Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Windows Graphics Rendering Engie - WMF Exploit

Notifications for Security Updates, as well as News and Information from across the web - mostly security minded.

Update Contributors: Members of the Malware Removal University.

Regular Members: Our Regular Members are invited to start and/or participate in all other topics. Join in and share the news that's important to you.

Windows Graphics Rendering Engie - WMF Exploit

Unread postby Chachazz » December 29th, 2005, 8:20 pm

Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability

Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability.

The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file.

The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine.

Microsoft Windows XP is considered to be vulnerable at the moment. It is likely that other Windows operating systems are affected as well.

Source: Security Focus»

New exploit blows by fully patched Windows XP systems
Source: Sunbelt Blog»
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada
Advertisement
Register to Remove

Unread postby Chachazz » December 29th, 2005, 8:22 pm

Kaspersky Labs
December 28, 2005


Trojan programs exploiting the latest Windows vulnerability


Kaspersky Lab, a leading developer of secure content management solutions which protect against viruses, hackers and spam, has detected a range of Trojan programs which exploit the Windows Meta File vulnerability. This vulnerability is rated highly critical, and so far, no patch has been issued.

The Trojans are classified as Trojan-Downloader.Win32.Agent.acd, as all the samples detected by Kaspersky Lab come from the same family. New modifications of these programs may well appear in the near future.

The WMF vulnerability is present in computers running Microsoft Windows XP with SP1 and SP2, and Microsoft Windows Server 2003 with Service Pack 0 and Service Pack 1. The vulnerability can be exploited when viewing infected sites with Internet Explorer, Firefox (if certain other conditions are met), or when previewing *.wmf format files with Windows Explorer.

Computers will be infected by programs from the Agent.acd family if the user visits unionseek.com or iframeurl.biz. The malicious programs are downloaded to the victim machine and launched via the WMF vulnerability. Agent.acd will then download other Trojan programs to the victim machine.

To prevent infection, Kaspersky Lab strongly recommends that users should not open files with a *.wmf extension. Users should also configure their Internet Explorer security settings to 'High'.

Antivirus databases updates containing detection for Trojan-Downloader.Win32.Agent.acd have already been released. Further information is available in the Kaspersky Virus Encyclopaedia http://www.viruslist.com/en/alerts?alertid=176701669
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada

Unread postby Chachazz » December 29th, 2005, 8:26 pm

Handler's Diary December 29th 2005

* Update on Windows WMF 0-day
Published: 2005-12-29,
Last Updated: 2005-12-29 11:23:53 UTC by Chris Carboni (Version: 1)

Update 19:07 UTC: We are moving to Infocon Yellow for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.

The folks at Websense Labs have a nice movie on how it looks like if a system gets exploited by this WMF 0-day, see http://www.websensesecuritylabs.com/ima ... -movie.wmv . Don't go to any of the URLs visible in the movie unless you know what you are doing (or feel like spending the next hours reinstalling your PC).

The orignal exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.

Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet ), the WMF exploit attempt will result in a warning and not run on its own. Don't feel too safe though, we have also received comments stating that a fully enabled DEP did not do anything good in their case.

While the original exploit only refered to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive - see the F-Secure Weblog mentioned above for details.

Update 23:00 UTC: The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" Window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as any ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.

Source: SANS Storm Center»
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada

Unread postby Chachazz » December 29th, 2005, 8:30 pm

[quote]
WMF, day 2
Thursday, December 29, 2005
Posted by Mikko @ 08:30 GMT

Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
http://www.microsoft.com/technet/securi ... 12840.mspx
http://www.kb.cert.org/vuls/id/181038

Microsoft's bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003.

They also list the REGSVR32 workaround. It's a good idea to use this while waiting for a patch. To quote Microsoft's bulletin:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dllâ€
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada

Unread postby Chachazz » December 29th, 2005, 8:31 pm

Analyst's Diary - WMF vulnerability
December 29, 2005 | 14:50 GMT

As I'm sure you've heard by now, attackers are taking advantage of an unpatched vulnerability which gets exploited by .wmf files.

Dozens of sites are already hosting malicious .wmf files. In addition to this, the sites are distributing so called 'anti-spyware applications' (which require the infected user to pay) and other malware, such as Trojan-Spy.Win32.Small.ee, which isn't directly related to these applications.

Naturally we've been doing some research on this vulnerability and we've come up with some interesting findings.

