No subject

Max Kipness max at KIPNESS.COM
Tue Jan 3 15:58:19 GMT 2006



I've been getting reports of this new vulnerability that is out now that
seems pretty hard to prevent. Has anybody dealt with this virus as of yet?
Any tips? I'm thinking about blocking all images for the time being.

Here is the info I've received:

A new vulnerability has surfaced for which, at this moment in time, there is
no fix. It relates to how Windows renders WMF (Windows Meta Files) and it is
a new threat in that for the first time you don't have to click anything
to be hit: simply viewing an image that takes advantage of the
vulnerability can execute commands on your PC, such as installing
spyware/virus code.

The vulnerability is in a core Windows rendering component, shimgvw.dll
which is called to render WMF images from any application so you can be
hit whether viewing a web page, previewing an email etc.

More information can be found at

-        http://www.microsoft.com/technet/security/advisory/912840.mspx
-        http://www.kb.cert.org/vuls/id/181038

At this time the only workaround is to disable the problem component:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

 1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
 (without the quotation marks), and then click OK.

 2. A dialog box appears to confirm that the un-registration process has
succeeded.
 Click OK to close the dialog box.

 Impact of Workaround: The Windows Picture and Fax Viewer will no longer
be started
 when users click on a link to an image type that is associated with the
Windows Picture and Fax Viewer.

 To undo this change, re-register Shimgvw.dll by following the above steps.
 Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks).

Just blocking WMF files will not work, as the other image types could
also be used.

I will keep you informed of any updates, but for now you should visit only
"trusted" web sites, as the number of sites now using this vulnerability is
growing. Also, since we use Outlook 2003 it does not download images
automatically, so for now ensure "do not download" is configured (Tools >
Options > Security > Change Automatic Download Settings...).


Just wanted to make everyone aware the vulnerability has now been updated
to bypass most anti-virus programs. It is thought MS may not release a fix
for another week, so if you did not follow the instructions to
unregister shimgvw.dll you should do so now. Another option is the
"unofficial" fix at http://www.hexblog.com/2005/12/wmf_vuln.html, which
has been tested by several 3rd party vendors and validated for use until
an official Microsoft fix is released. Once installed you need to reboot
the computer.

This vulnerability has already seen many types of attack, for
example:

"The emails have a Subject: "Happy New Year", body: "picture of 2006" and
contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5:
DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.
When the HappyNewYear.jpg hits the hard drive and is accessed (file
opened, folder viewed, file indexed by Google Desktop), it executes and
downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt)
from www[dot]ritztours.com. Admins, filter this domain at your firewalls"

Thanks,
Max
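The post makes two points a mail gateway operator needs to act on: the exploit file is recognised by its content, not its extension (the "HappyNewYear.jpg" attachment is really a WMF), so filtering on .wmf alone is useless; and the dangerous part is a specific record inside the file. The example below is added here and is not from the post, from MailScanner or from any of the vendors it cites. It assumes the publicly documented mechanism of this bug (not described in the post): a META_ESCAPE record (function code 0x0626) carrying the SETABORTPROC escape (0x0009), which the vulnerable GDI code executes as an abort procedure. It sniffs WMF headers (placeable and standard) by content, walks the record table, and flags any SETABORTPROC escape. The sample files are constructed inline; nothing here reads real attachments unless you call scan_wmf() on them yourself.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # placeable WMF magic, bytes D7 CD C6 9A on disk
META_ESCAPE = 0x0626         # record function for GDI Escape()
META_EOF = 0x0000
SETABORTPROC = 0x0009        # escape number abused by the WMF exploit


def wmf_payload(data: bytes):
    """Return the offset of the standard META_HEADER if `data` is a WMF by
    content, else None. The file name or extension is deliberately ignored."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return 22                        # 22-byte placeable header comes first
    if len(data) >= 18:
        mtype, hdr_words = struct.unpack_from("<HH", data, 0)
        if mtype in (1, 2) and hdr_words == 9:
            return 0                     # memory (1) or disk (2) metafile
    return None


def iter_records(data: bytes, start: int):
    """Yield (offset, function, params) for each record until META_EOF,
    a malformed size, or end of data."""
    off = start + 18                     # skip the 18-byte META_HEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6:                     # cannot even hold its own header
            return
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def scan_wmf(data: bytes):
    """Return a list of findings for SETABORTPROC escapes. Empty list means
    either not a WMF or no such record; callers should treat only a non-empty
    result as a reason to quarantine."""
    start = wmf_payload(data)
    if start is None:
        return []
    findings = []
    for off, func, params in iter_records(data, start):
        # Exploit variants varied the high byte of the function code; matching
        # only the low byte (0x26) is a deliberate superset of exact 0x0626.
        if func & 0xFF == 0x26 and len(params) >= 2:
            escape = struct.unpack_from("<H", params, 0)[0]
            if escape == SETABORTPROC:
                findings.append(
                    f"META_ESCAPE/SETABORTPROC at offset {off} (function 0x{func:04x})")
    return findings


# --- constructed sample files (not real malware) -------------------------

def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records) -> bytes:
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    return header + body


BENIGN_WMF = _wmf([_record(0x0103, struct.pack("<H", 1)),      # META_SETMAPMODE
                   _record(META_EOF, b"")])

EVIL_WMF = _wmf([_record(0x0103, struct.pack("<H", 1)),
                 _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x90" * 4),
                 _record(META_EOF, b"")])

# Same content with a placeable header in front; this is what a ".jpg"
# attachment that is really a WMF would look like.
PLACEABLE_EVIL = (struct.pack("<IH", PLACEABLE_KEY, 0)
                  + struct.pack("<hhhh", 0, 0, 100, 100)
                  + struct.pack("<HIH", 96, 0, 0)
                  + EVIL_WMF)

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN_WMF), ("evil.wmf", EVIL_WMF),
                       ("HappyNewYear.jpg", PLACEABLE_EVIL)]:
        print(name, scan_wmf(blob) or "clean")
```

Run the script as-is to see the three constructed samples classified; to use it at a gateway, call scan_wmf() on every attachment body regardless of its declared type, and quarantine on a non-empty result. Because the renderer identifies the format from the header rather than the file name, that single content check covers the ".jpg"-named case in the post.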

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).