Re: Encountered WMF Vulnerability
Jack wrote:
> XPHome SP2, fully patched. Opened a picture link, it flashed up my
> download manager trying to download the file eid6.wmf, which shut
> before I could close it and flashed open the picture and fax viewer
> which I closed and disconnected from the internet. The following new
> process was running:
>
> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
> C:\Documents and Settings\%username%\Local Settings\Temporary Internet
> Files\Content.IE5\WTABCDEZ\eid6[1].wmf
>
> Closed it and cleaned the IE cache and rebooted and it didn't restart.
> Following files were created around this time and may or may not be
> related:
>
> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
>
> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
>
> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
>
> C:\WINDOWS\system32\CatRoot2\tmp.edb
>
> I removed the prefetch files, the catroot2 file was in use and could
> not be moved and disappeared over a reboot. Then used SR to restore
> to a point prior. Doesn't seem as if there is any obvious residual,
> but does anyone know anything else I should do or look for? I had not
> unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:
>
> http://www.grc.com/sn/notes-020.htm
>
> Thanks.

What anti-virus program do you use? Most can already detect this exploit.
Here is some reading on this:
http://www.updatexp.com/wmf-exploit.html
If you read the link above, it mentions that this exploit can download and
install trojans and/or malware. I suggest that you try Ewido, free for 14 days;
it will also detect the WMF vulnerability if your system is still infected.
http://www.ewido.net/en/

The following is copied and pasted from the MS virus newsgroups courtesy of
David Lipman.

Scanner        Version          Updated      Result
AntiVir        6.33.0.70        12.29.2005   TR/Dldr.WMF.Agent.D
Avast          4.6.695.0        12.29.2005   Win32:Exdown
AVG            718              12.29.2005   Downloader.Agent.13.AI
Avira          6.33.0.70        12.29.2005   TR/Dldr.WMF.Agent.D
BitDefender    7.2              12.29.2005   Exploit.Win32.WMF-PFV.C
CAT-QuickHeal  8.00             12.29.2005   WMF.Exploit
ClamAV         devel-20051123   12.29.2005   Exploit.WMF.A
DrWeb          4.33             12.29.2005   Exploit.MS05-053
eTrust-Iris    7.1.194.0        12.29.2005   Win32/Worfo.C!Trojan
eTrust-Vet     12.4.1.0         12.29.2005   Win32/Worfo
Ewido          3.5              12.29.2005   Downloader.Agent.acd
Fortinet       2.54.0.0         12.29.2005   W32/WMF-exploit
F-Prot         3.16c            12.29.2005   security risk or a "backdoor" program
Ikarus         0.2.59.0         12.29.2005   Trojan-Downloader.Win32.Agent.ACD
Kaspersky      4.0.2.24         12.29.2005   Trojan-Downloader.Win32.Agent.acd
McAfee         4662             12.29.2005   Exploit-WMF
Microsoft      ??               12.29.2005   no virus found
NOD32v2        1.1343           12.28.2005   Win32/TrojanDownloader.Wmfex
Norman         5.70.10          12.29.2005   no virus found
Panda          9.0.0.4          12.28.2005   Exploit/Metafile
Sophos         4.01.0           12.29.2005   Troj/DownLdr-NK
Symantec       8.0              12.29.2005   Download.Trojan
TheHacker      5.9.1.064        12.28.2005   Exploit/WMF
Trend Micro    135              12.29.2005   TROJ_NASCENE.D
UNA            1.83             12.29.2005   no virus found
VBA32          3.10.5           12.28.2005   no virus found

--
Mike Pawlak
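Jack's process line is itself a usable detection signal: the Picture and Fax Viewer (shimgvw.dll, ImageView_Fullscreen) being launched through rundll32 on a metafile that sits in the IE cache. The following Python is an added example, not code from either poster, that triages constructed process-creation records on exactly those indicators; the "Image" and "CommandLine" field names and the three sample events are assumptions made for this example.

```python
import re
from typing import NamedTuple

# Constructed Sysmon-style process-creation records; the field names "Image" and
# "CommandLine" are assumptions for this example. The first record mirrors the
# process Jack reported, the other two are benign rundll32 uses for contrast.
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\system32\rundll32.exe",
     "CommandLine": r'"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen '
                    r'C:\Documents and Settings\jack\Local Settings\Temporary Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf'},
    {"Image": r"C:\WINDOWS\system32\rundll32.exe",
     "CommandLine": r'"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen '
                    r'C:\Documents and Settings\jack\My Documents\My Pictures\holiday.jpg'},
    {"Image": r"C:\WINDOWS\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

class Finding(NamedTuple):
    command_line: str
    target: str          # the file handed to the viewer
    reasons: tuple       # human-readable indicators that fired

VIEWER_RE = re.compile(r"shimgvw\.dll\s*,\s*ImageView_Fullscreen\b", re.IGNORECASE)
BROWSER_CACHE_RE = re.compile(r"\\Temporary Internet Files\\", re.IGNORECASE)
METAFILE_RE = re.compile(r"\.(wmf|emf)$", re.IGNORECASE)
IE_CACHE_NAME_RE = re.compile(r"\[\d+\]\.[^.\\]+$")   # IE cache files look like name[1].ext

def assess(event):
    """Return a Finding for rundll32 launches of the image viewer, else None."""
    if event["Image"].rsplit("\\", 1)[-1].lower() != "rundll32.exe":
        return None
    m = VIEWER_RE.search(event["CommandLine"])
    if m is None:
        return None                      # rundll32 loading some other DLL
    target = event["CommandLine"][m.end():].strip().strip('"')
    reasons = []
    if METAFILE_RE.search(target):
        reasons.append("target is a metafile (.wmf/.emf)")
    if BROWSER_CACHE_RE.search(target):
        reasons.append("target lives in the IE cache, so it arrived from a web page")
    if IE_CACHE_NAME_RE.search(target):
        reasons.append("IE cache naming (name[n].ext): opened straight from the download")
    return Finding(event["CommandLine"], target, tuple(reasons))

def triage(events, min_reasons=2):
    """Keep only viewer launches where at least min_reasons indicators fired."""
    hits = [assess(e) for e in events]
    return [f for f in hits if f is not None and len(f.reasons) >= min_reasons]
```

A hit with all three reasons is the pattern in Jack's post; a user opening a JPG from My Pictures through the same viewer produces no reasons and is ignored.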
