"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
C:\Documents and Settings\%username%\Local Settings\Temporary Internet
Files\Content.IE5\WTABCDEZ\eid6[1].wmf
Closed it and cleaned the IE cache and rebooted and it didn't restart.
Following files were created around this time and may or may not be related:
C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
C:\WINDOWS\system32\CatRoot2\tmp.edb
I removed the prefetch files, the catroot2 file was in use and could not be
moved and disappeared over a reboot. Then used SR to restore to a point
prior. Doesn't seem as if there is any obvious residual, but does anyone
know anything esle I should do or look for. I had not unregistered
shimgvw.dll or applied Ilfak Guilfanov's temp patch:
http://www.grc.com/sn/notes-020.htm
Thanks.
--
Regards
What Anti-virus program do you use? Most can already detect this exploit.
Here is some reading on this.
http://www.updatexp.com/wmf-exploit.html
If you read the link above it mentions that this exploit can download and
install trojans and/or malware I suggest that you try Ewido for 14 days free
it will also detect the wmf vulnerability if your system is still infected.
http://www.ewido.net/en/
The following is copied and pasted from the MS virus newsgroups courtesy of
David Lipman.
AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found
--
Mike Pawlak
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
"MAP" <mikepaw...@OVEhotmail.com> wrote in message
news:%23SJS1jt...@TK2MSFTNGP12.phx.gbl...
Thanks for your response. I use AVG with most recent def update and
a-squared updated with detection
for the WMF exploit, scans of both for my entire system show no infection. I
think the initial core malware file was not entirely downloaded and cleaning
the cache and the quick disconnect saved me :)
--
Regards
I strongly urge you to replace your AV program!
Use NOD32 or Kaspersky, any decent av software would have stopped the
download as it was happening and give you a warning to terminate it, thus
preventing an infection in the first place.
--
Mike Pawlak
|
| Thanks for your response. I use AVG with most recent def update and
| a-squared updated with detection
| for the WMF exploit, scans of both for my entire system show no infection. I
| think the initial core malware file was not entirely downloaded and cleaning
| the cache and the quick disconnect saved me :)
|
It has been determined that a variant of the Exploit-WMF is causing the installation of a
variant of the Backdoor.Haxdoor Trojan which uses RootKit technology.
Download HiJack This! (HJT).
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Create a HJT Log file and Copy the section (an ONLY that section) that is labeled "O23 -
Service:" and paste all the lines starting "O23 - Service:" in your reply.
AV-Test, which tests anti-malware products, has been tracking the situation
closely and has, so far, analyzed 73 variants of malicious WMF files.
Products from the following companies have identified all 73:
a.. Alwil Software (Avast)
b.. Softwin (BitDefender)
c.. ClamAV
d.. F-Secure Inc.
e.. Fortinet Inc.
f.. McAfee Inc.
g.. ESET (Nod32)
h.. Panda Software
i.. Sophos Plc
j.. Symantec Corp.
k.. Trend Micro Inc.
l.. VirusBuster
These products detected fewer variants:
a.. 62 - eTrust-VET
b.. 62 - QuickHeal
c.. 61 - AntiVir
d.. 61 - Dr Web
e.. 61 - Kaspersky
f.. 60 - AVG
g.. 19 - Command
h.. 19 - F-Prot
i.. 11 - Ewido
j.. 7 - eSafe
k.. 7 - eTrust-INO
l.. 6 - Ikarus
m.. 6 - VBA32
n.. 0 - Norman
The difference for the more effective products is likely to be heuristic
detection, tracking the threat by identifying the basic techniques of the
exploit, rather than looking for specific patterns for specific exploits.
--
Regards,
Richard Urban
Microsoft MVP Windows Shell/User
Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
"MAP" <mikepaw...@OVEhotmail.com> wrote in message
news:%23SJS1jt...@TK2MSFTNGP12.phx.gbl...
--
Mike Pawlak
> From: "Jack" <nu...@null.com>
> It has been determined that a variant of the Exploit-WMF is causing
> the installation of a variant of the Backdoor.Haxdoor Trojan which
> uses RootKit technology.
Hi David, If you are familar with "process guard" I would like your opinion
on it.
http://www.diamondcs.com.au/processguard/
Thanks!
--
Mike Pawlak
|
| Hi David, If you are familar with "process guard" I would like your opinion
| on it.
| http://www.diamondcs.com.au/processguard/
|
| Thanks!
|
Sorry, I am not acquainted with this application :-(
Sorry to leave this un-trimmed, but there's nothing redundant!
Well, those who believe in throwing money at one "good" av product may
be in a YMMV situation, as Kaspersky (the usual fundi's favorite)
detects only one more malware than AVG (the freebie favorite). In
fact, the results are quite different to what one might have expected,
with Avast, ClamAV and VirusBuster (?) doing so well and Norman,
F-Prot, eSafe/eTrust and Kaspersky doing so badly.
It's also interesting to see F-Secure doing so much better than
Kaspersky and F-Prot, who are the two main engines it uses.
So this favors the "use multiple scanners" approach, as opposed to
"spend money on one good scanner" - except that the nature of this
threat really requires on-access protection, whereas "use multiple
scanners" is best done as one resident av backed by multiple on-demand
scanners (one of which would be the free BitDefender).
So far, defenses and resources have included:
1) An unofficial patch
This is code that injects into the at-risk process, to capture
attempts to access the defective code. One wonders if this will crash
into resident av products that try the same approach?
2) Un-registering a relevant .DLL
3) Deleting or renaming away a relevant .DLL
This is complicated by Windows File Protection in XP and WinME, though
the latter can be managed as per...
http://cquirke.mvps.org/9x/sr-sfp.htm
It certainly seems the best approach for Win95/98, for which no patch
is expected to be forthcoming from MS.
4) Testing the system to see if it is vulnerable
The vulnerability scanner is from the smae folks who came up with the
unofficial patch; sorry no URL to hand.
5) Killing the file association for .WMF files
This should work, but doesn't, because the OS is badly (unsafely)
designed to interpret WMF content as WMF even when it is found in
files that should not contain it, i.e. have file name extensions that
imply the file is some other type.
This applies not only where it might be inevitable, such as embedded
material within a Word document, but in stand-alone .JPG etc. as well.
This management also does not address risks from "services" that grope
material in the background, such as the indexing service.
There are two big "thou shalt not" lessons in there, but I fear MS
won't learn from them, and will continue creating even greater risks
from underfootware file groping and dangerous management of material
that is mis-represented at the file name extension level.
6) Using XP SP2 DEP with DEP-capable processor
This can often catch this sort of raw code exploit, if it blocks the
code on the basis that it is within what is supposed to be data.
Whether it will always block every possible exploit of this defect is
another matter; maybe, maybe not.
7) In av we trust
Well, eventually the av may catch this stuff reliably, and then it
becomes a matter of whether all possible material routes are
intercepted by the resident av. Could bring "email scanning" back
into fashion, for example, if material embedded within an email
"message" doesn't go through an opportunity to trigger a scan when the
graphic is created as a temp file.
8) Fiddling with user account permissions
May help a bit, but not even MS is claiming it's a reliable,
bullet-proof fix. It's down there with "don't browse dodgy sites" and
"don't open email from someone you don't know".
Well, no; it's far more rational and useful than "don't open email
from someone you don't know" - that really is a pretty useless
approach, given that malware usually arrives from someone you know **,
and by the time the embedded images are displayed in the (pre-)view,
you are sunk. Viewing email as plain text would be a better fix.
** Specifically, a PC that has your address stored on it
>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -
Thanx anyway.
--
Mike Pawlak
I like your post, but one small, but highly revevant item remains, their are
many
more threats out their than the wmf exploit so one should not choose their
av
software solely on this one item.
--
Mike Pawlak
Sure - in fact, the av shoudln't be the primary defense in such cases,
it's merely the goalie of last resort. On Win9x, I'd kill off the
relevant code engine; on XP SP2 I might use DEP as my primary
blockage, and behind these I'd use the two approved fixes, being
unregistering a .DLL and running the 3rd-party patch.
If the OS wasn't so badly designed, killing the .WMF association would
be all you'd have to do.
It has been stated by Robear Dyerm, quoting Microsoft, that DEP has no effectiveness with
the Exploit-WMF.
Thanks for this. I already had hijackthis installed and no new NT services
show up, I also downloaded sysinternals rootkit revealer and it showed no
discrepancies. Thanks all.
--
Regards
>It has been stated by Robear Dyerm, quoting Microsoft, that DEP has no
>effectiveness with the Exploit-WMF.
That's at variance with what I'd heard, which implied that software
DEP should not be expected to be effective. URL?
| On Mon, 2 Jan 2006 13:11:34 -0500, "David H. Lipman"
http://www.microsoft.com/technet/security/advisory/912840.mspx
Choose "Frequently Asked Questions"
Q: I have DEP enabled on my system, does this help mitigate the vulnerability?
A: Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may
work when enabled: please consult with your hardware manufacturer for more information on
how to enable this and whether it can provide mitigation.
>>> It has been stated by Robear Dyerm, quoting Microsoft, that DEP has no
>>> effectiveness with the Exploit-WMF.
>| That's at variance with what I'd heard, which implied that software
>| DEP should not be expected to be effective. URL?
>http://www.microsoft.com/technet/security/advisory/912840.mspx
>Q: I have DEP enabled on my system, does this help mitigate the vulnerability?
>
>A: Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may
>work when enabled: please consult with your hardware manufacturer for more information on
>how to enable this and whether it can provide mitigation.
That's what I thought; hardware DEP is required to be any use, and if
that is present, it's expected to block at least the current crop of
attacks. What isn't clear is whether all possible methods of
exploiting the defect will always be blocked by hardware DEP.
>-------------------- ----- ---- --- -- - - - -
Tip Of The Day:
To disable the 'Tip of the Day' feature...
>-------------------- ----- ---- --- -- - - - -
http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=496
http://csc.sunbelt-software.com/wmf/wmffix_hexblog14.exe
http://www.antisource.com/download/wmffix_hexblog14.exe
http://hexblog.axmo12.de/wmffix_hexblog14.exe
http://www.dsinet.org/files/wmffix_hexblog14.exe
http://lab.nsl.it/wmffix_hexblog14.exe
The MD5 checksum of the file is 15f0a36ea33f39c1bcf5a98e51d4f4f6.
MSI repackages can be downloaded here:
http://accentconsulting.com/wmf.shtml
by Brian Higgins (MD5: a5108c0fa866101d79bb8006617641ee)
http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi
by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)
http://hexblog.axmo12.de/WMFHotfix-1.1.14.msi
by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)
The WMF vulnerability checker can be downloaded from the following
URLs:
http://www.grc.com/miscfiles/wmf_checker_hexblog.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=495
http://csc.sunbelt-software.com/wmf/wmf_checker_hexblog.exe
http://www.antisource.com/download/wmf_checker_hexblog.exe
http://hexblog.axmo12.de/wmf_checker_hexblog.exe
The MD5 checksum of the file is ba65e1954070074ea634308f2bab0f6a.
Note that the fix is not applicable to Win 9X/ME
Art