LandzDown Forum

There are reports of active exploitation of a new vulnerability related to image rendering in Windows XP.  The Windows Picture and Fax Viewer is used to view Windows Meta Files (WMF) and is reported as being vulnerable.  Note that this is the default viewer used by Internet Explorer and some versions of Firefox for WMF files.

Current reports state that the attack vector being used is embedded malicious images on web pages hosted at unionseek[DOT]com.  This vulnerability could equally be exploited through the delivery of a malicious email.

There is additional information available at the following URL's:
http://isc.sans.org/diary.php?storyid=972
http://www.securityfocus.com/bid/16074/info
http://vil.mcafeesecurity.com/vil/content/v_137760.htm
http://www.f-secure.com/weblog/#00000752

Exploit code is publicly available. This is being exploited in the wild.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.


There is no patch currently available to repair this vulnerability.
In the interim consider the following mitigation:

 - block access to the unionseek[DOT]com domain
 - block WMF files in your HTTP and SMTP content checkers
 - ensure anti-virus software is fully updated

Workaround posted by Sunbelt:

Wednesday, December 28, 2005
Workarounds for the WMF exploit

For this WMF exploit: Until Microsoft patches this thing or your AV provider have updated their defs, here are some workarounds:

1. Unregister SHIMGVW.DLL.

From the command prompt, type REGSVR32 /U SHIMGVW.DLL.  A reboot is recommended.  (It works post reboot as well.  It is a permanent workaround).

You can also do this by going to Start, Run and then pasting in the above command.

This effectively disables your ability to view images using the Windows picture and fax viewer via IE.

However, it is not the most elegant fix.  You’re probably going to have all kinds of problems viewing images.

But, no biggie: Once the exploit is patched, you can simply do REGSVR32 SHIMGVW.DLL to bring back the functionality.

And, it is a preventative measure. If you are already infected, it will not help.

Works for IE, should work fine for Firefox users as well.

2. Change file associations for WMF files.

An equally ugly fix (but perhaps preferable) is to do the following:

1. Go to My documents, Tools, Folder Options, File Types.
2. Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad.  Ugly, but it is a fix.

3. Run IESPYAD.

IESpyad is a free tool that puts block lists into IE’s restricted sites zone.  It’s managed by Eric Howes, who works as a consultant for Sunbelt.  We regularly update him with the latest URLs.  Click here. Gravatar

(Note that Eric is currently out of town so I’m not sure it’s being updated as frequently.) 

Alex Eckelberry
(Hat tip to Jon and Sunbelt researchers Lior Kimchi and Adam Thomas)

http://sunbeltblog.blogspot.com/2005/12/workaround-for-wmf-exploit.html

Harry Waldron's Blog has a nice set of instructions:

Current recommendations for Malicious WMF Exploits in-the-wild

1. Keep your Anti-Virus and Anti-Spyware software as up-to-date as possible.  For example, McAfee users should install DAT 4661 or higher immediately
2. Stay away from all questionable websites.  Do not open WMF files or links in any environment (e.g., IM, email, web surfing, explorer, etc.).
3. Filter and block WMF files in email or content filtering systems in the corporate environment.
4. Don't rely just on the WMF extension.  Windows metadata processing can process a disguised and renamed extension.  For example, the extension for a corrupted WMF file might renamed to GIF and when Windows opens it, it may recognize that it was a WMF file originally and an infection could result.
5. As an extra safety precaution, you can turn off the vulnerable DLL.   The Full Disclosure workaround has downloadable *.REG file that allows toggling shimgvw.dll on and off.  Another option might be to turn off the shimgvw.dll service completely.  Turning services completely off will result in a minor loss of functionality for thumbnail previews in Explorer and the Windows Fax & Picture viewer can be affected.  Still it's easy to restore this service later after better protective solutions emerge, as noted in the Full Disclosure link.

This is how I removed this crap. The method is probably different from case to case, depending on what the downloader is fetching.

So I will keep strictly to how I did:

Tools needed:
Ewido malware-remover  http://www.ewido.net/en/download/
datFind.bat :  http://virus-protect.net/bat/datFind.bat
Blacklight Beta by F-Secure: http://www.f-secure.com/blacklight/help/
HiJackThis : http://www.thespykiller.co.uk/files/HJTsetup.exe
Taskmanager (Ctrl+Alt+Del)

In my case it installed "UnSpy", which sent up a baloon in the taskbar.It could just as well look like this: http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html
Start by going to the control panel applet and uninstall whatever strange "antispyware" that is present.

