Windows MetaFiles still vulnerable
noway1

join:2004-11-29

reply to gracie
Re: Windows MetaFiles still vulnerable

said by gracie:

...LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.

I needed to restart for the fix to work.

redwolfe_98

join:2001-06-11
·RoadRunner Cable

reply to redxii
i got an alert about this issue from "computer associates" ("etrust"). here is their "workaround"/"recommendations":

"Reduce exposure by disabling the automatic rendering of WMF files.

To unregister shimgvw.dll, execute the following command:

regsvr32 /u shimgvw.dll

To enable shimgvw.dll, use the following command:

regsvr32 shimgvw.dll" -end CA "recommendations"

my question is, how do we "disable automatic rendering of WMF files"? i wasn't sure if the instructions to "unregister" "shimgvw.dll" were for doing that, or not.


gracie
Geek Goddess
Premium
join:2003-07-15
confusion

reply to gracie
WARNING about using the regsvr hack: it totally disables ms picture viewer, not just for .wmf files. i now can't use "preview" in the right click menu for ANY files---jpg, gif, etc. double clicking them still opens them in psp, as that is the association, but you can't "preview" using picture and fax viewer anymore.

this may be obvious to most; i didn't realize the hack was to disable picture viewer altogether, somehow i thought it was just to disable picture viewer rendering .wmf files. boo.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide

jp10558
Premium
join:2005-06-24
Willseyville, NY

Interesting question - won't most security software catch this anyway? Say your firewall asking if foo.exe can open an FTP connection to someplace you've never been?

If that fails, I'm betting that teatimer and processguard will catch the registry and executions respectively.
--
Opera 8.5(Build 7700); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 3;Proxomitron 4.5j Grypen 12/2/05(Opera mod),GPG ID:0x0A1C6EE3


hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to gracie
said by gracie:

WARNING about using the regsvr hack: it totally disables ms picture viewer, not just for .wmf files. i now can't use "preview" in the right click menu for ANY files---jpg, gif, etc. double clicking them still opens them in psp, as that is the association, but you can't "preview" using picture and fax viewer anymore.

this may be obvious to most; i didn't realize the hack was to disable picture viewer altogether, somehow i thought it was just to disable picture viewer rendering .wmf files. boo.

I haven't applied the hack myself, but just skimming through related registry classes it appears there is a lot of functionality which would be broken.

I am wondering if we could narrow it down to a particular CLSID code we could set the kill on instead?
--
Get hpHOSTS! Member ASAP
George Bush is lying to you.


gracie
Geek Goddess
Premium
join:2003-07-15
confusion

said by hpguru:

skimming through related registry classes it appears there is a lot of functionality which would be broken.

indeed...i just had a problem with my ocr program saving a file it scanned in notepad. was able to copy and paste the text, open notepad on my own, and save the file fine. suspect it's related.

hopefully, you gurus will come up with a better workaround, or ms will patch quickly.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide


Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ
clubs:

reply to jp10558
said by jp10558:

Interesting question - won't most security software catch this anyway? Say your firewall asking if foo.exe can open an FTP connection to someplace you've never been?

I'd assume that all firewalls that provide outbound protection would prompt the user, unless they've already created a rule allowing all FTP traffic from the windows FTP client program.

What you're assuming here is that people do have a good firewall. Nine tenths of them don't.
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 12900+ messages currently using 406 MB.


jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

reply to jp10558
That would seem likely but who knows. I have read that BOClean already had this trojan covered over a month ago. If it all starts with a simple trojan being downloaded then that would seem simple enough to take care of but I'm not so sure that is all that is happening. Does the exploit cause the trojan download to be attempted using ftp or is the exploit code opening up another hole?

I am reading this from a user on GRC: The question was asked, "Now all we need to find out if the action of right clicking it can infect the system?"

"Said by Not John Lennon"
It appears it can. On my test system so far, all I can get it to do is crash & restart the shell. (Explorer.exe) It doesn't seem to actually infect the system & it's doing it (restarting explorer) just by pointing at the file. No chance to right click, left click, swear at it or anything else. Explorer immediately crashes & restarts. Weird. On another system, it infected it when the file was right clicked. Both systems XP Pro.

I didn't quite understand Red's response to my suggestion about trying it with IrfanView as the default viewer for wmf files.

jp10558
Premium
join:2005-06-24
Willseyville, NY
reply to redxii
I've gone and done the registry fix, as I don't use Windows Fax viewer ... but can we undo it once there's a patch?

How would we do that?


redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas

reply to hpguru
Control Panel -> Folder Options -> File Types. Find and delete EMF and WMF.

Edit: Ok that will keep it from downloading automagically but it will still execute when browsing to a folder with the files ...


redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas

reply to jbob
said by jbob:

I didn't quite understand Red's response to my suggestion about trying it with IrfanView as the default viewer for wmf files.

OK, in short: unless one unregisters shimgvw.dll (doing so, I didn't require a restart), it is going to execute code. I told Irfanview to register WMF and EMF and they were still able to execute code even outside of Irfanview.

Again, it only runs with the same privileges as the user.
--
Open Source -> Close Minded

Microsoft Windows 2000/XP Security: Some Assembly Required.

Excessive use of "$" as in "M$" may make you look like a fool.

prana

join:2005-03-22
Australia
reply to jbob
Right click infected my sandbox.

I have posted all samples and related DLLs to an AV vendor for signatures.


gracie
Geek Goddess
Premium
join:2003-07-15
confusion

reply to jp10558
said by jp10558:

I've gone and done the registry fix, as I don't use Windows Fax viewer ... but can we undo it once there's a patch? How would we do that?

once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide

KyeU

join:2003-12-31
Canada

reply to redxii
I've created two Proxomitron filters to help protect the user against downloading/loading .WMF images.

Web Filter:

[Patterns]
Name = "Kill .WMF [Kye-U]"
Active = TRUE
Bounds = "<*>"
Limit = 256
Match = "*.wmf*"
Replace = "$ALERT(.WMF Extension Killed on:\n\n\u)"

Header Filter:

[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill WMF Connection [Kye-U] (Out)"
URL = "(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.wmf(*)\1$TST(\1=(^/))"
Match = "*&($CONFIRM(.WMF FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1)|$SET(1=URL with .WMF Extension Killed\k))"
Replace = "\1"
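
As an added example, not Kye-U's filter or any code from this thread, the same two checks written in Python: the name match approximates the header filter's URL pattern, and a content check on the leading bytes flags a metafile served under some other extension, which a name-only filter misses. The host and response bodies are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Magic bytes of the two Windows Metafile layouts (from the public WMF
# format, not from the thread): the Aldus "placeable" key 0x9AC6CDD7 and the
# standard header (Type 1 = memory, 2 = disk; HeaderSize 9; Version 0x0100/0x0300).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
STANDARD_PREFIXES = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")
STANDARD_VERSIONS = (b"\x00\x01", b"\x00\x03")

# Name check, approximating the Proxomitron URL-Killer: the URL path ends in
# .wmf (any case); a query string is ignored, a trailing "/segment" is not matched.
WMF_NAME = re.compile(r"\.wmf$", re.IGNORECASE)

def url_names_wmf(url: str) -> bool:
    return WMF_NAME.search(urlparse(url).path) is not None

def body_is_wmf(data: bytes) -> bool:
    """Content check: a metafile renamed to .jpg still carries the WMF header."""
    if data.startswith(PLACEABLE_KEY):
        return True
    return data[:4] in STANDARD_PREFIXES and data[4:6] in STANDARD_VERSIONS

def classify(url: str, body: bytes) -> str:
    """Verdict for one proxied response; 'wmf-disguised' is what the name filter misses."""
    by_name, by_content = url_names_wmf(url), body_is_wmf(body)
    if by_content:
        return "wmf" if by_name else "wmf-disguised"
    return "wmf-name-only" if by_name else "ok"

# Constructed sample traffic (hypothetical host example.test, fabricated bodies).
SAMPLES = [
    ("http://example.test/pics/logo.WMF?v=2", b"\xd7\xcd\xc6\x9a" + b"\x00" * 18),
    ("http://example.test/banner.jpg", b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12),
    ("http://example.test/photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("http://example.test/missing.wmf", b"404 not found"),
]

def scan(samples=SAMPLES):
    """Run every sample through classify() and return (url, verdict) pairs."""
    return [(url, classify(url, body)) for url, body in samples]

if __name__ == "__main__":
    for url, verdict in scan():
        print(f"{verdict:15} {url}")
```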

jp10558
Premium
join:2005-06-24
Willseyville, NY
Thanks Kye-U. With this, do I still need to disable Windows Picture Viewer?

KyeU

join:2003-12-31
Canada


It would catch most .WMF files I would think. The Web Page Filter kills most standard images with the .WMF extension, and the Header Filter catches the connections to *.WMF; this is because heavily encrypted JS files are difficult to match, but their connection requests are out in the open.

I would think it is still safe to disable Windows Picture Viewer, or perhaps even associating the .WMF file extension to Notepad (or another file).


Chip
Premium
join:2001-12-23
Connecticut

said by KyeU:

I would think it is still safe to disable Windows Picture Viewer, or perhaps even associating the .WMF file extension to Notepad (or another file).

Here's what I tried. I changed the association for WMF/EMF from the viewer to the Foxit PDF reader. I then went to crackz and got the warning box shown above. So far I haven't got the same symptoms that RedXII1234 got when he initially went to the site.

I'm going to take some time and go through the machine and see if I find anything suspicious.
--
The three great strategies for obscuring an issue are to introduce irrelevancies, to arouse prejudice, and to excite ridicule--Bergen Evans

Libra
Premium
join:2003-08-06
USA

reply to redxii
said by redxii:

Again, it only runs with the same privileges as the user.

REDxII1234,
If you don't unregister shimgvw.dll, but are running in a limited user account, will you be okay?

Also, should I unregister shimgvw.dll in Windows 98se?

Thank you.

Sincerely, Libra

pier5

join:2002-03-27
34312
reply to Chip
bestserials had this wmf exploit but maxthon/IE opened a dialog asking if I wanted to view the WMF file with its associated viewer. I said "No" and the infection was prevented.

KyeU

join:2003-12-31
Canada

reply to redxii
Beehappyy uses 4 methods to infect the user.

1. Loads free.anr through "{CURSOR: url("free.anr")}", which downloads xxx.exe to the C:\ Drive

2. Loads an IFRAME with the .WMF exploit.

3. Loads a tiny Java applet: "BlackBox.class", which modifies the Windows permissions I think.

4. Uses the Windows CHM Help File exploit.
over 10 years online! © 1999-2009 dslreports.com.