A Very Dangerous Worm in Windows Metafile Images (WMF)

It took the genius of Bill Gates to design an OS that allows worms to be resident in viewable images. As I recall, Windows had the same problem with true JPEG files once.

"When in doubt, execute it."

John

Reply to
John Larkin

To All,

Last night, a very dangerous computer worm was released on the internet. It is carried on Windows Metafile images and automatically executes with no user interaction. With Microsoft Explorer or Outlook, you are automatically infected if you receive infected email or view a site with the worm. The problem is Windows WMF files have the capability to execute external code. This is a virus writer's dream. He can do anything he wants.

The structure of the worm means it will be difficult or impossible to detect by antivirus programs, and it may be extremely difficult or impossible to remove from your computer.

Microsoft has no patch at the moment, and the procedure they currently recommend to reduce the hazard of infection may not work. Here's more info:

------------------------------------------------------------------

Going back to the wmf vulnerability itself, we see number of sites mention that shimgvw.dll is the vulnerable file.

This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll.

So while unregistering shimgvw.dll may make you less vulnerable, several attack scenarios come to mind where the system can still be compromised.

formatting link

------------------------------------------------------------------

This may be the worst worm that anyone could possibly invent. Here's a portion of a summary by a Slashdot reader:

------------------------------------------------------------------

It's worse than that(Score:1, Insightful) by Anonymous Coward on Sunday January 01, @01:11PM (#14374914)

[...]

This is looking truly horrible. On Tuesday morning zillions of Windows desktops will be fired up for the first time in a week or two. This thing's already in widespread use by a number of malware distribution networks for the usual reasons. As such it's a nightmare for network and system admins with Windows machines to look after (and us security people trying to provide advice & assistance for them...)

[...]

I will stick my neck out here and make a prediction. Virtually all organisations with Windows machines are effectively wide open to total compromise by a reasonably informed person. That means much of the IT dept as well as significant numbers of the 'interested poweruser' types, developers with a casual interest in security, and anyone who's heard of this and is capable of finding, running and using the new exploit, basically. Of course we're all tweaking our IDSes and antivirus, locking things down as tight as possible in the 48 hours remaining, but... *shudder*.

For ten years I've been waiting for Microsoft's luck to run out.

This is about #3 on my list of catastrophic MS incidents. There aren't many ways things could be worse.

url:

formatting link

------------------------------------------------------------------

Other sites confirm the serious nature of the problem:

------------------------------------------------------------------

Re: WMF Vulnerability leads to compromised computers

*** ALL USERS OF WINDOWS, PLEASE READ BELOW. ***

There is a very major security problem with Windows, all variants back to Windows 98.

All systems are at risk. Many are already infected. There are few options for an effective defense.

See our web page on this issue:

formatting link

Greetings,

This is an urgent advisory of a real-life threat to all Windows computers.

The Windows Metafile Format (*.WMF) image format, developed by Microsoft, has been shown to have a critical flaw that allows ALL VARIANTS of Windows computers after and including Windows 98 to be taken over by criminals SIMPLY BY VIEWING images on a web page or images contained in Email - including preview.

The WMF vulnerability is not a virus in itself - it is, instead, known as an "Exploit", or a pathway that a Virus (or spyware, or any number of malware variants) can use to be inserted into a computer. Unfortunately, the bad guys found this hole before the "white hats" got involved, so this problem is already showing up on users' computers.

This is a SEVERE problem, that is already being exploited for commercial and criminal gain. The spyware program "Winhound" is the most common, and prominent, example using this security hole, but many other programs have been found that are taking advantage of it. Many of these programs use stealth techniques to hide on your PC, and record keystrokes, logins, credit card, and all sorts of other information of interest to criminal enterprises.

Other commercial programs using this security hole include Winfixer and AVGold. There will probably be many more.

Although Winhound is a very busy, obvious, and obnoxious infestation, it is not the worst- the worst infestation is that which you do not know about. There is no defense currently available for this problem, and fully-patched systems are being infected. No current antivirus software is defending against this threat. As there is a direct financial incentive, the number and variety of softwares using this security flaw are expanding exponentially in number.

This has the capacity of being the single greatest security threat ever discovered. The number of machines that are vulnerable include every single Windows computer in the world. There is currently no organized defense. The number and variety of attacks are quite large, and they are not being addressed at this time by security products.

The pictures DO NOT NECESSARILY have a *.WMF extension! WMF files will execute just fine if they are called *.gif, *.jpg, *.bmp, and other names! ANY GRAPHIC FILE can conceal the infection.

url:

formatting link

------------------------------------------------------------------

Everyone recommends to stop using the Microsoft Explorer browser and switch to Firefox. Firefox is still vulnerable, but at least it requires you to go through a user dialog to execute the worm. Here is the Firefox url:

formatting link

I use Opera 8.51, but I haven't found if it is vulnerable.

Now's the time to back up all your critical files on a separate computer and keep it away from the web.

Best Wishes and Good Luck to All.

Mike Monett

Reply to
Mike Monett

[...]

Update: Opera is not vulnerable. You have to work hard to get infected.

Here is more information from Rijk van Geijtenbeek in the opera.general newsgroup:

"Opera cannot display WMF files natively, so it is not vulnerable in itself. With the default configuration Opera opens the download dialog for such files. If you click 'Open' and the default handler is the 'MS Picture and fax viewer', you can apparently be infected by malicious WMF files. So treat WMF files with the same caution as EXE and BAT etc files, I'd say. And don't change Opera's settings to directly open such files..."

Go Opera! Beats the pants off MSIE and Firefox.

Mike Monett

Reply to
Mike Monett

Wasn't there a rumor that M$ had back doors for govm't snoops ??

Maybe it wasn't a rumor after all.

donald

Reply to
Donald

A patch for NT-based systems [1]: http://66.102.7.104/search?q=cache:G_h4wrg3BDYJ:

formatting link
's-Temporary-WMF-Patch+the-seriousness-of-the-WMF-vulnerability

[1] There is no patch for DOS-based Windoze.

Reply to
JeffM

I'm sure Gates is one of the main sources of the mindset that generates crap like this, but I really don't think he's done any serious programming since Microsoft Basic (the only _good_ thing to originate in Microsoft, by the way). He bought DOS from a Real Programmer, and since, he's been a corporate bigwig.

Yeah, he may have been in on toplevel design and corporate design goals, but...

John Perry

Reply to
John Perry

I just had a great idea that I hereby make public domain:

Someone could write a *.WMF worm that automatically downloads and installs Linux on all the computers that it can infect.

--
kensmith@rahul.net   forging knowledge
Reply to
Ken Smith
[...]

According to the CERT advisory, a wmf file can have many extensions:

------------------------------------------------------------------

"Please note that Windows Metafile data may be saved with an extension other than WMF. A file with any extension that is associated with Windows Picture and Fax Viewer can be used to exploit this vulnerability. By default, Windows Picture and Fax Viewer is associated with the following file extensions:"

"BMP DIB GIF EMF JFIF JPE JPEG JPG PNG TIF TIFF WMF"

formatting link

------------------------------------------------------------------

The IM worm that was released yesterday was "http://[snip]/xmas-2006 FUNNY.jpg".

So we can't tell if an image file is safe by looking at the extension.

Pure chaos.

Mike Monett

Reply to
Mike Monett

"Mike Monett" wrote in message news: snipped-for-privacy@spammotel.com...

Hahahahaha.....

--
Thanks, Frank.
(remove 'q' and '.invalid' when replying by email)
Reply to
Frank Bemelman

http://66.102.7.104/search?q=cache:G_h4wrg3BDYJ:

formatting link
's-Temporary-WMF-Patch+the-seriousness-of-the-WMF-vulnerability

There is a vulnerability checker at

formatting link

Several people report their results on Win98. Apparently Win98 shows as being vulnerable, but two people running Win98SE say their system reports not vulnerable.

I am running Win98SE with the Final Update. The test report says it is not vulnerable. A brief look at the source indicates it may not be able to find the entry points in the Win98SE version of gdi32.dll.

Wishful thinking says maybe the virus writers could have the same problem with Win98SE, and anyway they will be going after w2k and xp systems. Somehow that doesn't make me feel better.

The author emphasizes he checks only one vulnerability and there may be more. So it is not safe to assume that Win98SE or later OS's are invulnerable to this problem even if the temporary patch is applied.

This is a very serious problem. Watch the internet melt tomorrow when everyone comes back from XMas vacation.

Mike Monett

Reply to
Mike Monett

Most of us don't visit malicious web pages. And hopefully by now most of us have our email program set not to display email links or images. Wait, I don't know, is that feature available yet in Microsoft's Outlook and Outlook Express?

Hmm, wait, what about web-based email programs, do they let you set a default to preview the contents of a spam email without showing the embedded images?

--
 Thanks,
    - Win
Reply to
Winfield Hill

It might only take an external graphics ad on an otherwise "respectable" site.

--

John Devereux
Reply to
John Devereux

It's easy to redirect you there.

I've just been looking and can't find anything relevant to turn on/off.

Dunno mate. Good luck. Put a condom on your PC ! ;-)

Graham

Reply to
Pooh Bear

Outlook Express has that choice. I read my email as plain text.

I suppose some folks may catch this new virus. But if the internet is going to melt down tomorrow, I'd expect to hear more about it, other than a worried post from Mike Monett.

--
Thanks, Frank.
(remove 'q' and '.invalid' when replying by email)
Reply to
Frank Bemelman

I saw that option too. I didn't reckon it was related to the preview pane though.

My Windows is fully patched, so I may not have the vulnerability in OE anyway.

It has to start somewhere. I was initially sceptical but investigated it. As time passed I saw that the alerts were increasing in severity.

This is a real one.

I've finally installed Opera ( after years of my IT friends saying I should ) as my default browser. It's better than IE anyway ! Page rendering is blisteringly fast. It is essentially unaffected by this current issue. I recommend it.

" Opera 8.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Not critical "

formatting link

Graham

Reply to
Pooh Bear

Yes. But the keyword is "respectable" - So, I'd say even if you install Ilfak Guilfanov's WMF-Exploit patch (on W2000 sr4 and XP sr2 systems only, SFAIK) - I have done so - be careful to only visit *very* safe well-known websites.

Ilfak's patch blocks WMF files from executing any internal code they might carry (this was a MS Windows design feature intended to implement a "SETABORT escape sequence," but able to do more).

formatting link
formatting link
formatting link
formatting link
formatting link

Once Microsoft eventually offers a fix, and it's installed, and after a few days (weeks?) multiple ALL CLEARs have been issued, Ilfak's patch can be removed (using Add/Remove Programs). Then we can begin random web-exploring once more. :-) Sheesh!

--
 Thanks,
    - Win
Reply to
Winfield Hill

I would rather suggest using another browser (I use firefox), at least for your general use. It has been months since I had to fire up IE, and then it was just to check if some web site malfunction was browser related or not.

--

John Devereux
Reply to
John Devereux

I dunno, some sites I read say the test fails to properly see the vulnerability on Win98. Others point out the WMF hole is valid back to Windows 3.0, so I'd be very careful.

Nice recommendation.

--
 Thanks,
    - Win
Reply to
Winfield Hill

This event motivated me to finally get round to installing the Opera browser:

formatting link

It's good. Page rendering is especially fast. I don't think I'll be going back.

The last time I was impressed by a browser upgrade ( from Mosaic ! ) was when I was downloading beta versions of Netscape 2 ! Full marks to Opera.

Graham

Reply to
Pooh Bear

It should be illegal to use false extensions, but it happens all the time.

The browser doesn't care about extensions, it reads a file header which tells it what kind of file it is. When Opera sees a WMF file it asks the user what to do: download it, show it with the Windows built-in system (dangerous), or ignore it. Opera does not execute/open it unless specifically told so. Opera is not fooled by extensions because it ignores them and trusts the file header, which says it is a WMF file.

Use a partition saving program, like norton ghost or the freeware "Partition Saving"

formatting link

Make a disk image of the C: partition, so you can restore your operating system in the shape it had a month ago. Don't store data on C:, only the operating system and the few programs that need to be installed in windows. Keep all data on other partitions and back them up. I have two physical hard disks, and often make backups of the important folder systems on the second hd. Once a year I burn the most important data to CD.

Then you don't have to worry much about viruses. Whatever happens you can quickly restore your system. I don't waste processor power on antivirus programs running in the background, I know I can get my system up and running again no matter if it is a virus or a technical fault.

I also use this disk imaging software because I install a lot of programs and try them, so it is good to be able to return to a clean and fast system.

Opera is definitely the best browser, and it is so customizable that you can set it up exactly as you like it. Download and install a bunch of skins, so you can switch quickly between them.

--
Roger J.
Reply to
Roger Johansson
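Several posts in this thread make two points a defender can act on: a WMF is recognised by its header, not its extension (the CERT extension list Mike quotes, and Roger's note that Opera trusts the file header), and the dangerous part is the SETABORTPROC escape record that Ilfak's patch blocks. The Python below is an editor's added example, not code from any poster or from Ilfak's patch: it identifies WMF data by its header regardless of filename and walks the record stream looking for a META_ESCAPE record whose escape function is SETABORTPROC. Record layout follows the published WMF format; all sample bytes are constructed in-memory fixtures (the "escape data" is just zeros).

```python
import struct

META_EOF = 0x0000
META_SETBKCOLOR = 0x0201          # a harmless record used in the benign sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009             # escape function that lets a WMF register a callback
PLACEABLE_KEY = 0x9AC6CDD7        # "placeable" WMF files carry a 22-byte pre-header

def _record(func, params=b""):
    # A WMF record is: Size (uint32, in 16-bit words), RecordFunction (uint16), params.
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records):
    # META_HEADER: Type=1 (memory), HeaderSize=9 words, Version=0x0300,
    # Size (words), NumberOfObjects, MaxRecord (words), NumberOfMembers.
    body = b"".join(records)
    max_rec = max(len(r) for r in records) // 2
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return hdr + body

def _strip_placeable(data):
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return data[22:]
    return data

def is_wmf(data):
    """Identify a WMF by its header alone; the file name is not consulted."""
    data = _strip_placeable(data)
    if len(data) < 18:
        return False
    mtype, hsize, version = struct.unpack_from("<HHH", data)
    return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)

def has_setabortproc(data):
    """Walk the record stream; True if any META_ESCAPE carries SETABORTPROC."""
    if not is_wmf(data):
        return False
    data = _strip_placeable(data)
    off = 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF or size_words < 3:   # EOF or malformed size: stop walking
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                return True
        off += size_words * 2
    return False

def scan(files):
    """Return, sorted, the names of files that are WMF and contain SETABORTPROC."""
    return sorted(name for name, data in files.items() if has_setabortproc(data))

# Constructed samples: the extension says .jpg/.gif, the header says WMF.
_benign = _wmf([_record(META_SETBKCOLOR, b"\x00\x00\x00\x00"), _record(META_EOF)])
_escape = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
_flagged = _wmf([_escape, _record(META_EOF)])
SAMPLES = {
    "chart.wmf": _benign,
    "photo.jpg": _flagged,
    "banner.gif": struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + _flagged,
}
```

Running `scan(SAMPLES)` flags `photo.jpg` and `banner.gif` while passing `chart.wmf`, which is exactly the extension-blind check the thread argues for.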