Then HiJack This showed those details, fix them:
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\gvhfx.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\gvhfx.dll
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program\UnSpyPC\UnSpyPC.exe"
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program\UnSpyPC\UnSpyPC.exe (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program\UnSpyPC\UnSpyPC.exe (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\Software\..\Telephony: DomainName = 
O17 - HKLM\System\CCS\Services\Tcpip\..\{48B1CBE5-F7C9-4647-9E5A-CB28ADE3C636}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{50A7A9D9-4795-4D70-B1FD-83183E8A934A}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CE88FF2-E304-47EE-B024-D4E0F2170FB3}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{73486B9A-079D-480E-95D2-0B27292DD2EB}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\System\CS1\Services\Tcpip\..\{48B1CBE5-F7C9-4647-9E5A-CB28ADE3C636}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 

Reboot into safe mode and remove the UnSpy Folder.
If  it´s like in my case, Explorer will act awkwardly. You have to use the taskmanager to terminate and start Explorer, many times when it stops responding

Run Ewido, still in safe mode.

Reboot normally.

Run datFind.bat
It will  sort newly installed/changed files by date, in "System" , "System32" ,"Windows\Temp" and the "Windows" folder. 
Open the "datFind.bat" and it will sort the files by date, in the different folders.To create them, collapse the open log and click any key and a new log is created. Copy the recent month/2 months of each log into the thread.
Look for suspicious files installed simultaniously, the user should have a rather good opinion of when he was hit by this crap.
The logs are by default stored directly under C:\
Navigate to the suspicious files seen in the logs and remoove them. All of them wont however be found.

Run Blacklight and reboot. Run Ewido again.

If  datFind.bat is run now, there should be files in the system32-log that aren´t visible

therefore....

Run Blacklight and this time use the option "Rename" of the files it finds, reboot. For simplicity, write down all filenames before it renames and reboots. If this isn´t done, a search can be done for files with the extension ".exe.ren" after Blacklight is run.

Open Explorer and navigate to the system32- folder and remove the remaining files of the infection, all with file-extendions ".exe.ren"

On thing is still to be made. A registry-key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
will have a value of  , in my case , csajj.exe (this is one of the files that had to be renamed by Blacklight)

This is how I did to remove the infection installed by the WMF Exploit , which opened the viewer for fax.
Another strange thing that occured while it was installing, was that AVG flagged WISPIS.EXE as infected. I believe that is the program that handles the mouse. I never realized if it was healed or not, but it still works flawlessly.

Die Hard

Here is the latest info on this from the Internet Storm Center.

This one is the updates thread that changes as new information is released or more exploits are released.
http://isc.sans.org/diary.php?n&storyid=992

This one is an overview of the situation.
http://isc.sans.org/diary.php?n&storyid=993

This one is the WMF FAQ
http://isc.sans.org/diary.php?n&storyid=994

This is the latest from this morning
"2nd generation WMF 0day Expliot Spammed"
http://isc.sans.org/diary.php?n&storyid=995

The strongest recommendations from around the net are to install Ilfak's Temporary WMF Patch until Microsoft issues a patch.  Ilfak's temp can then be removed via Add/Remove Programs.

http://www.grc.com/sn/notes-020.htm

UNIRAS (UK Government Briefing) 1/06, released 19:31 UTC January 1st:

A new exploit has been released for the Windows WMF vulnerability.  The exploit
is embedded in image files with a .jpg extension and which are designed to make
detection with IDS more difficult.  At the time of release this exploit was not
detectable by anti-virus software although signatures are now being released.

There are further reports that this exploit has been used to construct
malicious emails that have been spammed out.  F-Secure have given the following
details for this email:

  Subject:    Happy New Year
  Body:       "picture of 2006"
  Attachment: HappyNewYear.jpg (MD5: DBB27F839C8491E57EBCC9445BABB755)
 
When the HappyNewYear.jpg is accessed (i.e. the file is opened, a folder containing
the file is viewed, or the file is indexed by, for example, Google Desktop), it
executes and downloads a Bifrose variant from www[dot]ritztours.com.

Full briefing at http://www.uniras.gov.uk/niscc/docs/br-20060101-00001.html?lang=en

The latest information --

If your computer is Windows 2000, Windows XP, (SP1 and SP2), Windows 2003 (NOT Win98 or ME) it is extremely vulnerable. After applying the temporary fix by Ilfax, you can check your system to ensure it is protected with the vulnerability checker.  Further discussion on this top;ic is available in the SunbeltBlog http://sunbeltblog.blogspot.com/2006/01/wmf-vulnerability-checker.html

FIX DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmffix_hexblog13.exe

Fix Described Here:  http://www.hexblog.com/2005/12/wmf_vuln.html

VULNERABILITY CHECKER DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmf_checker_hexblog.exe

Checker Described here:  http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more