Re: Encountered WMF Vulnerability
- From: "MAP" <mikepawlak2REM@xxxxxxxxxxxxxx>
- Date: Sun, 1 Jan 2006 08:40:44 -0500
Jack wrote:
> XPHome SP2, fully patched. Opened a picture link, it flashed up my
> download manager trying to download the file eid6.wmf, which shut
> before I could close it and flashed open the picture and fax viewer
> which I closed and disconnected from the internet. The following new
> process was running:
>
> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
> C:\Documents and Settings\%username%\Local Settings\Temporary Internet
> Files\Content.IE5\WTABCDEZ\eid6[1].wmf
>
> Closed it and cleaned the IE cache and rebooted and it didn't restart.
> Following files were created around this time and may or may not be
> related:
>
> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
>
> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
>
> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
>
> C:\WINDOWS\system32\CatRoot2\tmp.edb
>
> I removed the prefetch files; the catroot2 file was in use and could
> not be moved, and disappeared over a reboot. Then used SR to restore
> to a point prior. Doesn't seem as if there is any obvious residual,
> but does anyone know anything else I should do or look for? I had not
> unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:
>
> http://www.grc.com/sn/notes-020.htm
>
> Thanks.
What Anti-virus program do you use? Most can already detect this exploit.
Here is some reading on this.
http://www.updatexp.com/wmf-exploit.html
If you read the link above, it mentions that this exploit can download and
install trojans and/or malware. I suggest that you try Ewido for 14 days free;
it will also detect the wmf vulnerability if your system is still infected.
http://www.ewido.net/en/
The following is copied and pasted from the MS virus newsgroups courtesy of
David Lipman.
AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found
--
Mike Pawlak
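One way to turn the indicators quoted in this thread into a repeatable triage check, as an added example that is not part of the original posts: it flags the rundll32/shimgvw.dll,ImageView_Fullscreen command line when its target is a .wmf served from the IE cache, and lists Prefetch entries for cmd.exe and ftp.exe created close to the event. The command line is the one Jack quoted with the username replaced by the placeholder "jack"; the Prefetch timestamps and the benign control entries are constructed, since the post gives no times.

```python
import re
from datetime import datetime, timedelta

# Constructed samples. The first command line is the one quoted in the thread
# (username replaced with the placeholder "jack"); the others are benign controls.
PROCESS_CMDLINES = [
    r'"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen '
    r'C:\Documents and Settings\jack\Local Settings\Temporary Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf',
    r'"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen C:\Documents and Settings\jack\My Documents\holiday.jpg',
    r'"C:\Program Files\Internet Explorer\iexplore.exe"',
]
# Prefetch files named in the post, with assumed creation times (the post gives none).
EVENT_TIME = datetime(2006, 1, 1, 8, 0)
PREFETCH = [
    ("CMD.EXE-034B0549.pf", datetime(2006, 1, 1, 8, 1)),
    ("FTP.EXE-06C55CF9.pf", datetime(2006, 1, 1, 8, 2)),
    ("RUNDLL32.EXE-6061F310.pf", datetime(2006, 1, 1, 8, 0)),
    ("NOTEPAD.EXE-336351A9.pf", datetime(2005, 12, 30, 12, 0)),  # constructed, old, unrelated
]

RUNDLL32_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+),(?P<entry>\S+)\s*(?P<arg>.*)$',
                         re.IGNORECASE)

def triage_cmdline(cmdline):
    """Score one process command line; 0 means it does not match the WMF-viewer pattern."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return 0, []
    dll, entry, arg = m.group("dll").strip().lower(), m.group("entry").lower(), m.group("arg").strip('" ')
    reasons = []
    if dll.endswith("shimgvw.dll") and entry == "imageview_fullscreen":
        reasons.append("Picture and Fax Viewer started through rundll32 (shimgvw.dll,ImageView_Fullscreen)")
        if arg.lower().endswith(".wmf"):
            reasons.append("viewer target is a .wmf file")
        if re.search(r"\\temporary internet files\\content\.ie5\\", arg, re.IGNORECASE):
            reasons.append("target lives in the IE cache, i.e. it was delivered by a web page")
    return len(reasons), reasons

def prefetch_near_event(entries, event_time, window=timedelta(minutes=10)):
    """Prefetch entries for command-line tools (cmd/ftp) created within the window around the event."""
    tools = {"CMD.EXE", "FTP.EXE"}  # the two named in the post; extend as needed
    hits = []
    for name, created in entries:
        exe = name.rsplit("-", 1)[0].upper()  # Prefetch names are NAME-HASH.pf
        if exe in tools and abs(created - event_time) <= window:
            hits.append(exe)
    return sorted(hits)
```

Run `triage_cmdline` over each entry of a process listing and `prefetch_near_event` over the Prefetch directory; a score of 3 reproduces exactly the situation Jack described, while a .jpg opened from My Documents scores 1 and is normal viewer use.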