New Trojan leak - Images containing WMF-files

Wed, Dec 28 2005 10:29
shhs
Posts 6,255
There is a new exploit to get Trojans onto your computer: websites with images containing WMF files. Exact explanation from F-Secure:

"There's a new zero-day vulnerability related to Windows' image rendering - namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch.

[image: spyware_traffic.png]

The exploit is currently being used to distribute the following threats:
  Trojan-Downloader.Win32.Agent.abs
  Trojan-Dropper.Win32.Small.zp
  Trojan.Win32.Small.ga
  Trojan.Win32.Small.ev.

Some of these install hoax anti-malware programs the likes of Avgold.

[image: spyware_warning.png]

Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.

As a precaution, we recommend administrators to block access to unionseek[DOT]com and to filter all WMF files at HTTP proxy and SMTP level.

F-Secure Anti-Virus detects the offending WMF file as W32/PFV-Exploit with the 2005-12-28_01 updates.

We expect Microsoft to issue a patch on this as soon as they can."

Other reports on this:

http://secunia.com/advisories/18255/
http://isc.sans.org/diary.php?storyid=972


Thu, Dec 29 2005 6:45
shhs
Posts 6,255
Update on WMF-Virus:

Ohho this gets really heavy!! So far it seems only Windows XP-machines are affected, but F-Secure reports that it is enough to have Google-Desktop installed to get the virus!!!!

It happened like this:

"The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows."

The whole web-log here:
(Original spreadin' site was registered to Michail Gorbatschow, and the great "work-around": deregister Shimgvw.dll and forget all picture viewing programs....)
http://www.f-secure.com/weblog/

And, as yesterday, more infos also here:
http://isc.sans.org/diary.php?storyid=975

There is also a nonsense Microsoft article available:
http://www.microsoft.com/technet/security/advisory/912840.mspx


Thu, Dec 29 2005 10:15
shhs
Posts 6,255

Was that a virus spread in the celebrity forum???
http://www.peachyforum.com/forums/181786/ShowPost.aspx

It was 10 minutes later deleted, so I guess, yes, here is what it looked like:
(edited the urls not clickable anymore - even by mistake!!!)

 yashmin wrote:

VERY FRESH AND NEW MAAL ENJOY. GIVE REPS AND REPLIES

Hot 3some Action xXx Video

from - Double Decker Sandwich 5 Scene 6
Starring: Kristal Summers, Trina Michaels
Synopsis: Two insatiable D-Cup vixens take on one lucky stud in every scene of this blistering 3some fest.

previews

http://img15.imagevenue.com/img.php?loc  ; oc155ℑ=6bba8_1.jpg
http://img46.imagevenue.com/img.php?loc  ; oc128ℑ=0c83a_2.jpg
http://img130.imagevenue.com/img.php?lo  ; oc82ℑ=5d16b_3.jpg
http://img132.imagevenue.com/img.php?lo ; oc122ℑ=6e2b7_4.jpg
http://img128.imagevenue.com/img.php?lo ; oc292ℑ=563db_5.jpg
http://img129.imagevenue.com/img.php?lo ; oc123ℑ=caf18_6.jpg

Download link -56.62mb
http://www.sexuploader.com/?d=  ; AQO93O


My Comment

BEWARE!!!
Hidden links in this thread - link 3 + 5!!
[url=http://Search[dot]20mbweb.com/icon/i000035.html]

My question is: Do they have virus protection at imagevenue??


Fri, Dec 30 2005 9:33
matadorstuff
UK
Posts 2,518

This crap just hit me... I went to a page from madteenies.com -- I'm pretty sure it must have been a gallery at teensmack.com -- but before it loaded, Windows' default picture viewer opened up with a .wmf filename shown in the window. But my firewall stopped a .TMP file which had been saved in C:\ from accessing the internet. I then deleted that file, and don't seem to have anything installed, so I hope I'm OK...

Peachyforum might want to ban teensmack.com links, although I can't be 100% sure that was the culprit, as I opened several pages at the same time.

Fri, Dec 30 2005 9:50
funky2004
Amsterdam
Posts 90,340
Retired Moderator

Did I understand correctly that only computers running Windows XP SP2 are affected??

BTW just this morning I was notified by both ZoneAlarm and AntiVir with new definition-files against this.


Fri, Dec 30 2005 11:48
shhs
Posts 6,255
 funky2004 wrote:

Did I understand correctly that only computers running Windows XP SP2 are affected??



According to the whole bunch of articles I have read on this, it is all versions of Win XP (no matter if unpatched, SP1 or SP2) and Windows Server 2003. [Although I have the SHIMGVW.dll on my Win2k system, it is the 1999 version, which seems to be safe??!!??]

Leading German computer magazine c't says the exploit is in the meantime (3 days) used by thousands of websites!!!

By the way, it has come out that Lotus Notes is affected, too - more details later...

Sat, Dec 31 2005 9:50
shhs
Posts 6,255
Well, server reaction time was quite slow when I wrote the last post - so I shelved this until now.

Many anti-virus companies have updated their signatures. According to German magazine c't the following programmes perform well with the latest updates:

Andreas Marx from AV-Test (http://www.av-test.org/ - a company that tests anti-virus software) claims that as of this morning 10:00 a.m. GMT the following programmes recognised all of his 73 WMF samples:

AntiVir, Avast!, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro and VirusBuster

Only the scan engines from QuickHeal (11 not detected), AVG (13), F-Prot (54), Ikarus (67) and VBA32 (67) let through the number of WMF exploits listed in brackets....

Anti-virus programmes seem the best help, as deregistering the library Shimgvw.dll (from Windows Picture and Fax Viewer) doesn't help with all programmes: Lotus Notes and Office 2003 reload that file if they find it missing!!!!
And also you would have a problem watching pictures with all other programmes....


(By the way - as of yesterday not all the AV products performed that well - read here the original results from yesterday's test:
"eTrust (VET), QuickHeal, AntiVir, Dr. Web, Kaspersky and AVG have at least already identified just over 80 percent. With fewer than 20 detected samples, the detection performance of Command, F-Prot, Ewido, eSafe, Ikarus and VBA32 is currently still inadequate. Norman's virus scanner failed completely in this test and did not flag a single file.")



Sun, Jan 1 2006 17:19
shhs
Posts 6,255
Seems like a second-generation spin-off WMF exploit starts to show up - unrecognised by virus engines and also concerning Win2k systems (finally...):

http://www.hexblog.com/2005/12/wmf_vuln.html

Mon, Jan 2 2006 11:49
shhs
Posts 6,255
 lou2005 wrote:
Seems like a second-generation spin-off WMF exploit starts to show up - unrecognised by virus engines and also concerning Win2k systems (finally...):

http://www.hexblog.com/2005/12/wmf_vuln.html


Attention: the patch there was updated twice today!!
At my last check there it was the latest version....

Definite news - Windows 2000 systems are vulnerable, too!!!
Tested it myself !!

[If you understand German well, you can also test it yourself here:
http://www.heise.de/security/dienste/browsercheck/demos/ie/wmf.shtml
additional link for German-speaking surfers - pretty difficult for others.]

More infos about the patch from Ilfak Guilfanov can be found at the Internet Storm Center:
http://isc.sans.org/diary.php?storyid=996
http://isc.sans.org/diary.php?storyid=999

P.S. Would be also great first name for a porn actor Mr. Ilfuck Bigsize


Mon, Jan 2 2006 13:59
funky2004
Amsterdam
Posts 90,340
Retired Moderator

Especially for our Dutch members:

Warnings everywhere now in the Dutch media about such a worm virus, which has surfaced via MSN Messenger (Dutch version). It comes in via MSN Messenger messages apparently from an acquaintance, and you are invited to click a link behind which there is supposedly a Christmas/New Year greeting ('xmas-2006FUNNY.jpg') - NEVER do this. The maker of the virus gets full control over an infected PC. Through the virus he can follow all keystrokes, passwords, internet banking etc. That way the hacker can plunder savings accounts and credit cards. A (provisional) repair program is available at:

http://www.hexblog.com/security/files/wmffix.hexblog13.exe

Also watch out for warnings from MSN Messenger and your internet provider.

Tue, Jan 3 2006 10:38
shhs
Posts 6,255
 funky2004 wrote:

Warnings everywhere now in the Dutch media about such a worm virus, which has surfaced via MSN Messenger (Dutch version). It comes in via MSN Messenger messages apparently from an acquaintance, and you are invited to click a link behind which there is supposedly a Christmas/New Year greeting ('xmas-2006FUNNY.jpg') - NEVER do this.



Hey funky - is it a big thing in the Netherlands? I have not read anything on this exploit with MSN Messenger in Germany. Only normal emails with HappyNewYear.jpg...

Update on WMF:

Microsoft has written a patch and is right now translating it into the different languages apart from English. It will be available on the January Patchday, i.e. January 10th.

Tot siens for Nederlandse speakers
and cheers to all the rest

Wed, Jan 4 2006 7:24
drumasteruk
sunny south coast
Posts 1,573

Hi Lou2005,

Thanks for the updates, I've hit the little bugger a couple of times now, always on 'second rate' tgps so far.

ZoneAlarmPro sees it, and if you have configured it correctly it will block.

Now, as a matter of interest, it shows on Linux!! mainly because it's got nowhere to go! So if you get it there, zip it up and send it to your security provider. Or Bill Gates [:D] (no I haven't, but think I might).

Ok, personal observations: it will affect Windows 98SE, but seems to hesitate, at which point ZA kicked in, but something had affected the media player, couldn't see what? and ghosting the program restored it perfectly.

So, six days to another patch!, that I'll forget to do a backup of!

Drum [H]

Wed, Jan 4 2006 21:49
JS22
Posts 20
Thu, Jan 5 2006 9:30
jackohearts
Posts 270
I'm not up to speed with the tech side of computers, so please bear with me. Are we talking about the new deal where when you click on a page you sometimes get spun to a Google page? If so, is there a way to stop this? Thanks in advance.
Thu, Jan 5 2006 19:07
JS22
Posts 20
Hi, no, you are wrong about what you said about Google. It is about the most serious exploit there's been for a long while. The way Windows handles WMF files is the problem. It can be exploited so that when it doesn't execute correctly, which is what this exploit makes it do, anything can be loaded into memory - viruses, trojans, spyware, rootkits etc. It's a zero-day exploit, which means there was no public knowledge about it. Normally exploits are theories for up to years before you see them executed; therefore someone will have an idea how to fight it when it happens.

It doesn't have to be a .wmf extension either; it could look like this - picture.jpg, because it's the code in the file, not the format, which is used. Even without this exploit it is very, very easy for people with very little knowledge to attack someone else these days by just clicking a mouse. All you need to know are the programs and sites to use, and the address you want to attack. It's important to keep your computer up to date - Windows as well as your software - anti-viruses etc.

Microsoft releases updates on the second Tuesday of each month; they plan to patch this in 4-5 days, but that's not good enough. It's important to read at least one of the links I gave earlier in this thread ALL THE WAY THROUGH. That's all you need to do. There are fixes in the links.
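F-Secure's advice earlier in the thread was to filter all WMF files at the HTTP proxy and SMTP level, and the post above points out that the file need not carry a .wmf extension at all. Both together mean a gateway filter has to type the object by its header bytes, not by its name. The following is an added example (not code from this thread, from F-Secure or from Microsoft) that does exactly that: it recognises the standard WMF METAHEADER (mtType 1 or 2, mtHeaderSize 9, mtVersion 0x0100 or 0x0300) and the Aldus "placeable" header (key 0x9AC6CDD7) from the public WMF format, and returns a block/allow verdict per object. The function names and the sample byte strings are constructed for the example; the samples are empty header-only metafiles, not exploit files.

```python
import struct

# Aldus "placeable" metafile key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # key(4) + hmf(2) + bbox(8) + inch(2) + reserved(4) + checksum(2)
METAHEADER_LEN = 18         # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters


def is_wmf(data: bytes) -> bool:
    """Identify a WMF payload from its header bytes alone, ignoring filename and MIME type."""
    if data.startswith(PLACEABLE_KEY):
        # Placeable files carry the standard METAHEADER right after the 22-byte placeable header.
        data = data[PLACEABLE_HEADER_LEN:]
    if len(data) < METAHEADER_LEN:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
    # mtType: 1 = memory metafile, 2 = disk metafile; mtHeaderSize is always 9 WORDs;
    # mtVersion is 0x0100 (Windows 1.x) or 0x0300 (Windows 3.x).
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def filter_verdict(name: str, data: bytes) -> str:
    """Gateway decision for one object (hypothetical helper): block WMF content whatever the name says."""
    return "block" if is_wmf(data) else "allow"


def scan_objects(objects):
    """Apply the verdict to a list of (name, bytes), as a proxy or mail filter would per attachment."""
    return [(name, filter_verdict(name, data)) for name, data in objects]


# --- Constructed samples (header-only, not malicious) ---------------------------
# Minimal standard WMF: METAHEADER (version 3, 12 WORDs in total) followed by a 3-WORD EOF record.
STD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)


def placeable_wrap(std_wmf: bytes) -> bytes:
    """Prefix a standard WMF with a placeable header; its checksum is the XOR of the 10 preceding WORDs."""
    body = struct.pack("<IHhhhhHI", 0x9AC6CDD7, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum) + std_wmf


PLACEABLE_WMF = placeable_wrap(STD_WMF)
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 20                 # JPEG SOI + APP0 marker, padded
EMF_SAMPLE = struct.pack("<II", 1, 108) + b"\x00" * 20           # EMR_HEADER start: iType=1, nSize=108

SAMPLE_OBJECTS = [
    ("picture.jpg", STD_WMF),        # WMF disguised with a .jpg name
    ("greeting.wmf", PLACEABLE_WMF), # placeable WMF
    ("photo.jpg", JPEG_SAMPLE),      # real JPEG header
    ("chart.emf", EMF_SAMPLE),       # EMF is a different format and is not matched
]

if __name__ == "__main__":
    for name, verdict in scan_objects(SAMPLE_OBJECTS):
        print(f"{name}: {verdict}")
```

The EMF sample shows why the three-field check matters: an EMF file also starts with a 1 in its first WORD, but its second WORD is not 9, so it is not mistaken for a WMF. Header identification like this is a coarse gate for a proxy or mail filter; it complements, rather than replaces, signature scanning of the kind the AV comparison later in the thread reports on.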
Fri, Jan 6 2006 14:58
shhs
Posts 6,255
WMF patch from Microsoft already available!!!

Microsoft has published its patch for the WMF leak 4 days earlier than announced up to now. It is designed for, and there are downloads for, the following systems:

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition


You can get it here:
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
or via windows Update.

If you are not really sure about it, then also check these links by peachy member JS22; they have been updated with the latest issues - on where and how...
 JS22 wrote:
Hi, here's a link which will help: http://castlecops.com/a6445-WMF_Exploit_FAQ.html and here's another: http://www.grc.com/sn/notes-020.htm
Wed, Feb 1 2006 3:20
Gemini37
United States
Posts 2,808
Retired Moderator
Thanks for all the info lou2005...we appreciate it. Yes [Y]
