dot]biz
iframebiz[dot]biz
iframecash[dot]biz
iframesite[dot]biz
iframetraff[dot]biz
iframeurl[dot]biz
freecat[dot]biz

For updates on the WMF vulnerability, please check the F-Secure Viruslab
blog, which broke the news on 28th of December:
http://www.f-secure.com/weblog/
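As an added example (not from the press release or from any poster in this thread), the Python below models the two administrative controls the release recommends: blocking WMF files at the HTTP proxy or mail gateway, and filtering the listed domains at the firewall. It identifies a WMF by its file header rather than its extension, so a metafile served under another name is still caught, and it matches the blocklist by domain suffix so subdomains are covered while look-alike names are not. The hostnames, paths and byte strings in the sample transfers are constructed for illustration; the domain list is the one from the press release, kept in its defanged "[dot]" form.

```python
"""Proxy-side checks modelled on the F-Secure advice: added example, not
code from the press release or the thread. Sample transfers are constructed."""
import struct

# Domains named in the press release, kept defanged exactly as posted.
DEFANGED_DOMAINS = """
toolbarbiz[dot]biz  toolbarsite[dot]biz  toolbartraff[dot]biz  toolbarurl[dot]biz
buytoolbar[dot]biz  buytraff[dot]biz     iframebiz[dot]biz     iframecash[dot]biz
iframesite[dot]biz  iframetraff[dot]biz  iframeurl[dot]biz     freecat[dot]biz
"""


def refang(name: str) -> str:
    """Turn 'foo[dot]biz' back into 'foo.biz' for matching."""
    return name.strip().lower().replace("[dot]", ".")


BLOCKED_DOMAINS = frozenset(refang(n) for n in DEFANGED_DOMAINS.split())


def host_is_blocked(host: str) -> bool:
    """True for a listed domain or any subdomain of it, not for look-alike prefixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


PLACEABLE_WMF_MAGIC = b"\x9a\xc6\xcd\xd7"  # 0x9AC6CDD7 stored little-endian


def looks_like_wmf(data: bytes) -> bool:
    """Identify a Windows Metafile by its header, whatever the file extension.

    Two layouts exist: the placeable (Aldus) header opens with a 4-byte magic;
    a bare METAHEADER has mtType 1 (memory) or 2 (disk), mtHeaderSize 9
    (counted in words) and mtVersion 0x0100 or 0x0300.
    """
    if data[:4] == PLACEABLE_WMF_MAGIC:
        return True
    if len(data) < 18:  # METAHEADER is 18 bytes
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def check_transfer(host: str, path: str, body: bytes) -> list:
    """Return the reasons a transfer would be blocked under the release's advice."""
    reasons = []
    if host_is_blocked(host):
        reasons.append("domain on blocklist")
    if path.lower().endswith(".wmf"):
        reasons.append("wmf extension")
    if looks_like_wmf(body):
        reasons.append("wmf content")
    return reasons


# Constructed sample transfers (not real captures): a benign JPEG, a placeable
# WMF served under a .jpg name, a bare-header WMF under .gif, and a look-alike
# host serving a .wmf URL whose body is not actually a metafile.
JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 14
PLACEABLE_WMF = (PLACEABLE_WMF_MAGIC + b"\x00" * 18
                 + b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12)
BARE_WMF = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12
SAMPLE_TRANSFERS = [
    ("www.example.com", "/photo.jpg", JPEG_HEAD),
    ("www.iframecash.biz", "/logo.jpg", PLACEABLE_WMF),
    ("cdn.example.org", "/pic.gif", BARE_WMF),
    ("notiframecash.biz", "/x.wmf", JPEG_HEAD),
]


def scan(transfers=SAMPLE_TRANSFERS) -> dict:
    """Map each sample URL to its block reasons (an empty list means allowed)."""
    return {f"{h}{p}": check_transfer(h, p, b) for h, p, b in transfers}


if __name__ == "__main__":
    for url, reasons in scan().items():
        verdict = "ALLOW" if not reasons else "BLOCK: " + ", ".join(reasons)
        print(f"{url:40} {verdict}")
```

Run it directly to print a verdict per sample transfer. The header check covers both the placeable WMF header and the bare METAHEADER, which is why the metafile served as `logo.jpg` is still flagged; a real gateway would also need to decompress or de-chunk response bodies before inspecting them.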
 

Frankster

This has been posted in other newsgroups. Trend Micro has a pattern out for
it now (3.137.00). I'm sure other AV vendors will soon, or may already.
Just FYI...

-Frank

Heather said:
I believe this must be the one that hit a friend of mine in the US on
Wednesday. He is a programmer and says he has not been able to get rid of
it...I see nothing about it on here. But it was in our Toronto Star this
morning.......Heather

 

Heather

Thanks, Frank. I saw it just now on the MS ng. Strange that F-Secure was
so long in not notifying the Press. No fix for it??

Cheers....Heather
 

Jeffrey A. Setaro

Thanks, Frank. I saw it just now on the MS ng. Strange that F-Secure was
so long in not notifying the Press. No fix for it??

F-Secure has had detection for this exploit since around 0830 GMT on
28 December.

There is no patch yet; the only partial workaround is to un-register
the Windows Picture and Fax Viewer (Shimgvw.dll).

To do that click Start, click Run, type:

"regsvr32 -u %windir%\system32\shimgvw.dll"

(without the quotation marks), and then click OK.

Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 

Heather

Thanks, Jeff. I will send this to my friend in Virginia. He got it on the
evening of the 27th .....and it has to be this one. He is a programmer and
has been up till the wee hours trying to get rid of this.

Cheers....Heather
 

Virus Guy

Trojan downloaders were seen to actively exploit the
vulnerability with fully patched Windows XP SP2 machines.

Microsoft's confirms that the vulnerability applies to all the
main versions of Windows: Windows ME, Windows 2000, Windows XP
and Windows 2003.

Is Windows 98 vulnerable to this exploit - or is Microsoft doing the
usual thing and simply not mentioning Win98 in this context.
 

Hoosier Daddy

Virus Guy said:
Is Windows 98 vulnerable to this exploit - or is Microsoft doing the
usual thing and simply not mentioning Win98 in this context.

The exploit(s) are probably coded for the more recent OSes. The vulnerability
exists in the dll mentioned whatever the Windows version. My 98 has no such
dll file, but that might have more to do with my not having an optical 'scanner'
or FAX machine to require the OS to support.
 

Offbreed

Virus said:
Again, a default, plain out-of-the-box installation of Win-98 is not
vulnerable to this exploit, proving yet again that Win-98 is the best
OS that Micro$lack has ever released from the standpoint of
capability, performance, simplicity, and internet security.

It *eventually* became that.

About 6 months before MS retired it.
 

Virus Guy

Hoosier said:
The vulnerability exists in the dll mentioned whatever the
Windows version. My 98 has no such dll file, but that might
have more to do with my not having an optical 'scanner' or
FAX machine to require the OS to support.

I take it that the dll in question is shimgvw.dll.

I also do not have it on my system, including a massive directory
where I keep legacy DLL's that I've collected over the years.

A Google search for shimgvw.dll turns up this nugget:

http://support.microsoft.com/?kbid=272969

Where Macro$haft is crooning over shimgvw.dll as it first appears in
Windows ME:

"In Microsoft Windows Millennium Edition (Me), you can view multiple
file formats (for example, files with .bmp, .dib, .emf, .gif, .jpeg,
.png, .tif or .wmf extensions) with Image Preview, a new shell feature
in Windows Me."

I did a search for any wmf files on my system and found almost 10,000
of them - practically all of them in various office clipart
directories.

I clicked on one of them, and a program called "ACDSee" opened and
displayed the picture. Unless this software is somehow part of Office
2000 pro (or maybe part of MSDN) then I must have installed it at some
point.

Anyhow, it seems that shimgvw.dll is the real problem here, and it
appears that shimgvw.dll is normally installed on Windows ME and
above.

Again, a default, plain out-of-the-box installation of Win-98 is not
vulnerable to this exploit, proving yet again that Win-98 is the best
OS that Micro$lack has ever released from the standpoint of
capability, performance, simplicity, and internet security.
 

»Q«

The exploit(s) are probably coded for the more recent OSes. The
vulnerability exists in the dll mentioned whatever the Windows
version. My 98 has no such dll file, but that might have more to
do with my not having an optical 'scanner' or FAX machine to
require the OS to support.

I've seen several reports (besides yours) that 98 and 98se don't have
the exploitable dll.
 

Clay

According to:
http://www.microsoft.com/technet/security/advisory/912840.mspx

Win 98 and 98 SE are referenced. Expand the "overview" section and
you'll see.

I clicked on one of them, and a program called "ACDSee" opened and
displayed the picture. Unless this software is somehow part of Office
2000 pro (or maybe part of MSDN) then I must have installed it at some
point.

Strange that you would not recall installing a popular image viewer
such as that (and then ponder that it might be part of Office 2000).
Not very "safe hex" like.

Anyhow, it seems that shimgvw.dll is the real problem here, and it
appears that shimgvw.dll is normally installed on Windows ME and
above.

Again, a default, plain out-of-the-box installation of Win-98 is not
vulnerable to this exploit, proving yet again that Win-98 is the best
OS that Micro$lack has ever released from the standpoint of
capability, performance, simplicity, and internet security.

Hmmm... I think a "default, plain out-of-the-box installation of
Win-98" is not very secure in and of itself. To each his own.

Oh BTW, call 1-866-727-2338 for free virus and security related
support from Microsoft. Available 24 hours a day for the US and
Canada. Really.

Happy New Year!
 

Virus Guy

Offbreed said:
It *eventually* became that.

About 6 months before MS retired it.

Wrong.

I've had this argument here before, and when you look back at all
updates and patches for Win-98, none have been for underlying problems
with the OS that allowed intrusion or control of the computer.

Sure, there have been plenty of updates for OE, but again none for the
OS itself - or more importantly for the OS ->AS INSTALLED BY
DEFAULT<-. This includes default shares, open ports, DCOM, etc. The
same can't be said for W2K or XP.

A default, original installation of Win-98 is NOT VULNERABLE to
intrusion or access through the internet by simply connecting it to
the internet. In this case, a default installation of Win-98 is not
even vulnerable to the problem related to Windows WMF files.

And no, the Microsoft security advisory:

http://www.microsoft.com/technet/security/advisory/912840.mspx

Does ->not<- discuss Win-98 (even though it claims to do so).
 

Virus Guy

Clay said:
According to:
http://www.microsoft.com/technet/security/advisory/912840.mspx

Win 98 and 98 SE are referenced. Expand the "overview" section
and you'll see.

Yes, let's see:

-----------
General Information
Overview

This advisory discusses the following software.
Related Software
Microsoft Windows 98
Microsoft Windows 98 Second Edition (SE)
and Microsoft Windows Millennium Edition (ME)
------------

The inclusion of Win-98 in the above list is nothing but a lie. If
you expand all the sections of that advisory (FAQ, Suggested actions)
you will ->NOT<- find any reference to Windows 98.

Again, Macro$haft wants you to think that Win-98 is affected, so they
mention it in the advisory, and most users will read no further. The
absence of Win-98 in that advisory might be construed as an indication
that Win-98 is a more robust, hardened, or well-designed OS than the
crap they've been putting out in the past 5 years.

Strange that you would not recall installing a popular image
viewer such as that (and then ponder that it might be part
of Office 2000). Not very "safe hex" like.

Why strange? You can recall every piece of software you've ever
installed on your computer over the past 5-10 years, even if it was
just to perform one operation on a single file and then never use the
software again?

Why unsafe? Just because I don't remember installing a piece of
software doesn't mean it came from an un-safe or untrustworthy
source. And numerous scans by various AV software have never shown it
to be mal-ware.

Hmmm... I think a "default, plain out-of-the-box installation
of Win-98" is not very secure in and of itself. To each his
own.

Wrong.

I've had this argument here before, and when you look back at all
updates and patches for Win-98, none have been for underlying
problems with the OS that allowed intrusion or control of the
computer.

Sure, there have been plenty of updates for IE, but again none for
the OS itself - or more importantly for the OS ->AS INSTALLED BY
DEFAULT<-. This includes default shares, open ports, DCOM, etc.
The same can't be said for W2K or XP.

A default, original installation of Win-98 is NOT VULNERABLE to
intrusion or access through the internet by simply connecting it
to the internet. In this case, a default installation of Win-98
is not even vulnerable to the problem related to Windows WMF
files.
 

me

According to:
http://www.microsoft.com/technet/security/advisory/912840.mspx

Win 98 and 98 SE are referenced. Expand the "overview"
section and you'll see.


Strange that you would not recall installing a popular
image viewer such as that (and then ponder that it might be
part of Office 2000). Not very "safe hex" like.


Hmmm... I think a "default, plain out-of-the-box
installation of Win-98" is not very secure in and of
itself. To each his own.

Oh BTW, call 1-866-727-2338 for free virus and security
related support from Microsoft. Available 24 hours a day
for the US and Canada. Really.

Happy New Year!

Hmm,

W98SE (ver "A") does not have shimgvw.dll.
It's a "hand-me-down" box (I don't know its full history) but
the orig. owner was an AOLer, unlikely to be removing .DLLs.

J
 

me

A default, original installation of Win-98 is NOT
VULNERABLE to intrusion or access through the internet by
simply connecting it to the internet. In this case, a
default installation of Win-98 is not even vulnerable to
the problem related to Windows WMF files.

And no, the Microsoft security advisory:

http://www.microsoft.com/technet/security/advisory/912840.mspx

Does ->not<- discuss Win-98 (even though it claims to do
so).

WAG: M$ lists W98 either by mistake or as a CYA.

J
 

Virus Guy

»Q« said:
Heh, OTOH at least one major vendor says 98 systems are
vulnerable.

http://www.symantec.com/avcenter/venc/data/bloodhound.exploit.56.html

Symantec itself (in the above link) DOES NOT IDENTIFY any affected
OS's by name.

If you look at the above page, they reference this link:

http://www.securityfocus.com/bid/16074

In that one, a laundry list of MS OS's is given. That is the "Info"
tab related to this issue.

Click on the "Exploit" tab. There you will find this link:

http://www.securityfocus.com/data/vulnerabilities/exploits/ie_xp_pfv_metafile.pm

Open that one. You will find these comments:

Windows XP/2003 Picture and Fax Viewer Metafile Overflow
This module exploits a vulnerability in the Windows Picture
and Fax Viewer found in Windows XP and 2003.

Open the "References" tab, and select this link:

http://www.kb.cert.org/vuls/id/181038

There, you will read this:

"Disabling or remapping Windows Metafile files to open a
program other than the default Windows Picture and Fax
Viewer may prevent exploitation via some attack vectors.
Microsoft has suggested taking the following steps to
disable shimgvw.dll in Microsoft Security Advisory
(912840)"

Again, the image rendering engine shimgvw.dll is fingered as the
problem. That DLL is not present in the default installation of
Win-98, nor is it present in "mature" installations of Win-98.

What this issue illustrates is that Micro$haft wants to force adoption
of its own standards (in this case, its WMF) and apparently 20,000
software programmers that work for Macro$lack are unable to code a
piece of software without checking variable sizes and looking for
overflow conditions. Very sloppy, and very typical of MS as it puts
product functionality ahead of security.

How many people needed this context-rendering of WMF files?

How many people are currently being infected with this exploit -
turning their computers into zombies and becoming part of someone's
bot-net? Key loggers getting installed, becoming spam relays, etc.

When historians look back on the years 2003-2006, they will conclude
that XP was a nightmare for the internet. Except some of us knew it
while it was happening.
 

Clay

Clay wrote:

Yes, let's see:

-----------
General Information
Overview

This advisory discusses the following software.
Related Software
Microsoft Windows 98
Microsoft Windows 98 Second Edition (SE)
and Microsoft Windows Millennium Edition (ME)
------------

The inclusion of Win-98 in the above list is nothing but a lie. If
you expand all the sections of that advisory (FAQ, Suggested actions)
you will ->NOT<- find any reference to Windows 98.

I merely pointed out that Win98 was referenced in the advisory. I
don't pretend to fully understand the vulnerability or the OS's
affected.

Again, Macro$haft wants you to think that Win-98 is affected, so they
mention it in the advisory, and most users will read no further. The
absence of Win-98 in that advisory might be construed as an indication
that Win-98 is a more robust, hardened, or well-designed OS than the
crap they've been putting out in the past 5 years.

Interesting conclusion.

Why strange? You can recall every piece of software you've ever
installed on your computer over the past 5-10 years, even if it was
just to perform one operation on a single file and then never use the
software again?

Strange because you've got an image viewer installed with file
associations and don't realize it and then proceed to open graphics
files by association rather than from the graphics program file menu.
And, yes I do recall every piece of software I've installed... ever.

Why unsafe? Just because I don't remember installing a piece of
software doesn't mean it came from an un-safe or untrustworthy
source. And numerous scans by various AV software have never shown it
to be mal-ware.

So you feel safe. Awesome!

I'm no Win 98 security expert and no offense intended, but you don't
seem to be an expert either.

I've had this argument here before, and when you look back at all
updates and patches for Win-98, none have been for underlying
problems with the OS that allowed intrusion or control of the
computer.

It's not so clear to me but again, I'm not an expert so I rely on safe
hex practices and common sense to try and stay relatively "safe".

Sure, there have been plenty of updates for IE, but again none for
the OS itself - or more importantly for the OS ->AS INSTALLED BY
DEFAULT<-. This includes default shares, open ports, DCOM, etc.
The same can't be said for W2K or XP.

Hmmm... I thought IE was integrated into the OS in Win 98. I never
liked that.

A default, original installation of Win-98 is NOT VULNERABLE to
intrusion or access through the internet by simply connecting it
to the internet. In this case, a default installation of Win-98
is not even vulnerable to the problem related to Windows WMF
files.

You may be right. I don't know, I'll wait for the expert commentary
rather than take a stand.
 

Offbreed

Virus said:
I've had this argument here before, and when you look back at all
updates and patches for Win-98, none have been for underlying
problems with the OS that allowed intrusion or control of the
computer.

Unfortunately, the default installation includes Internet Explorer and
Outlook express. So, even though the OS (or kernel) might be secure, the
default installation was not.
 

Virus Guy

Clay said:
I merely pointed out that Win98 was referenced in the advisory.

Fine - yes, it was "mentioned" in the advisory.

I'm just further pointing out how deceptive it was for MS to say that
Win-98 is "discussed" in the advisory when in fact it isn't at all.

Interesting conclusion.

There have been many such advisories put out by MS over the past
couple of years, and many of them are similarly cryptic when it comes
to describing exactly how, or even if, Win-98 is vulnerable to the
exploit. And it's not because Win-98 is a legacy product - because
some advisories are very detailed about NT3.x and NT4 (which pre-date
98).

MS recognizes that 98 is still used in some parts of the world where
"adoption" of their "more advanced" OS's hasn't yet happened (or so
that is their reasoning why they extended critical update support for
98 until some point in 2006 instead of being terminated a little while
ago).

Given that extension of critical support, again I can think of no
reason why 98 is cryptically mentioned in many advisories if other
than to foster a wide (if false) belief that 98 is equally vulnerable
to these many exploits that have been discovered for W2K, XP and 2003.

Can you explain why MS would include the phrase "Windows 98 is
discussed in this advisory" and then say nothing more about it
anywhere in the advisory?

I'm no Win 98 security expert and no offense intended, but
you don't seem to be an expert either.

Since I deal quite a bit with the technical aspects of W2k and XP
where I work, I've decided to stay with W-98 for most of the desktop
machines at my office as well as at home, at my relatives where I set
up their computers, etc. I think I've done enough leg-work, reading,
etc, to know how OS's like NT/2K/XP are really designed for large
corporate customers and the use of those OS's for home or small
business situations is just plain wrong (but it's exactly what MS
wanted, security and vulnerabilities be damned).

It's not so clear to me but again, I'm not an expert so I rely
on safe hex practices

This is not about safe hex or how you use the computer. This is about
stuff that is inherent in how the OS operates. Safe Hex will not help
you in MANY exploits discovered for XP. This new one is just another
example.

It's absurd to tell people not to surf web-sites they don't trust.
How does someone know in advance if a web page has an exploit, or a
web server has been hacked, or even a DNS server has been poisoned?

If you want to extend this issue and morph it into a safe-hex issue,
then the only coherent answer is to not do any web surfing at all!
Delete your browser from your computer. That leaves you with e-mail,
and news reading (both of which are an order of magnitude safer than
web-surfing given the complexity of web browsers and the pages they
experience these days). We're a long way from simple hyper-text which
was how web pages got started.

You may be right. I don't know, I'll wait for the expert
commentary rather than take a stand.

You won't hear any such "expert" commentary about W-98 any more.
Commercial web-rags or computer magazines have long since stopped
printing articles or editorials about W-98. Their staff "experts"
were probably in high school when 98 came out. You simply won't find
any non-partisan professional commentary about the relative immunity
of W98 to modern exploits in this day and age, even though 10 to 25%
of computers connected to the internet world-wide today are probably
running Win-98.
 
