Tweak3D.Net
12-29-2005, 02:48 PM   #1
ThatHideousStrength

http://forums.somethingawful.com/sho...readid=1759903

turn off your images
12-29-2005, 03:05 PM   #2
Pope John

Quote:
WHAT IS IT?
There is a new exploit out that uses WMF (windows metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it, or access an infected image that is on your computer. That means the forums can be a vector for infection too. (In fact, user Blue Reptile has already been permabanned for putting the exploit in his signature.)


WHO IS VULNERABLE?
The exploit affects Firefox, Internet Explorer, and any other browser that displays or downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image type, or possibly other filetypes. Anything that puts the image exploit onto your computer or opens it up in windows fax viewer or the part of windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc) can potentially cause the problem.

This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003). USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop, hover over with the mouse) that causes it to be handled by the windows subsystem responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.




WHAT DOES IT DO?
The exploit can be used to drop viruses, trojans, installers etc onto your computer when the exploit is activated (when the file is parsed by the part of windows with the problem). It does not do anything by itself until it is activated. There have been several reports of trojans being downloaded, which then download other things, other spyware, etc. Some of these are "SpyAxe", "AYL" trojan downloader, "ASC" trojan, and other stuff. Here's a video of what this version is doing: http://www.websensesecuritylabs.com...s/wmf-movie.wmv (thanks Merijin).



For further technical information please see the SH/SC thread - http://forums.somethingawful.com/sh...hreadid=1759573




WHAT YOU CAN DO TO HELP PROTECT YOURSELF
1. SCAN YOUR COMPUTER - NOD32 TRIAL VERSION is a good one. Update the definitions right away after installing - they auto-update but you want to be sure you have the latest. (Your goal is to have an antivirus software with a realtime scanner that detects the exploit itself, and not just the payload that it drops. NOD32 does this, at least for this variant.)
Even if you think you are safe, scan your Windows computer anyway. ClamWin appears to catch this, but it doesn't have a realtime scanner. SAV Corporate 10.2 does not catch it outright (the bloodhound heuristics may) but Symantec's own site says that it possibly may never work fully for this due to something about how the virus works. AVG, McAfee, Trend are unknowns at this point. I have personally tested NOD32 and found that its AMON on-access scanner stopped the image as soon as it was saved to the cache, before it was able to execute anything. NOTE: SCAN ALL FILES. Some AV solutions only scan "infectable" files and do not scan image files because the program thinks they are safe. Check for an option to scan all file types and make sure that is enabled.
UPDATE: Most AV companies should have definitions updated by now, but check to be sure that they protect against the actual exploit itself, not just against whatever trojan the exploit drops on the computer.

2. USE AN ALTERNATIVE BROWSER - Using Firefox or an alternative browser will reduce your risk because it does not display the image. However the image is still downloaded to your cache, and some browsers prompt you to open the file - which you should not do!

3. TURN OFF SALR's feature that makes text links into images. If you have that feature turned on, someone could make just a text link that displays the infected image in your browser.

4. TURN OFF GOOGLE DESKTOP or anything else that does indexing of files on your computer.

5. USE COMMON SENSE - Don't go to links you don't trust, don't open files you aren't expecting, including suspicious email or IM's, etc.

6. KEEP ON TOP OF WINDOWS UPDATES - Hopefully they can fix this one quickly, but you really should be up-to-date on everything else anyway.

7. AVOID IMAGE SEARCHING and visiting webpages you don't trust. Some of the places this image has been popping up are: eBay XBOX auctions, porn sites, google image search, wikipedia, myspace, other forums, etc - places where people can post their own images. If you have a competent realtime scanner that can catch the image before it executes anything you are ahead of the game here.


BONUS TECHY STUFF
8. You can try unhooking the part of Windows that views those image files. To do this, click Start -> Run and type regsvr32 /u shimgvw.dll then press OK. You will get a confirmation message. To undo this, repeat but type regsvr32 shimgvw.dll instead. Note: This only has a minimal benefit - it only disables the image viewer itself. It doesn't prevent against viewing the exploit image in Internet Explorer, for example. Messing around with this is at your own risk.

9. Forum user R1CH, the Ron Jeremy of Coding, has come up with a patched file that can reportedly help eliminate the problem. The instructions are on page 3 of this thread (pages 7/8 of the SHSC thread). This is also at your own risk since it's not an official Microsoft patch. If you install this update from R1CH there is a chance that Windows Update will detect it and show you that an update is available - that update it shows you is for a previous vulnerability and will actually roll back your system to the pre-R1CH broken dll file from November 2005.



BOTTOM LINE: If you use Windows, you will not be 100% safe from this exploit until the problem in windows is patched - there is no official patch yet.
quoted for ease of mind.

Hmm, well, I hope running Opera with no images will work for me just fine. I don't want to start scheduling any more spyware/virus scans.

Good find.
12-29-2005, 03:09 PM   #3
super_Chris

slashdot


Start / run / "REGSVR32 /U SHIMGVW.DLL" (Minus quotes) / done

I doubt anyone ever uses WMF anyway.

12-29-2005, 03:19 PM   #4
ninefivezero

Good thing my AV subscription ran out on 8/15

I need a new one, anyone got something for me besides AVG or something?



"The test of our progress is not whether we add more to the abundance of those who have much; it is whether we provide enough for those who have too little." - Franklin D. Roosevelt
12-29-2005, 03:24 PM   #5
Pope John

sweet. good save.

Guess I'll just run cached images for the time being, then.
12-29-2005, 03:46 PM   #6
Undertaker989

web developer firefox plugin > disable images

at least until MS fixes this.

12-29-2005, 04:15 PM   #7
ivwshane

Quote:
Originally Posted by super_Chris
slashdot


Start / run / "REGSVR32 /U SHIMGVW.DLL" (Minus quotes) / done

I doubt anyone ever uses WMF anyway.
What does that do?
12-29-2005, 04:46 PM   #8
super_Chris

Quote:
Originally Posted by ivwshane
Quote:
Originally Posted by super_Chris
slashdot


Start / run / "REGSVR32 /U SHIMGVW.DLL" (Minus quotes) / done

I doubt anyone ever uses WMF anyway.
What does that do?
It prevents windows from rendering the WMF files. I could be wrong though, I don't know enough about this to be sure.

12-29-2005, 04:46 PM   #9
Wedge_

Unregisters the dll, so that the components it contains don't appear in the registry and can't be loaded. I assume it deals with WMF files in some way.

Per Ardua Ad Astra
12-29-2005, 05:06 PM   #10
XEN

SHIMGVW.DLL is an image rendering library for windows formats.


"I think that the CIA is truly filled with frustrated weathermen." - Lewis Black
12-29-2005, 05:41 PM   #11
Chris

Ahh. Linux. How I love thee.
12-29-2005, 06:54 PM   #12
j0k3r

Quote:
Originally Posted by super_Chris
slashdot


Start / run / "REGSVR32 /U SHIMGVW.DLL" (Minus quotes) / done

I doubt anyone ever uses WMF anyway.
Actually I would bet 90% of people use WMF. When you are browsing folders and turn on thumbnails, you are using WMF. If you open an image in Windows Picture and Fax Viewer, you are using WMF. WMF is all over the system. Unregistering the DLL will work until the exploit is patched by Microsoft.

12-29-2005, 09:36 PM   #13
Pope John

so then, how would one go about reversing the unregistration of wmf?
12-29-2005, 09:57 PM   #14
Sweatervest

Quote:
Originally Posted by Pope John
so then, how would one go about reversing the unregistration of wmf?
I'm guessing try that same thing without the /U

spaghetti legs
12-29-2005, 10:23 PM   #15
Mr. Ali

Quote:
Originally Posted by Sweatervest
Quote:
Originally Posted by Pope John
so then, how would one go about reversing the unregistration of wmf?
I'm guessing try that same thing without the /U
what exactly can i not do with this not running anymore?

i stopped mine and i can still browse the intarweb and watch my porn.

"As a Ford owner, trust me when I say, you will never regret anything more in your life than buying a Ford over a Toyota."
- Dan T3D
12-30-2005, 12:09 AM   #16
hans5849

fine, I'll install that copy of Norton I bought

I make myself laugh.
12-30-2005, 09:29 AM   #17
Amazing_Creep

Quote:
Originally Posted by ninefivezero
Good thing my AV subscription ran out on 8/15

I need a new one, anyone got something for me besides AVG or something?
Avast! Antivirus... free, and more aggressive than a sexual predator out on parole on a primary school playground.

Mmm, bacon.
01-01-2006, 06:50 PM   #18
Undertaker989

my friend just infected my brother's computer with a nasty trojan and I suspect it's via this vulnerability.

He sat in my brother's room, playing his stupid guitar, browsing tabcrawler and porno pages and sure enough, mssearchagent.exe, spyaxe.exe and all this other crap starts popping up on his desktop.

My bro and I were searching for files and reg keys trying to get rid of this nasty bug while the hippie just sat there playing his stupid little guitar not having a fucking clue about computer security at all, and more importantly, not apologizing for his fucking blunder.

put a 1 minute delayed, password protected screensaver on your PC when company is over people!!!

We still haven't removed the virus yet...my brother had to leave for other obligations, so he'll battle the virus at a later time.

01-16-2006, 02:15 AM   #19
Pope John

Quote:
Originally Posted by Sweatervest
Quote:
Originally Posted by Pope John
so then, how would one go about reversing the unregistration of wmf?
I'm guessing try that same thing without the /U
this apparently didn't work. And it's making it tough to look through my picture folders... I'm looking for a picture and don't know what it's called.

How do I turn the rendering back on? And also, did the fix ever come out?
01-16-2006, 02:38 AM   #20
namelessentity

Try "regsvr32 %windir%\system32\shimgvw.dll"

Also:
You can just go thru windows update, it's listed as a critical update.

"Only an OBAMA supporter would be so critical of someone else's beliefs" -LadyBlaze
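A small script, added here and not part of the thread, that ties together the two commands the thread gives: the `regsvr32 /u shimgvw.dll` workaround from the quoted post and the full-path re-registration namelessentity suggests. It reports whether shimgvw.dll is still registered as a COM server, so you can tell whether the workaround actually took or has been reverted after patching, and can apply or undo it. It assumes the DLL lives at %windir%\system32\shimgvw.dll (the path given above) and that Register/Unregister are run from an elevated prompt.

```powershell
# Added example, not from the thread. Reports whether shimgvw.dll (the library
# behind Windows Picture and Fax Viewer and Explorer thumbnails) is registered
# as a COM server, and optionally unregisters or re-registers it with regsvr32.
# Assumption: the DLL lives at %windir%\system32\shimgvw.dll (path from the thread).
# Register/Unregister need an elevated (administrator) PowerShell; Status does not.
param(
    [ValidateSet('Status', 'Unregister', 'Register')]
    [string]$Action = 'Status'
)

$dll = Join-Path $env:windir 'system32\shimgvw.dll'

function Get-ShimgvwClsids {
    # regsvr32 /u calls the DLL's DllUnregisterServer, which removes the
    # HKCR\CLSID\{...}\InprocServer32 entries that point at it. With none left,
    # Explorer and the viewer can no longer load the component through COM.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-Item -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and ($server.GetValue('') -like '*shimgvw.dll*')) { $_.PSChildName }
        }
}

switch ($Action) {
    'Status' {
        $ids = @(Get-ShimgvwClsids)
        if ($ids.Count -eq 0) {
            "shimgvw.dll is not registered: the unregistration workaround is in effect."
        } else {
            "shimgvw.dll is registered under $($ids.Count) CLSID(s): $($ids -join ', ')"
        }
    }
    'Unregister' {
        # Same as Start -> Run -> regsvr32 /u shimgvw.dll; /s suppresses the dialog box.
        & regsvr32.exe /s /u $dll
    }
    'Register' {
        # Reverses the workaround using the full path, as the last post suggests.
        & regsvr32.exe /s $dll
    }
}
```

Run it with no arguments to see the current state; once the fix from Windows Update mentioned above is installed, the workaround is no longer needed and `-Action Register` restores thumbnails and the viewer.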