At first glance it seems that hardware-based Data Execution Protection, which is available only with XP/SP2 on NX-bit (AMD) and XD-bit (Intel) enabled CPUs, prevents successful exploitation of the vulnerability.

We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files.

This shows that although HW DEP can help, it's by no means a solution.

Perhaps the most worrying thing about this whole issue is that NTFS rights have no effect on whether or not the vulnerability will be exploited.

Some people run under a limited user account (which among other things restricts NTFS rights). This may make people feel that they are protected from malware. In this case, nothing could be much further from the truth.

The attackers seem very well aware of this fact and have already released malware which will be downloaded and executed in a directory where a limited user has execution rights.

Our testing has also revealed that although Windows 2000 is not vulnerable by default, it is potentially vulnerable. If the Windows 2000 system has an image viewer which supports .wmf files installed, there's a high chance that the system will be vulnerable.

Image viewers like Irfanview and XnView rely on the vulnerable file to show .wmf files. Exploitation also successfully occurs on Windows 2000, with testing carried out on 2000/SP4 with all the latest patches.

The good thing however is that Internet Explorer will ask you (at least once) if you want to open or save the .wmf file instead of opening it by default.

WinXP Pro64 bit edition is also vulnerable. However, as all shellcode is written for IA32 processors the exploits won't work. Specific x64 shellcode needs to be written for the exploit to work. The chances of this happening (on a large scale) is slim as only a small number of users run WinXP Pro64 bit edition.

We've released heuristic detection for malicious .wmf files which exploit the new vulnerability. Suspicious files will be detected as Exploit.Win32.IMG-WMF.

*Updated to add information regarding ASPack packed files and HW DEP + other small correction.
Source: Viruslist.com»
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada

Unread postby Chachazz » December 29th, 2005, 8:33 pm

There is a lively, interesting discussion at «BroadBandReports» about this exploit ;)
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada

Unread postby Chachazz » December 29th, 2005, 8:38 pm

Bloodhound.Exploit.56 (Symantec)
Category 1
Discovered on: December 27, 2005
Last Updated on: December 28, 2005 06:13:42 AM

Bloodhound.Exploit.56 is a heuristic detection for the WMF SetAbortProc vulnerability (as described in BID 16074).

Type: Trojan Horse, Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows Server 2003, Windows XP

«Symantec Alerts/Threats»
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada

Unread postby Chachazz » December 29th, 2005, 8:47 pm

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005

Microsoft is investigating new public reports of a possible vulnerability in Windows. Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they may have been affected by this issue can contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

Mitigating Factors:
•In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

•An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

•By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration This mode mitigates this vulnerability where the e-mail vector is concerned although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.

««Security Advisory (912840)»»
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada

Unread postby Chachazz » December 29th, 2005, 9:08 pm

Last edited by Chachazz on December 30th, 2005, 11:30 pm, edited 2 times in total.
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada

Unread postby suebaby41 » December 30th, 2005, 7:09 pm

Link to BleepingComputer may be broken. I get the "sorry" message.
User avatar
suebaby41
MRU Master
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Unread postby ChrisRLG » December 30th, 2005, 7:12 pm

Sue - it worked yesterday - BC must have moved or removed the info.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Chachazz » December 30th, 2005, 7:13 pm

Yes it did work yesterday - I'm searching the site...anyone find it please post with thanks! ;)
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada

Unread postby Chachazz » December 30th, 2005, 10:17 pm

Well, here is a new link from an Admin at Bleeping.
This is not posted on the forums - just a file download - and perhaps only for
security/hjt staff?

Here is the correct link:
http://www.bleepingcomputer.com/forums/topic39047.html

Edited: Timestamp: 30 December 2005, 07:27 PM --800 (Pacific Standard Time)
User avatar
Chachazz
Regular Member
 
Posts: 642
Joined: July 3rd, 2005, 5:33 pm
Location: Canada

Unread postby Pollux.Castor » December 30th, 2005, 11:43 pm

I tried the link posted by Chachazz. It worked for me.
User avatar
Pollux.Castor
Regular Member
 
Posts: 444
Joined: December 28th, 2005, 12:01 pm

Unread postby Pollux.Castor » December 30th, 2005, 11:44 pm

I must have tried it after it was edited.
User avatar
Pollux.Castor
Regular Member
 
Posts: 444
Joined: December 28th, 2005, 12:01 pm
Advertisement
Register to Remove

Next

Return to News Desk



Who is online

Users browsing this forum: No registered users and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware