Most Corrupt & Incompetent Gang Aside W
and big thanks to great posters at: http://www.dslreports.com/forum/remark,15115819~days=9999~start=80
HaloScan.com - Comments: "Regarding these workarounds, none of them are perfect as you can still have a WMF file spoofed.
Also, from SANS:
http://isc.sans.org/diary.php?rss
Update 23:19 UTC: Not that we didn't have enough 'good' news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ('magic bytes') and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you."
================
The correct link for IE-SPYAD is here:
https://netfiles.uiuc.edu/ehowes/...ww/ resource.htm
There is an interim update for IE-SPYAD available now:
http://www.dslreports.com/forum/ ...remark,15121689
That update is designed to be installed on top of an existing install of IE-SPYAD.
Best, Eric L. Howes
-------------------------
The extension does not matter (even .tiff or .gif files could be set as a WMF exploit), so beware.
And it works under any program which uses WMF through the DLL (IE, Opera, FF, Mozilla), so the only workaround that works is disabling the WMF DLL.
-------------------------
Alex, the PreEmpt product from PivX blocks this exploit (http://www.pivx.com/HomeOffice/). I am not associated with PivX, just a happy user.
Later, EricB
----------------------------
WTF!? WHAT IS THIS KRAP!?
We are reduced to imbeciles exchanging TIPS
in the schoolyard about ways to
get PROTECTION from the KRAP
we are FORCED to PAY FOR WITHOUT CHOICES
that runs our computers. This is like FEMA in NOLA, and I'M MAD AS HELL //js
MooHead in Havan Cowtowne, damnit 53120
===============
[Patterns]
Name = "Kill Infected .WMF Files [Kye-U]"
Active = TRUE
URL = "$TYPE(oth)"
Limit = 15
Match = "[%01][%00][%09][%00][%00]"
Replace = "\k$ALERT(Infected .WMF File Killed on:\n\n\u)"
(The backslashes in the Replace line were stripped by the blog software: \k kills the connection, \n is a newline and \u is the matched URL in Proxomitron's replacement syntax.)
This filter will kill any file that matches the magic bytes for infected files.
I see it as a strong workaround or prevention.
Alex, can you please add this to the list? Thanks!
Geek Goddess
gracie Premium,MVM 2003-07-15 Loc:confusion ·Verizon Online DSL | reply to RedXII1234
and a bit more: »www.theinquirer.net/?article=28590 : "...you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft. * UPDATE Ken Dunham, director at iDefense, said the zero day WMF exploitation threat affecting fully patched versions of XP and Windows 2003 Web Server is underway." -- graciella! "not tonight dear, I have DSL." Creating SuperOrganizations Worldwide Creating & Hosting SuperSites Worldwide
===============
i don't know if it will help, but i added the "WMF" file extension to "scriptdefender's" list of protected "scripts"..
--------------------
prana
Member 2005-03-22 Loc:Australia edit: Wednesday December 28th, @08:09PM
The exe file it downloads... cj.exe

Take this with a grain of salt, this is from a 5 minute disassembly and not detailed. Will do that later when I have more time. Or leave it for the Anti-virus companies.

WMF exploit has not got a standard Magic Byte 01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 (. ..R...=...), non standard magic byte of D7 CD C6 9A

The trojan file has two entry points, one for the DLL and one for the PE section. The PE entry point has the following characteristics: Grabs local time. Grabs filename of the exe file. Creates mutex name "3094flcxvdf"

The FTP site!
C:\>ftp 66.36.231.141
Connected to 66.36.231.141.
220 sst
User (66.36.231.141:(none)): user21
331 Password required for user21.
Password:
230 User user logged in.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp> pwd
257 "/" is current directory.
ftp> ls -la
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp>

