Maker Pro

A Very Dangerous Worm in Windows Metafile Images (WMF)

Ken Smith
I just had a great idea that I hereby make public domain:

Someone could write a *.WMF worm that automatically downloads and installs
Linux on all the computers that it can infect.
 
John Larkin
To All,

Last night, a very dangerous computer worm was released on the
internet. It is carried on Windows Metafile images and automatically
executes with no user interaction. With Microsoft Explorer or
Outlook, you are automatically infected if you receive infected
email or view a site with the worm. The problem is Windows WMF files
have the capability to execute external code. This is a virus
writer's dream. He can do anything he wants.

It took the genius of Bill Gates to design an OS that allows worms to
be resident in viewable images. As I recall, Windows had the same
problem with true jpeg files once.

"When in doubt, execute it."


John
 
Mike Monett
To All,

Last night, a very dangerous computer worm was released on the
internet. It is carried on Windows Metafile images and automatically
executes with no user interaction. With Microsoft Explorer or
Outlook, you are automatically infected if you receive infected
email or view a site with the worm. The problem is Windows WMF files
have the capability to execute external code. This is a virus
writer's dream. He can do anything he wants.

The structure of the worm means it will be difficult or impossible
to detect by antivirus programs, and it may be extremely difficult
or impossible to remove from your computer.

Microsoft has no patch at the moment, and the procedure they
currently recommend to reduce the hazard of infection may not work.
Here's more info:

------------------------------------------------------------------

Going back to the wmf vulnerability itself, we see number of sites
mention that shimgvw.dll is the vulnerable file.

This doesn't seem correct as it's possible to exploit a system on
which shimgvw.dll has been unregistered and deleted. The
vulnerability seems to be in gdi32.dll.

So while unregistering shimgvw.dll may make you less vulnerable,
several attack scenarios come to mind where the system can still
be compromised.

http://isc.sans.org/diary.php?storyid=992

------------------------------------------------------------------

This may be the worst worm that anyone could possibly invent. Here's
a portion of a summary by a Slashdot reader:

------------------------------------------------------------------

It's worse than that (Score:1, Insightful)
by Anonymous Coward on Sunday January 01, @01:11PM (#14374914)

[...]

This is looking truly horrible. On Tuesday morning zillions of
Windows desktops will be fired up for the first time in a week or
two. This thing's already in widespread use by a number of malware
distribution networks for the usual reasons. As such it's a
nightmare for network and system admins with Windows machines to
look after (and us security people trying to provide advice &
assistance for them...)

[...]

I will stick my neck out here and make a prediction. Virtually all
organisations with Windows machines are effectively wide open to
total compromise by a reasonably informed person. That means much
of the IT dept as well as significant numbers of the 'interested
poweruser' types, developers with a casual interest in security,
and anyone who's heard of this and is capable of running the
finding, running and using the new exploit, basically. Of course
we're all tweaking our IDSes and antivirus, locking things down as
tight as possible in the 48 hours remaining, but... *shudder*.

For ten years I've been waiting for Microsoft's luck to run out.

This is about #3 on my list of catastrophic MS incidents. There
aren't many ways things could be worse.

url: http://it.slashdot.org/it/06/01/01/1550258.shtml

------------------------------------------------------------------

Other sites confirm the serious nature of the problem:

------------------------------------------------------------------

Re: WMF Vulnerability leads to compromised computers

*** ALL USERS OF WINDOWS, PLEASE READ BELOW. ***

There is a very major security problem with Windows, all variants
back to Windows 98.

All systems are at risk. Many are already infected. There are few
options for an effective defense.

See our web page on this issue:

http://www.softprose.com/information/antivirus/wmf.shtml

Greetings,

This is an urgent advisory of a real-life threat to all Windows
computers.

The Windows Metafile Format (*.WMF) image format, developed by
Microsoft, has been shown to have a critical flaw that allows ALL
VARIANTS of Windows computers after and including Windows 98 to be
taken over by criminals SIMPLY BY VIEWING images on a web page or
images contained in Email- Including preview.

The WMF vulnerability is not a virus in itself- it is, instead,
known as an "Exploit", or a pathway that a Virus (or spyware, or
any number of malware variants) can use to be inserted into a
computer. Unfortunately, the bad guys found this hole before the
"white hats" got involved, so this problem is already showing up
on users' computers.

This is a SEVERE problem, that is already being exploited for
commercial and criminal gain. The spyware program "Winhound" is
the most common, and prominent, example using this security hole,
but many other programs have been found that are taking advantage
of it. Many of these programs use stealth techniques to hide on
your PC, and record keystrokes, logins, credit card, and all sorts
of other information of interest to criminal enterprises.

Other commercial programs using this security hole include
Winfixer and AVGold. There will probably be many more.

Although Winhound is a very busy, obvious, and obnoxious
infestation, it is not the worst- the worst infestation is that
which you do not know about. There is no defense currently
available for this problem, and fully-patched systems are being
infected. No current antivirus software is defending against this
threat. As there is a direct financial incentive, the number and
variety of softwares using this security flaw are expanding
exponentially in number.

This has the capacity of being the single greatest security threat
ever discovered. The number of machines that are vulnerable
include every single Windows computer in the world. There is
currently no organized defense. The number and variety of attacks
are quite large, and they are not being addressed at this time by
security products.

The pictures DO NOT NECESSARILY have a *.WMF extension! WMF files
will execute just fine if they are called *.gif, *.jpg, *.bmp, and
other names! ANY GRAPHIC FILE can conceal the infection.

url: http://www.aota.net/forums/showthread.php?p=143053

------------------------------------------------------------------

Everyone recommends that you stop using the Microsoft Explorer browser
and switch to Firefox. Firefox is still vulnerable, but at least it
requires you to go through a user dialog to execute the worm. Here is
the Firefox url:

http://www.mozilla.com/firefox/

I use Opera 8.51, but I haven't found if it is vulnerable.

Now's the time to back up all your critical files on a separate
computer and keep it away from the web.

Best Wishes and Good Luck to All.

Mike Monett
 
Mike Monett
Mike said:
> To All,
>
> Last night, a very dangerous computer worm was released on the
> internet. It is carried on Windows Metafile images and automatically
> executes with no user interaction. With Microsoft Explorer or
> Outlook, you are automatically infected if you receive infected
> email or view a site with the worm. The problem is Windows WMF files
> have the capability to execute external code. This is a virus
> writer's dream. He can do anything he wants.
>
> [...]

Update: Opera is not vulnerable. You have to work hard to get infected.

Here is more information from Rijk van Geijtenbeek in the opera.general
newsgroup:

"Opera cannot display WMF files natively, so it is not vulnerable
in itself. With the default configuration Opera opens the download
dialog for such files. If you click 'Open' and the default handler
is the 'MS Picture and fax viewer', you can apparently be infected
by malicious WMF files. So treat WMF files with the same caution
as EXE and BAT etc files, I'd say. And don't change Opera's
settings to directly open such files..."

Go Opera! Beats the pants off MSIE and Firefox.

Mike Monett
 
Donald
John said:
> It took the genius of Bill Gates to design an OS that allows worms to
> be resident in viewable images. As I recall, Windows had the same
> problem with true jpeg files once.
>
> "When in doubt, execute it."

Wasn't there a rumor that M$ had back doors for govm't snoops ??

Maybe it wasn't a rumor after all.

donald
 
John Perry
John said:
> It took the genius of Bill Gates to design an OS that allows worms to
> be resident in viewable images. As I recall, Windows had the same
> problem with true jpeg files once.
>
> "When in doubt, execute it."

I'm sure Gates is one of the main sources of the mindset that generates
crap like this, but I really don't think he's done any serious
programming since Microsoft Basic (the only _good_ thing to originate in
Microsoft, by the way). He bought DOS from a Real Programmer, and
since, he's been a corporate bigwig.

Yeah, he may have been in on top-level design and corporate design goals,
but...

John Perry
 
David Brown
John said:
> It took the genius of Bill Gates to design an OS that allows worms to
> be resident in viewable images. As I recall, Windows had the same
> problem with true jpeg files once.
>
> "When in doubt, execute it."
>
> John

I believe the MS Office clip art file format also has the option of
including macro viruses, though I never heard of any real exploits.
Windows font files can also have viruses, since they are at heart dll's.
 
Frank Bemelman
This is a very serious problem. Watch the internet melt tomorrow when
everyone comes back from XMas vacation.

Hahahahaha.....
 
Mike Monett
JeffM said:
> A patch for NT-based systems [1] http://66.102.7.104/search?q=cache:...atch+the-seriousness-of-the-WMF-vulnerability
> .
> .
> [1] There is no patch for DOS-based Windoze.

There is a vulnerability checker at

http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more

Several people report their results on Win98. Apparently Win98 shows as
being vulnerable, but two people running Win98SE say their system reports
not vulnerable.

I am running Win98SE with the Final Update. The test report says it is
not vulnerable. A brief look at the source indicates it may not be able
to find the entry points in the Win98SE version of gdi32.dll.

Wishful thinking says maybe the virus writers could have the same problem
with Win98SE, and anyway they will be going after w2k and xp systems.
Somehow that doesn't make me feel better.

The author emphasizes he checks only one vulnerability and there may be
more. So it is not safe to assume that Win98SE or later OS's are
invulnerable to this problem even if the temporary patch is applied.

This is a very serious problem. Watch the internet melt tomorrow when
everyone comes back from XMas vacation.

Mike Monett
 
Winfield Hill
Frank Bemelman wrote...
> Mike Monett wrote...
>
> Hahahahaha.....

Most of us don't visit malicious web pages. And hopefully
by now most of us have our email program set not to display
email links or images. Wait, I don't know, is that feature
available yet in Microsoft's Outlook and Outlook Express?

Hmm, wait, what about web-based email programs, do they let
you set a default to preview the contents of a spam email
without showing the embedded images?
 
Mike Monett
John Larkin wrote:

> [...]
> It took the genius of Bill Gates to design an OS that allows worms to
> be resident in viewable images. As I recall, Windows had the same
> problem with true jpeg files once.
>
> "When in doubt, execute it."
>
> John

According to the CERT advisory, a wmf file can have many extensions:

------------------------------------------------------------------

"Please note that Windows Metafile data may be saved with an
extension other than WMF. A file with any extension that is
associated with Windows Picture and Fax Viewer can be used to
exploit this vulnerability. By default, Windows Picture and Fax
Viewer is associated with the following file extensions:"

"BMP DIB GIF EMF JFIF JPE JPEG JPG PNG TIF TIFF WMF"

http://www.kb.cert.org/vuls/id/181038

------------------------------------------------------------------

The IM worm that was released yesterday was "http://[snip]/xmas-2006
FUNNY.jpg".

So we can't tell if an image file is safe by looking at the extension.

Pure chaos.

Mike Monett
 
John Devereux
Winfield Hill said:
> Frank Bemelman wrote...
>
> Most of us don't visit malicious web pages.

<SNIP>

It might only take an external graphics ad on an otherwise
"respectable" site.
 
Pooh Bear
Winfield said:
> Most of us don't visit malicious web pages.

It's easy to redirect you there.

> And hopefully
> by now most of us have our email program set not to display
> email links or images. Wait, I don't know, is that feature
> available yet in Microsoft's Outlook and Outlook Express?

I've just been looking and can't find anything relevant to turn
on/off.

> Hmm, wait, what about web-based email programs, do they let
> you set a default to preview the contents of a spam email
> without showing the embedded images?

Dunno mate. Good luck. Put a condom on your PC ! ;-)

Graham
 
Winfield Hill
Pooh Bear wrote...
> It's easy to redirect you there.

Right, but I can be fairly confident NSC and Linear Technology
aren't going to do that. And I won't be visiting Porn-R-Us or
Internet-Gambling-Winner-Now, etc.

> I've just been looking and can't find anything relevant to
> turn on/off.

That could mean you don't have it. Mozilla's Thunderbird email
program has its shields up by default, which is easily seen as
your email displays with empty boxes where images are intended,
along with a "show images" button, which you can activate once
you're completely confident that specific email is from a safe
source. The next email you examine once again has blocked images.

> Dunno mate. Good luck. Put a condom on your PC ! ;-)

Indeed.
 
Frank Bemelman
Winfield Hill said:
> Frank Bemelman wrote...
>
> Most of us don't visit malicious web pages. And hopefully
> by now most of us have our email program set not to display
> email links or images. Wait, I don't know, is that feature
> available yet in Microsoft's Outlook and Outlook Express?

Outlook Express has that choice. I read my email as plain text.

> Hmm, wait, what about web-based email programs, do they let
> you set a default to preview the contents of a spam email
> without showing the embedded images?

I suppose some folks may catch this new virus. But if the internet
is going to melt down tomorrow, I'd expect to hear more about
it, other than a worried post from Mike Monett.
 
Pooh Bear
Frank said:
> Outlook Express has that choice. I read my email as plain text.

I saw that option too. I didn't reckon it was related to the preview
pane though.

My Windows is fully patched, so I may not have the vulnerability in OE
anyway.

> I suppose some folks may catch this new virus. But if the internet
> is going to melt down tomorrow, I'd expect to hear more about
> it, other than a worried post from Mike Monett.

It has to start somewhere. I was initially sceptical but investigated
it. As time passed I saw that the alerts were increasing in severity.

This is a real one.

I've finally installed Opera ( after years of my IT friends saying I
should ) as my default browser. It's better than IE anyway ! Page
rendering is blisteringly fast. It is essentially unaffected by this
current issue. I recommend it.

" Opera 8.x with all vendor patches installed and all vendor
workarounds applied, is currently affected by one or more Secunia
advisories rated Not critical "

http://secunia.com/product/4932/

Graham
 
Winfield Hill
John Devereux wrote...
> <SNIP>
>
> It might only take an external graphics ad on an otherwise
> "respectable" site.

Yes. But the keyword is "respectable" - So, I'd say even if
you install Ilfak Guilfanov's WMF-Exploit patch (on W2000 sr4
and XP sr2 systems only, SFAIK) - I have done so - be careful
to only visit *very* safe well-known websites.

Ilfak's patch blocks WMF files from executing any internal code
they might carry (this was a MS Windows design feature intended
to implement a "SETABORT escape sequence," but able to do more).

http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more
http://blog.ziffdavis.com/seltzer/archive/2005/12/31/39650.aspx
http://www.grc.com/sn/notes-020.htm
http://www.f-secure.com/weblog/
http://ipadventures.com/

Once Microsoft eventually offers a fix, and it's installed, and
after a few days (weeks?) multiple ALL CLEARs have been issued,
Ilfak's patch can be removed (using Add/Remove Programs). Then
we can begin random web-exploring once more. :) Sheesh!
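Mike's CERT quote (metafile data can hide behind any viewer-associated extension) and the SETABORT escape that Ilfak's patch blocks together describe what a mail gateway or download scanner has to do: identify a metafile from its bytes, not its name, and look for the ESCAPE record whose sub-function is SETABORTPROC. The following is an added example for this thread, not code from any poster or from Ilfak's patch; the record-type and sub-function values come from the public MS-WMF format, the function names are mine, and the sample files are constructed here with an empty escape record, so they carry no payload.

```python
import struct

META_EOF = 0x0000
META_ESCAPE = 0x0626        # GDI escape record type (MS-WMF)
SETABORTPROC = 0x0009       # escape sub-function the 2005 WMF exploit abused
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable wrapper

def _standard(data: bytes) -> bytes:
    """Skip a placeable wrapper, if any, to the standard 18-byte header."""
    placeable = len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY
    return data[22:] if placeable else data

def is_wmf(data: bytes) -> bool:
    """Recognise a Windows Metafile from its header fields, not its file name."""
    d = _standard(data)
    if len(d) < 18:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", d, 0)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def escape_functions(data: bytes) -> list:
    """Walk the record chain and collect the sub-function of every META_ESCAPE."""
    d, found, off = _standard(data), [], 18
    while off + 6 <= len(d):
        size_words, func = struct.unpack_from("<IH", d, off)
        if size_words < 3:            # malformed: record shorter than its own header
            break
        if func == META_ESCAPE and off + 8 <= len(d):
            found.append(struct.unpack_from("<H", d, off + 6)[0])
        if func == META_EOF:
            break
        off += size_words * 2
    return found

def classify(name: str, data: bytes) -> tuple:
    """(verdict, disguised): verdict from content; disguised = WMF under a non-.wmf name."""
    if not is_wmf(data):
        return "not-wmf", False
    verdict = "wmf-setabortproc" if SETABORTPROC in escape_functions(data) else "wmf"
    return verdict, not name.lower().endswith(".wmf")

# Constructed samples (not real malware: the escape record carries no data at all).
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params   # size is in words
def _metafile(*records: bytes) -> bytes:
    body = b"".join(records)
    size_words, max_words = (18 + len(body)) // 2, max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, size_words, 0, max_words, 0) + body

SAMPLE_BENIGN = _metafile(_record(META_EOF))
SAMPLE_SUSPECT = _metafile(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
                           _record(META_EOF))
SAMPLE_PLACEABLE = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + SAMPLE_SUSPECT
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20   # genuine JPEG marker: not a metafile
```

`classify("xmas-2006 FUNNY.jpg", SAMPLE_SUSPECT)` returns `("wmf-setabortproc", True)`: the extension is ignored and the disguise is reported alongside the verdict.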
 
Pooh Bear
Winfield said:
> Pooh Bear wrote...
>
> Right, but I can be fairly confident NSC and Linear Technology
> aren't going to do that. And I won't be visiting Porn-R-Us or
> Internet-Gambling-Winner-Now, etc.

If you're a 'safe surfer' I'm sure that's true. I never fail to be
amazed by the pop-ups that some 'serious' sites have though.

> That could mean you don't have it.

I suspect that's the case. My Windoze ( 98SE ) is fully patched and up
to date with all the Microsoft security issue fixes installed.

I 'passed' the current online test for this exploit btw. It's not
*guaranteed* but helps put my mind at rest.

> Mozilla's Thunderbird email
> program has its shields up by default, which is easily seen as
> your email displays with empty boxes where images are intended,
> along with a "show images" button, which you can activate once
> you're completely confident that specific email is from a safe
> source. The next email you examine once again has blocked images.
>
> Indeed.

Btw - I finally installed Opera as my default browser ( after
seemingly years of being told by my IT friends that it's the 'dog's
bollocks' ) because it's unaffected by this issue. I'd recommend it
! Page rendering is way faster than IE for starters. I don't think
I'll be going back.

Graham
 