A Very Dangerous Worm in Windows Metafile Images (WMF)

Isn't that astounding? Microsoft doesn't even respect filename extensions. They deliberately take advantage of every opportunity to be unsecure.

Pure crap.

John

John Larkin

I believe the MS Office clip art file format also has the option of including macro viruses, though I never heard of any real exploits. Windows font files can also have viruses, since they are at heart DLLs.

David Brown

Or are you hearing echoes of the same?

The real one, real soon now.

Ah, so it is just a big Opera spam! Clever!

If you don't mind, I'll wait until a small portion of the internet melts...

--
Thanks, Frank.
(remove 'q' and '.invalid' when replying by email)
Frank Bemelman

The experts say it really doesn't matter what browser you're using, you're vulnerable if Windows is asked to open a WMF file, via any pathway. This one is said to be EXTREMELY DANGEROUS, read

formatting link
or 1/3 the way down the Internet Storm Center page here,
formatting link

--
 Thanks,
    - Win
Winfield Hill

I wonder where all this expertise suddenly comes from.

The only thing that running such online test proves is that there are still folks around who trust and run software just like that, on their computers that didn't show any signs of problems ;)

Now that is worth a 'Sheesh'.

I recommend installing MSDOS 2.0 before it is too late. Joerg still has copies.

--
Thanks, Frank.
(remove 'q' and '.invalid' when replying by email)
Frank Bemelman

DOS 2.0 was crap.

I have DOS 5.0 ( the only ever unpatched version of DOS - i.e. one that worked out of the box ) on 5 1/4 floppies even ! and any number of versions of DOS 6.xxxxxxxxxxxxx

Graham

Pooh Bear

If someone told you a flood was coming would you wait 'til it was halfway up the walls of your house before acting ?

Graham

Pooh Bear

It did sound dangerous, so I went to a dozen trusted security sites to see what they recommended, and after seeing each one say, don't wait, get with it NOW, I acted. And posted here. I also posted links to a few of the security sites earlier in this thread, don't trust me, trust the experts on this subject. E.g., "Trust us,"

formatting link

:--|}

--
 Thanks,
    - Win
Winfield Hill

"Mike Monett" wrote in message news: snipped-for-privacy@spammotel.com...

Hahahahahaha.....

--
Thanks, Frank.
(remove 'q' and '.invalid' when replying by email)
Frank Bemelman

--
I just followed your lead.  Nice browser, and since it doesn't have
the security problem, I installed it as default.  Thanks for the
tip.
John Fields

With something like this is it worth taking a risk ? I think not.

Luckily my fully patched W98SE seems to be unaffected, yet I changed browser to Opera anyway ( and didn't regret it ! ).

I also found the 'turn off preview pane' option in OE.

Go to View, Layout, and deselect 'Show preview pane'.

That fixes most of it for negligible effort. Give me a reason to *not* do it if you can !

Graham

Pooh Bear

"Knowingly" or maybe "Deliberately" is lacking from that overly confident assertion; there are relatively trivial and well known ways to send your legitimate requests to any malicious web pages/content required!!

It is a design feature of IPv4 and also IPv6 that the local network segment is implicitly trusted - as is DNS - so all it takes is for ONE person on the same network segment as you to slip up (or for said person feeling the urge to flash his laptop on a WiFi LAN in the Airport lounge and bringing it inside the firewall loaded with "freebies").

The odds for that are good since "Most ..." != "All".

Frithiof Andreas Jensen

Doesn't matter, it's picture links that get you, and Opera will show a picture if asked to. Here's what happens, from a post on Microsoft's Windows XP Security and Administration web page,

Encountered WMF Vulnerability in Windows XP. Jack, 12/31/2005 11:36 PM PST: XPHome SP2, fully patched. Opened a picture link, it flashed up my download manager trying to download the file eid6.wmf, which shut before I could close it and flashed open the picture and fax viewer, which I closed, and disconnected from the internet. The following new process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't restart. Following files were created around this time and may or may not be related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files; the catroot2 file was in use and could not be moved and disappeared over a reboot. Then used SR to restore to a point prior. Doesn't seem as if there is any obvious residual, but does anyone know anything else I should do or look for? I had not unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:

formatting link

--
 Thanks,
    - Win
Winfield Hill

I seem to remember, when the internet was still a gleam in everyone's eyes, a "dream" of all of the computers being able to execute anything, and everyone sharing everything, and peace and harmony and parallel processing and all sorts of grand dreams.

Apparently, it turns out, some people with computers are Not Nice.

So we get executable graphics and worms. And executable documents. Sigh.

The solution is so simple apparently Uncle Billy is overlooking it - somebody should explain to him that under the GNU GPL, he could download a free Linux kernel, or even a whole distribution, and set his codemonkeys the task of writing windows-grade installers and drivers and eye candy, and sell "Microsoft Linux" for whatever the market will bear.

Totally legally.

Cheers! Rich

Rich Grise

Aww, c'mon! Post the whole URL, with warnings, so I can go look at it - I'm running Linux, so I don't get worms. ;-P

And if a .jpg isn't a real .jpg, I'm sure The Gimp will let me know. :-)

(you can even break it up, so that the dozers can't click on it. I should be able to reassemble a munged URL. :-) )

Thanks! Rich

Rich Grise

I use Yahoo email, and it has several things - when I open an email, I see all of the text (and full headers, which is kind of annoying, but oh well), and links to the attachments. But it's not links directly to the attachment(s), it's a link to Yahoo's virus checker, which scans the file and then goes to another page that says "virus was not detected" and lets me download the attachment.

And even then, if I had Windows running, I'd hope it would give me a save/execute/cancel dialog. With Linux, I can open anything at all - it's _hard_ to get stuff to execute on a Linux box!

I don't know if this answers your question; as far as previewing a document, I'm itching to get ahold of one of these .wmf virus files, and open it with Paint Shop Pro. I seriously doubt if PSP 4.12 has a facility to execute macros - it can't even animate an animated .gif.

So, you could download it, or possibly open it online with a dedicated graphics program, like, e.g. Paint Shop Pro. It's shareware, so here:

formatting link
It's self-extracting. Download it, virus scan it, log out and log in as administrator, run it, log out as administrator and log back in as yourself, and you'll have Paint Shop Pro 4.12 installed, and can look at practically anything.

Cheers! Rich

Rich Grise

Version 8.51 is supposed to prompt you if it finds a wmf. If you think you're viewing a pic like a jpg that should be warning enough.

Graham

Pooh Bear

Opera can be set to automatically download application/x-msmetafile and .wmf file types. I've set mine to dump any that it comes across into c:/null. As nearly as I can tell from testing here with self-made wmf files, this works correctly as a quarantine measure.

The display of wmf images by Opera can also be affected by whether the user has installed file viewers beyond the vanilla MS handlers. I use IrfanView aka IView as a general-purpose viewer and it is the registered system wmf viewer. I *do not* know whether IView passes wmf images to a lower-level system DLL for decoding, though.

Quarantine seems to be the safest route. The wmf file types are (were) very rare either as web images or in e-mail; mostly used to embed graphic images in Word and such.

--
Rich Webb   Norfolk, VA
Rich Webb


I probably would, yes.

--
Thanks, Frank.
(remove 'q' and '.invalid' when replying by email)
Frank Bemelman

This is a .jpg or a .wmf masquerading as a .jpg? I didn't know .jpgs could carry executable payloads! And if it's a wmf file, how come a jpg viewer works with it at all? Sheesh!!

--
 Thanks,
    - Win
Winfield Hill
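Added example, not written by anyone in this thread: a small Python triage check that answers Win's question by comparing what a file's extension claims with what its header actually is, and flags WMF content whatever the name says, the sort of check a download-folder quarantine like Rich Webb's or a mail gateway could apply. The header layout follows the published WMF format (placeable key 0x9AC6CDD7 followed by the 18-byte METAHEADER); the sample bytes are constructed, not real files.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # key of the 22-byte placeable (Aldus) WMF header
KNOWN_MAGIC = {              # magic bytes of the other image types mentioned in the thread
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png", "wmf": "wmf"}

def is_wmf(data: bytes) -> bool:
    """True if data starts with a placeable or a standard WMF header."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        data = data[22:]     # skip the placeable header; METAHEADER follows it
    if len(data) < 18:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    # mtType 1 = memory, 2 = disk; mtHeaderSize is always 9 words; version 0x100 or 0x300
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def sniff_image_type(data: bytes) -> str:
    """Identify the image type from content alone, ignoring the file name."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return "wmf" if is_wmf(data) else "unknown"

def check_extension(filename: str, data: bytes) -> dict:
    """Compare the claimed type (extension) with the sniffed type; quarantine any WMF."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_image_type(data)
    return {"name": filename, "claimed": claimed, "actual": actual,
            "mismatch": claimed != actual, "quarantine": actual == "wmf"}

# Constructed samples: a JPEG start-of-image marker, a minimal standard WMF
# METAHEADER (disk metafile, version 3.0), and the same header behind a placeable header.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
SAMPLE_PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + SAMPLE_WMF

if __name__ == "__main__":
    for name, blob in [("photo.jpg", SAMPLE_JPEG), ("photo.jpg", SAMPLE_WMF), ("clip.wmf", SAMPLE_PLACEABLE_WMF)]:
        print(check_extension(name, blob))
```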
