To All,
Last night, a very dangerous computer worm was released on the
internet. It is carried on Windows Metafile images and automatically
executes with no user interaction. With Microsoft Explorer or
Outlook, you are automatically infected if you receive infected
email or view a site with the worm. The problem is Windows WMF files
have the capability to execute external code. This is a virus
writer's dream. He can do anything he wants.
The structure of the worm means it will be difficult or impossible
to detect by antivirus programs, and it may be extremely difficult
or impossible to remove from your computer.
Microsoft has no patch at the moment, and the procedure they
currently recommend to reduce the hazard of infection may not work.
Here's more info:
------------------------------------------------------------------
Going back to the wmf vulnerability itself, we see a number of sites
mention that shimgvw.dll is the vulnerable file.
This doesn't seem correct as it's possible to exploit a system on
which shimgvw.dll has been unregistered and deleted. The
vulnerability seems to be in gdi32.dll.
So while unregistering shimgvw.dll may make you less vulnerable,
several attack scenarios come to mind where the system can still
be compromised.
http://isc.sans.org/diary.php?storyid=992
------------------------------------------------------------------
This may be the worst worm that anyone could possibly invent. Here's
a portion of a summary by a Slashdot reader:
------------------------------------------------------------------
It's worse than that (Score:1, Insightful)
by Anonymous Coward on Sunday January 01, @01:11PM (#14374914)
[...]
This is looking truly horrible. On Tuesday morning zillions of
Windows desktops will be fired up for the first time in a week or
two. This thing's already in widespread use by a number of malware
distribution networks for the usual reasons. As such it's a
nightmare for network and system admins with Windows machines to
look after (and us security people trying to provide advice &
assistance for them...)
[...]
I will stick my neck out here and make a prediction. Virtually all
organisations with Windows machines are effectively wide open to
total compromise by a reasonably informed person. That means much
of the IT dept as well as significant numbers of the 'interested
poweruser' types, developers with a casual interest in security,
and anyone who's heard of this and is capable of finding,
running and using the new exploit, basically. Of course
we're all tweaking our IDSes and antivirus, locking things down as
tight as possible in the 48 hours remaining, but... *shudder*.
For ten years I've been waiting for Microsoft's luck to run out.
This is about #3 on my list of catastrophic MS incidents. There
aren't many ways things could be worse.
url:
http://it.slashdot.org/it/06/01/01/1550258.shtml
------------------------------------------------------------------
Other sites confirm the serious nature of the problem:
------------------------------------------------------------------
Re: WMF Vulnerability leads to compromised computers
*** ALL USERS OF WINDOWS, PLEASE READ BELOW. ***
There is a very major security problem with Windows, all variants
back to Windows 98.
All systems are at risk. Many are already infected. There are few
options for an effective defense.
See our web page on this issue:
http://www.softprose.com/information/antivirus/wmf.shtml
Greetings,
This is an urgent advisory of a real-life threat to all Windows
computers.
The Windows Metafile Format (*.WMF) image format, developed by
Microsoft, has been shown to have a critical flaw that allows ALL
VARIANTS of Windows computers after and including Windows 98 to be
taken over by criminals SIMPLY BY VIEWING images on a web page or
images contained in Email, including preview.
The WMF vulnerability is not a virus in itself- it is, instead,
known as an "Exploit", or a pathway that a Virus (or spyware, or
any number of malware variants) can use to be inserted into a
computer. Unfortunately, the bad guys found this hole before the
"white hats" got involved, so this problem is already showing up
on users' computers.
This is a SEVERE problem, that is already being exploited for
commercial and criminal gain. The spyware program "Winhound" is
the most common, and prominent, example using this security hole,
but many other programs have been found that are taking advantage
of it. Many of these programs use stealth techniques to hide on
your PC, and record keystrokes, logins, credit card, and all sorts
of other information of interest to criminal enterprises.
Other commercial programs using this security hole include
Winfixer and AVGold. There will probably be many more.
Although Winhound is a very busy, obvious, and obnoxious
infestation, it is not the worst- the worst infestation is that
which you do not know about. There is no defense currently
available for this problem, and fully-patched systems are being
infected. No current antivirus software is defending against this
threat. As there is a direct financial incentive, the number and
variety of programs using this security flaw are expanding
exponentially.
This has the capacity of being the single greatest security threat
ever discovered. The number of machines that are vulnerable
include every single Windows computer in the world. There is
currently no organized defense. The number and variety of attacks
are quite large, and they are not being addressed at this time by
security products.
The pictures DO NOT NECESSARILY have a *.WMF extension! WMF files
will execute just fine if they are called *.gif, *.jpg, *.bmp, and
other names! ANY GRAPHIC FILE can conceal the infection.
url:
http://www.aota.net/forums/showthread.php?p=143053
------------------------------------------------------------------
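Two points in the material above matter most to anyone filtering mail or web
traffic: a WMF is rendered by gdi32.dll no matter what extension it carries,
and the format itself can contain an Escape record that hands control to
code. The following Python is an added example written for this note; it is
not code from Mike Monett, SANS, Slashdot or any of the quoted sites. It
identifies WMF data by its header bytes rather than by file name, then walks
the record list and reports any META_ESCAPE records, flagging the
SetAbortProc escape code in particular, which is the escape the exploits of
the time abused. The function names and the three sample byte strings are
constructed for this example; the header and record layouts are those of the
WMF specification.

```python
import struct

# Header constants from the WMF specification (facts, not from the email).
PLACEABLE_KEY = 0x9AC6CDD7   # 22-byte "placeable" wrapper precedes the real header
META_ESCAPE = 0x0626         # record function: pass an escape request to the driver
SETABORTPROC = 0x0009        # escape sub-code that registers a callback, the abused path
META_EOF = 0x0000
META_SETMAPMODE = 0x0103     # harmless record used only in the benign sample below


def is_wmf(data: bytes) -> bool:
    """Decide by header bytes, never by extension, whether data is a WMF."""
    if len(data) < 18:
        return False
    if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def wmf_records(data: bytes):
    """Yield (function, parameter bytes) for each record in a WMF."""
    offset = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    offset += 18                                   # skip the 18-byte METAHEADER
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        if size_words < 3:                         # size counts itself; 3 words is the minimum
            break                                  # truncated or corrupt: stop, do not guess
        end = offset + size_words * 2
        yield func, data[offset + 6:end]
        if func == META_EOF:
            break
        offset = end


def scan(filename: str, data: bytes) -> dict:
    """Findings a gateway filter can act on: true type, disguise, escape use."""
    result = {"is_wmf": is_wmf(data), "disguised": False,
              "escape_codes": [], "setabortproc": False}
    if not result["is_wmf"]:
        return result
    # The extension is untrusted input: a .gif or .jpg name is still rendered as WMF.
    result["disguised"] = not filename.lower().endswith(".wmf")
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            code = struct.unpack_from("<H", params, 0)[0]
            result["escape_codes"].append(code)
            if code == SETABORTPROC:
                result["setabortproc"] = True
    return result


# --- constructed samples, built here so the example runs offline ------------

def _record(func: int, params: bytes) -> bytes:
    # rdSize is in 16-bit words and includes the 6-byte record header
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records) -> bytes:
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    return header + body


# Ordinary drawing file: one map-mode record, then end-of-file.
BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                   _record(META_EOF, b"")])

# Structure a scanner must flag: an Escape record carrying SetAbortProc.
# The four zero bytes are inert filler, not any real payload.
ESCAPE_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                   _record(META_EOF, b"")])

# Genuine JPEG header padded out, to show a real picture is not misreported.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 10


if __name__ == "__main__":
    for name, blob in [("chart.wmf", BENIGN_WMF), ("holiday.jpg", ESCAPE_WMF),
                       ("photo.jpg", JPEG_BYTES)]:
        print(name, scan(name, blob))
```

The check deliberately keys on the record structure rather than on any
particular payload bytes, so it does not depend on a signature for one
variant; a disguised WMF with no Escape record is still reported as
disguised, which is itself worth quarantining.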
Everyone recommends that you stop using the Microsoft Explorer browser
and switch to Firefox. Firefox is still vulnerable, but at least it
requires you to go through a user dialog to execute the worm. Here is
the Firefox url:
http://www.mozilla.com/firefox/
I use Opera 8.51, but I haven't found out whether it is vulnerable.
Now's the time to back up all your critical files on a separate
computer and keep it away from the web.
Best Wishes and Good Luck to All.
Mike Monett