New Windows Exploit


Re: New Windows Exploit Posted by Gwil on Thu Dec 29th 2005 at 8:26pm
super admin
2864 posts 315 snarkmarks Registered: Oct 13th 2001 Occupation: Student Location: Derbyshire, UK
Apparently, there's a new one floating around.

Stolen from somethingawful.com / kiwi.vg:

WHAT IS IT?

There is a new exploit out that uses WMF (windows metafile format)
files to infect a computer. All you have to do to get infected is view
a webpage that has the image on it, or access an infected image that is
on your computer. That means the forums can be a vector for infection
too.

WHO IS VULNERABLE?

The exploit affects Firefox, Internet Explorer, and any other browser
that displays or downloads the file into the cache on the local
machine. The file could also be a WMF renamed to any other image type,
or possibly other filetypes. Anything that puts the image exploit onto
your computer or opens it up in windows fax viewer or the part of
windows that generates thumbnails of WMF files is a vulnerability. This
means any vector that puts the image onto your computer (wget, browser,
email, IM, etc) can potentially cause the problem.

This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003).
USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still
downloaded to your cache in most cases, but it does reduce your chances
somewhat since the image is often not displayed in the browser. But if
you then interact with the file in any way (thumbnail it, Google
Desktop, hover over with the mouse) that causes it to be handled by the
windows subsystem responsible for WMF then you will have problems. Once
again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT
SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.

WHAT DOES IT DO?

The exploit can be used to drop viruses, trojans, installers etc
onto your computer when the exploit is activated (when the file is
parsed by the part of windows with the problem). It does not do
anything by itself until it is activated. There have been several
reports of trojans being downloaded, which then download other things,
other spyware, etc. Some of these are "SpyAxe", "AYL" trojan
downloader, "ASC" trojan, and other stuff.

WHAT YOU CAN DO TO HELP PROTECT YOURSELF

1. SCAN YOUR COMPUTER - NOD32 TRIAL VERSION is a good one. Update the
definitions right away after installing - they auto-update but you want
to be sure you have the latest. (Your goal is to have an antivirus
software with a realtime scanner that detects the exploit itself, and
not just the payload that it drops. NOD32 does this, at least for this
variant.)

Even if you think you are safe, scan your Windows computer anyway.
ClamWin appears to catch this, but it doesn't have a realtime scanner.
SAV Corporate 10.2 does not catch it outright (the bloodhound
heuristics may) but Symantec's own site says that it possibly may never
work fully for this due to something about how the virus works. AVG,
McAfee, Trend are unknowns at this point. I have personally tested
NOD32 and found that its AMON on-access scanner stopped the image as
soon as it was saved to the cache, before it was able to execute
anything. NOTE: SCAN ALL FILES. Some AV solutions only scan
"infectable" files and do not scan image files because the program
thinks they are safe. Check for an option to scan all file types and
make sure that is enabled.

UPDATE: Most AV companies should have definitions updated by now,
but check to be sure that they protect against the actual exploit
itself, not just against whatever trojan the exploit drops on the
computer.

2. USE AN ALTERNATIVE BROWSER - Using Firefox or an alternative
browser will reduce your risk because it does not display the image.
However the image is still downloaded to your cache, and some browsers
prompt you to open the file - which you should not do!

3. TURN OFF SALR's feature that makes text links into images. If
you have that feature turned on, someone could make just a text link
that displays the infected image in your browser.

4. TURN OFF GOOGLE DESKTOP or anything else that does indexing of files on your computer.

5. USE COMMON SENSE - Don't go to links you don't trust, don't open
files you aren't expecting, including suspicious email or IMs, etc.

6. KEEP ON TOP OF WINDOWS UPDATES - Hopefully they can fix this one
quickly, but you really should be up-to-date on everything else anyway.

7. AVOID IMAGE SEARCHING and visiting webpages you don't trust.
Some of the places this image has been popping up are: eBay XBOX
auctions, porn sites, google image search, wikipedia, myspace, other
forums, etc - places where people can post their own images. If you
have a competent realtime scanner that can catch the image before it
executes anything you are ahead of the game here.

BONUS TECHY STUFF

8. You can try unhooking the part of Windows that views those image
files. To do this, click Start -> Run and type regsvr32 /u
shimgvw.dll then press OK. You will get a confirmation message. To undo
this, repeat but type regsvr32 shimgvw.dll instead. Note: This only has
a minimal benefit - it only disables the image viewer itself. It
doesn't prevent viewing the exploit image in Internet Explorer,
for example. Messing around with this is at your own risk.

BOTTOM LINE: If you use Windows, you will not be 100% safe from
this exploit until the problem in windows is patched - there is no
official patch yet.
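Two points in the quoted advice above come down to the same thing: the file may be a WMF renamed to another image extension, and some scanners skip "non-infectable" file types by extension, so the check has to be on content, not on the name. As an added example (not from the original post or the quoted somethingawful text), the Python script below classifies files by their WMF header bytes: the placeable-WMF key 0x9AC6CDD7 and the standard METAHEADER layout (type, header size of 9 words, version 0x0100 or 0x0300) are the documented format signatures. The sample files are constructed inline and carry headers only.

```python
"""Content-based WMF detector (added example, not from the original thread).

Classifies files by header bytes rather than extension, so a WMF renamed to
.jpg/.gif/.png is still reported. Knowing a file is a metafile does not by
itself mean it is malicious; this is the triage step that feeds a real scanner.
"""
from __future__ import annotations

import struct
from pathlib import Path

# Placeable (Aldus) WMF files start with the key 0x9AC6CDD7, stored little-endian.
PLACEABLE_KEY = b"\xD7\xCD\xC6\x9A"

# Standard WMF files start with a METAHEADER of three little-endian WORDs:
# Type (1 = memory metafile, 2 = disk metafile), HeaderSize (always 9 words),
# Version (0x0100 or 0x0300).
STANDARD_WMF_TYPES = {1, 2}
STANDARD_WMF_HEADER_SIZE = 9
STANDARD_WMF_VERSIONS = {0x0100, 0x0300}


def is_wmf(data: bytes) -> bool:
    """Return True if the leading bytes form a placeable or standard WMF header."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < 6:
        return False  # too short to hold a METAHEADER
    mtype, header_size, version = struct.unpack("<HHH", data[:6])
    return (
        mtype in STANDARD_WMF_TYPES
        and header_size == STANDARD_WMF_HEADER_SIZE
        and version in STANDARD_WMF_VERSIONS
    )


def classify(name: str, data: bytes) -> str:
    """Return 'wmf', 'wmf-disguised' (WMF content under a non-.wmf name) or 'other'."""
    if not is_wmf(data):
        return "other"
    return "wmf" if Path(name).suffix.lower() == ".wmf" else "wmf-disguised"


def scan_files(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Classify every (name, bytes) pair and return (name, verdict) for each WMF found."""
    hits = []
    for name, data in files.items():
        verdict = classify(name, data)
        if verdict != "other":
            hits.append((name, verdict))
    return hits


# Constructed sample files: headers only, padded with zeros, no real metafile records.
SAMPLE_FILES = {
    "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,                # JPEG SOI marker
    "clipart.wmf": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 16,       # standard WMF METAHEADER
    "funny.gif": PLACEABLE_KEY + b"\x00" * 18,                       # placeable WMF renamed to .gif
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,                 # PNG signature
    "tiny.bmp": b"BM",                                               # too short for any WMF header
}

if __name__ == "__main__":
    for name, verdict in scan_files(SAMPLE_FILES):
        print(f"{name}: {verdict}")
```

Run against a browser cache directory by reading the first 32 bytes of each file into the dict; the renamed-GIF case is the one an extension-based scanner misses, which is the point of the "scan all files" advice.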
Re: New Windows Exploit Posted by Campaignjunkie on Thu Dec 29th 2005 at 9:08pm
1309 posts 329 snarkmarks Registered: Feb 12th 2002 Occupation: Student Location: West Coast, USA
Uhh... Hurray?
Re: New Windows Exploit Posted by Loco on Thu Dec 29th 2005 at 9:10pm
member
615 posts 121 snarkmarks Registered: Aug 29th 2003 Occupation: Student Location: UK
The BBC News article about this is here, for those that want. Seems to be taking Microsoft a while to respond to this though...
Re: New Windows Exploit Posted by French Toast on Thu Dec 29th 2005 at 9:42pm
3043 posts 304 snarkmarks Registered: Jan 16th 2005 Occupation: Kicking Ass Location: Canada
What is with this need to f**k up peoples machines... drives me nuts.
Re: New Windows Exploit Posted by Crono on Thu Dec 29th 2005 at 10:08pm
super admin
6628 posts 700 snarkmarks Registered: Dec 19th 2003 Location: Oregon, USA
If these people were really smart they'd go over to Microsoft and give them a list of exploits in return for hundreds of thousands of dollars, since they would save much more than that not having to search and scour for the problem themselves. That or MS already knows and has a team specifically designed to exploit these problems.

Symantec and Microsoft do write all the viruses after all. That would make sense, actually.
Blame it on Microsoft, God does.
Re: New Windows Exploit Posted by wil5on on Fri Dec 30th 2005 at 12:59am
member
1733 posts 570 snarkmarks Registered: Dec 12th 2003 Occupation: Mapper Location: Adelaide
I think the real question here is, how in the hell can an image file contain a virus?
"If you talk at all during this lesson, you have detention. Do you understand?"
  • My yr11 Economics teacher
Re: New Windows Exploit Posted by Gorbachev on Fri Dec 30th 2005 at 1:26am
1569 posts 264 snarkmarks Registered: Dec 1st 2002 Location: Vancouver, BC, Canada
It doesn't contain it, but rather exploits the way that it's viewed. Usually those ones are just because Windows likes to do a billion things with simple items, so instead of it being nice and modular, everything is integrated and thus something simple and really quite stupid can cause a huge hassle.
Re: New Windows Exploit Posted by OtZman on Fri Dec 30th 2005 at 2:00am
member
1890 posts 218 snarkmarks Registered: Jul 12th 2003 Occupation: Student Location: Sweden
Re: New Windows Exploit Posted by Nickelplate on Fri Dec 30th 2005 at 4:19am
2770 posts 346 snarkmarks Registered: Nov 23rd 2004 Occupation: Prince of Pleasure Location: US
So, like... viewing this image is like being able to comprehend the purpose of life: once you know, you just don't exist anymore. Once you SEE the picture, your computer goes kaput.

I wanna see...
I tried sniffing coke, but the ice cubes kept getting stuck in my nose.
http://www.dimebowl.com