The following files are created in your system32 dir: dvob.dll oewrgm.dll wqxk.dll sh.dll in the particular sample I tested... which are copies of the trojan downloaded with a different filename for the alternative entry point for the binary

edited: some updated info
KyeU
Member 2003-12-31 Loc:Canada ·Rogers Hi-Speed | reply to RedXII1234
Beehappyy uses 4 methods to infect the user.
1. Loads free.anr through "{CURSOR: url("free.anr")}", which downloads xxx.exe to the C:\ Drive
2. Loads an IFRAME with the .WMF exploit.
3. Loads a tiny Java applet: "BlackBox.class", which modifies the Windows permissions I think.
4. Uses the Windows CHM Help File exploit.
»isc.sans.org/diary.php?storyid=972
»www.securityfocus.com/bid/16074/info
---------------------
Watashi Wa 1337 Desu
RedXII1234 Premium,Mod 2001-02-26 Loc:localhost ·Verizon Online DSL ·BellSouth Host: /dev/null Broadband Tweaks ISDN Fiber Optic AOL Broadband edit: Wednesday December 28th, @08:57PM
reply to Libra

said by Libra:
RedXII1234, If you don't unregister shimgvw.dll, but are running in a limited user account, will you be okay? Also, should I unregister shimgvw.dll in Windows 98se? Thank you. Sincerely, Libra

You should be fine, but explorer will keep crashing and you wouldn't want to risk accidentally running it in the admin account. Unregister it anyway until it is fixed.
The reason I mentioned that is because Security Focus claims that it will run with SYSTEM privileges, regardless of the logged on user's privileges. However, I am unable to find such behavior. It always runs with the user's privs. Can't comment on 98SE. I don't have a virtual machine for that even though I have the install CD. Windows 2000 SP4 didn't seem to have any WMF/EMF associations or the picture viewer that XP/2003 has.. so it is safe from automagic execution in explorer or on the web.
Also, I saw over on /. that metasploit has a plugin for this exploit.
--------------
For additional information about how to "Enable DEP for all programs on your computer", see the product documentation.
Received another e-mail stating: "If the file is sent with a different extension Windows may still open the file and become infected. (Magic number detection. The first five bytes are [expressed as octal numbers]: \327\315\306\232\000)".
============================
I was referring to »www.viruslist.com/en/weblog?webl···76771047
Btw, unregistering shimgvw.dll is nice, but not very effective if you use another image viewer. I unregistered the dll file and then used Irfanview to view graphic files --> successful exploitation.
Contrary to popular belief, shimgvw.dll is not the vulnerable file.
--
Not speaking for Kaspersky Lab
========================
jbob
Premium 2004-04-26 Loc:Little Rock, AR ·Comcast edit: Thursday December 29th, @01:55PM
| reply to Schouw
This is simply amazing. Does anyone really know wtf is going on? lol Do we still know this is an Iframe exploit? If it's not the noted .dll then what is being exploited? Earlier tests showed that it didn't work when the user had less than admin privileges and now Kaspersky says not so. Then unregistering the .dll will be a temp fix but now that looks not to be so. Could this exploit be mutating?

Was just pointed to this: »www.kb.cert.org/vuls/id/181038 snipped.....
Current public exploits use the Windows Picture and Fax Viewer (SHIMGVW.DLL) as an attack vector affecting users of any Windows-based application that can handle Windows Metafiles. However, disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows Graphical Device Interface library (GDI32.DLL).

I have read that it was covered but could someone test this while running BOClean to see if it indeed catches it? One of these days I'm gonna have to try out one of those VMs I keep reading about.

