Encountered WMF Vulnerability



XPHome SP2, fully patched. Opened a picture link, it flashed up my download
manager trying to download the file eid6.wmf, which shut before I could
close it and flashed open the picture and fax viewer which I closed and
disconnected from the internet. The following new process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
C:\Documents and Settings\%username%\Local Settings\Temporary Internet
Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't restart.
Following files were created around this time and may or may not be related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files, the catroot2 file was in use and could not be
moved and disappeared over a reboot. Then used SR to restore to a point
prior. Doesn't seem as if there is any obvious residual, but does anyone
know anything esle I should do or look for. I had not unregistered
shimgvw.dll or applied Ilfak Guilfanov's temp patch:

http://www.grc.com/sn/notes-020.htm

Thanks.


--
Regards



.