After all this discussion about this being an IFRAME exploit I am wondering......I have seen it suggested elsewhere but would it mitigate things to just go to IE Security Settings and disable the IFRAME support under "Launching programs and files in an IFRAME?" Could it be that simple? I know how IE is so embedded into the OS that even though a different browser is being used parts of IE are still being accessed to facilitate internet activity. Sometimes it is hard to know where IE ends and the OS begins. Just fishing I guess. Can any MS gurus out there confirm or deny this?
=========
KyeU
Member 2003-12-31 Loc:Canada ·Rogers Hi-Speed edit: Thursday December 29th, @11:09PM
| reply to RedXII1234
Thanks to JJoeBugg, I've discovered that I've forgotten that Proxomitron does not filter .WMF files by default. A separate filter had to be made to be able to filter all file extensions. Web Page filter: [Patterns]
You must also import this Header filter to filter all file extensions: [HTTP headers]
dantz
Member 2005-05-09 Loc:Honolulu, HI | reply to RedXII1234
Here we have a dangerous exploit spreading rapidly with no patch in sight and nobody has even mentioned the most reliable fallback defense you can construct: an image! Image your drive BEFORE you get clobbered and your recovery will be much, much faster, not to mention easier and more complete.
norwegian
Member 2005-02-15 | reply to RedXII1234
I was just at the Kaspersky forum, and noted Smokey linked to a reg fix, that helped fix turning off Windows Picture Viewer, »forum.kaspersky.com/index.php?showtopic=7862 and it linked to the reg fix »lists.grok.org.uk/pipermail/full···699.html thanks fellas for a fix, hope it helps a few here
SUMware
Premium 2002-05-21 edit: Friday December 30th, @01:11AM
Can you tell the filter to match/accept on the legitimate WMF valid 5 bytes, then reject everything else? Rather than trying to match/reject on combinations of bad bytes that could vary.
Such as allow this only: Match = "[%D7][%CD][%C6][%9A][%00]" So that all else is dumped. Or isn't it that simple?
KyeU Member 2003-12-31 Loc:Canada ·Rogers Hi-Speed edit: Friday December 30th, @01:29AM
The problem is that it can still come through as a JPEG or GIF file, and the filter you're proposing needs a URL match of "*.wmf" to work to your expectations.
The filter would look more like:
URL Match = "$TYPE(oth)*.wmf"
Match = "(~[%D7][%CD][%C6][%9A][%00])" ==> js note: ~ tilde sb control, prevented by blogger!
Replace = "\k$ALERT(Invalid .WMF File)"
You'd need to create multiple filters for GIF, JP(E|)G, PNG, etc. But I see your point. I guess it would work just fine. Actually, it seems like a pretty good idea. EDIT: It is a really good idea. A whitelist is better than a blacklist. I will work on a filter.
===/M$hithead co sez:
/
/
/
/
/
/
/
...../.... hot air straight from the biggest black hole in this galaxy, aside from? W
III. Solution
Since there is no known patch for this issue at this time, US-CERT is
recommending sites follow several potential workarounds.
Workarounds
Please be aware US-CERT has confirmed that filtering based just on the
WMF file extension or MIME type "application/x-msmetafile" will not
block all known attack vectors for this vulnerability. Filter
mechanisms should be looking for any file that Microsoft Windows
recognizes as a Windows Metafile by virtue of its file header.
Do not access Windows Metafiles from untrusted sources
Exploitation occurs by accessing a specially crafted Windows Metafile.
By only accessing Windows Metafiles from trusted or known sources, the
chances of exploitation are reduced.
Attackers may host malicious Windows Metafiles on a web site. In order
to convince users to visit their sites, those attackers often use URL
encoding, IP address variations, long URLs, intentional misspellings,
and other techniques to create misleading links. Do not click on
unsolicited links received in email, instant messages, web forums, or
internet relay chat (IRC) channels. Type URLs directly into the
browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.
Block access to Windows Metafiles at network perimeters
By blocking access to Windows Metafiles using HTTP proxies, mail
gateways, and other network filter technologies, system administrators
may also limit other potential attack vectors.
Reset the program association for Windows Metafiles
Remapping handling of Windows Metafiles to open a program other than
the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent
exploitation via some current attack vectors. However, this may still
allow the underlying vulnerability to be exploited via other known
attack vectors.
Advisory here.
/////