*** ALL USERS OF WINDOWS, PLEASE READ BELOW. ***
There is a very major security problem with Windows, all variants back to Windows 98.
All systems are at risk. Many are already infected. There are few options for an effective defense.
See our web page on this issue:
http://www.softprose.com/information...irus/wmf.shtml
Greetings,
This is an urgent advisory of a real-life threat to all Windows computers.
The Windows Metafile Format (*.WMF) image format, developed by Microsoft, has been shown to have a critical flaw that allows ALL VARIANTS of Windows after and including Windows 98 to be taken over by criminals SIMPLY BY VIEWING images on a web page or images contained in Email, including in the preview pane.
The WMF vulnerability is not a virus in itself; it is, instead, known as an "Exploit", or a pathway that a virus (or spyware, or any number of malware variants) can use to get itself onto a computer. Unfortunately, the bad guys found this hole before the "white hats" got involved, so this problem is already showing up on users' computers.
This is a SEVERE problem that is already being exploited for commercial and criminal gain. The spyware program "Winhound" is the most common, and prominent, example using this security hole, but many other programs have been found that are taking advantage of it. Many of these programs use stealth techniques to hide on your PC, and record keystrokes, logins, credit card numbers, and all sorts of other information of interest to criminal enterprises.
Other commercial programs using this security hole include Winfixer and AVGold. There will probably be many more…
Although Winhound is a very busy, obvious, and obnoxious infestation, it is not the worst; the worst infestation is the one you do not know about. There is no defense currently available for this problem, and fully-patched systems are being infected. No current antivirus software is defending against this threat. As there is a direct financial incentive, the number and variety of programs using this security flaw are expanding exponentially.
This has the capacity to be the single greatest security threat ever discovered. The set of vulnerable machines includes every single Windows computer in the world. There is currently no organized defense. The number and variety of attacks are quite large, and they are not being addressed at this time by security products.
The pictures DO NOT NECESSARILY have a *.WMF extension! A WMF file is processed just the same if it is named *.gif, *.jpg, *.bmp, or anything else, because Windows recognizes the file by its contents, not by its name. ANY GRAPHIC FILE can conceal the infection.
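Because the extension tells you nothing, a scanner has to look at the bytes. The following Python sniffer is an added example, not part of this advisory or any SoftProse tool: it recognises both the "placeable" and the standard WMF header, validates the placeable checksum, walks the record list to the END-OF-FILE record, and reports any WMF whose file name claims to be something else. The sample files it builds are constructed inline for testing.

```python
import os
import struct
from functools import reduce
from operator import xor
PLACEABLE_KEY = 0x9AC6CDD7   # magic DWORD of an Aldus "placeable" WMF header
META_EOF = 0x0000            # function code of the record that ends every WMF

def parse_wmf(data: bytes):
    """Return header facts if the bytes are a WMF file (whatever its name), else None."""
    off, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # Placeable header is 11 WORDs; the last is the XOR of the first ten.
        words = struct.unpack_from("<11H", data, 0)
        if reduce(xor, words[:10]) != words[10]:
            return None
        off, placeable = 22, True
    if len(data) < off + 18:
        return None
    # META_HEADER begins with Type (1 memory / 2 disk), HeaderSize in WORDs (9), Version.
    ftype, hsize, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        return None
    # Walk the record list: each record starts with its size in WORDs and a function code.
    pos, records = off + 18, 0
    while pos + 6 <= len(data):
        rsize, func = struct.unpack_from("<IH", data, pos)
        if rsize < 3:
            break                # a record cannot be smaller than its own 6-byte header
        records += 1
        if func == META_EOF:
            break
        pos += rsize * 2
    return {"placeable": placeable, "version": version, "records": records}

def check_file(name: str, data: bytes) -> str:
    """Classify by content; a WMF named .jpg/.gif/.bmp is reported as disguised."""
    if parse_wmf(data) is None:
        return "not-wmf"
    ext = os.path.splitext(name)[1].lower()
    return "wmf" if ext == ".wmf" else "wmf-disguised-as-" + ext

def build_sample_wmf(placeable: bool) -> bytes:
    """Constructed test input: standard header, one META_SETMAPMODE record, META_EOF."""
    body = struct.pack("<HHHHHHIH", 1, 9, 0x0300, 16, 0, 0, 4, 0)
    body += struct.pack("<IHH", 4, 0x0103, 1) + struct.pack("<IH", 3, META_EOF)
    if not placeable:
        return body
    words = [0xCDD7, 0x9AC6, 0, 0, 0, 100, 100, 96, 0, 0]  # key, handle, bbox, inch, reserved
    return struct.pack("<11H", *words, reduce(xor, words)) + body
```

Run `check_file(path, open(path, "rb").read())` over a mail attachment folder or browser cache to list image files that are really metafiles.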
IF YOU ARE INFECTED, the standard solutions may apply:
SpyBot Search & Destroy, in the current version 1.4, has been somewhat effective against WinHound.
See:
www.safer-networking.org/
AdAware and Microsoft AntiSpyware are both possible tools for cleaning up an infection, although they have not been particularly strong against the versions of WinHound that we have encountered.
For AdAware, see:
http://www.lavasoftusa.com/
For Microsoft AntiSpyware, see:
http://www.microsoft.com/athome/secu...e/default.mspx
Ensuring that your antivirus is current and up to date is quite critical, along with running periodic scans. Users may also wish to run a manual scan of their system after updating their antivirus. Note that currently NO anti-virus program is offering a full defense. The partial defenses that they can offer are being built on an hourly basis.
Please note: The worst infestations are those you do not know about. It is entirely possible for your machine to become a "zombie" client of some Eastern European or Asian organized crime gang without you knowing anything about it. The days of clumsy amateur software are OVER in this business. This is professional, international, and closely focused on an increasingly valuable bottom line. There is big money in Cybercrime; please be careful.
A "key logger" program on your computer can record all credit card numbers, all passwords, all login data. This is an increasingly common security threat for individuals or organizations of any size.
THE ONLY CURRENT "FIX" is to disable the primary vector for Windows Metafile Format (WMF) support.
The below "FIX" will only work on:
Windows XP Service Pack 1; Windows XP Service Pack 2;
Windows Server 2003; and Windows Server 2003 Service Pack 1
It does not appear to be currently possible to disable all variants of WMF support. However, the primary component used by Windows XP and Windows Server 2003 for working with WMF files is the core library behind the "Windows Picture and Fax Viewer", which can be disabled. This should have the effect of making it impossible for your computer to view WMF files through that viewer. This change may cause UNEXPECTED problems with other software, but it is the only practical defense at this point in time, and is STRONGLY recommended.
The below fix involves serious changes. Be aware that it removes the primary means of support for WMF files, which may cause some graphics programs to either not run or demonstrate eccentric behavior. But we really suggest you do this, as described below.
Note that Maintenance clients of SoftProse Technology, Inc. have had this code added to their login routine in two batch files, wmf_off.bat (and wmf_on.bat). There may be confirmation dialogs for these changes. Copies of these batch files are available from our WMF Vulnerability page at
http://www.softprose.com/information...irus/wmf.shtml.
Below was originally suggested by MICROSOFT, who now seems to be formulating a different response. (SEE: http://www.kb.cert.org/vuls/id/181038)
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
What if I have Windows 2000, or Windows 9X or ME?
What if you cannot disable WMF support?
What can you do to defend yourself?
Below are Four Suggestions:
1) Don't use Internet Explorer for surfing the Internet. Internet Explorer has been broken for years; there is, and has been, no protection against your computer being taken over. Instead of IE, download and install the latest version of FireFox, currently at Version 1.5:
http://www.mozilla.com/firefox/
Set FireFox to be your default browser. With FireFox, you have to either answer a confirmation dialog or download the image before you can be infected. (Internet Explorer users have NO defense.)
Note that FireFox will not fully protect you, BUT users will have to click a confirmation dialog or accept a download before they can become infected! DON'T ACCEPT ANY CONFIRMATION DIALOG OR DOWNLOAD ANYTHING unless you know EXACTLY what you are accepting into your computer!
2) Remove all "toolbars" from your computer (Google, Yahoo, etc.). Also remove all third-party "Search" tools.
This advice may be a little draconian, but we stand by it. (We never liked toolbars, anyway.) This is a real issue, as the Google toolbar in particular will INDEX ALL WMF files on your computer automatically, and this indexing process will EXECUTE the code contained in these WMF files! So if you have Google Toolbar installed, and your Email downloads one of these pictures, it may execute EVEN IF YOU DON'T LOOK AT IT, thanks to the Google indexing process. We are not sure whether the other toolbars do anything similar, but do you really need them? Don't take the chance.
3) Email places us all at risk. This is a major challenge for all Email users. The extent and nature of the infection process is still not fully understood, and any advice here will probably need the assistance of an update to the programs involved.
FOR ALL EMAIL USERS:
Be especially aggressive in deleting Emails from strangers.
DON'T OPEN ANYTHING if you don't know where it is from. JUST KILL IT. Suppress your natural curiosity.
For Outlook Users:
View Menu>Preview Pane - Turn it OFF.
Consider switching to the free version of Eudora, which has better controls over graphics.
http://www.eudora.com/
For Eudora Users:
Go to Tools>Options>Display.
Remove the checks on:
Automatically download HTML graphics
Display graphics in messages
4) Set your machine to receive Windows Updates automatically.
In a world where attacks can occur in hours, the Microsoft automatic update function "Windows Update" has become increasingly important to protecting your computer. Most computers managed by SoftProse Technology, Inc. are set to automatically download and install updates from Microsoft. If you have not configured your machine this way yet, please consider this as an important defense in an increasingly dangerous Internet-enabled world.
Note that the new Microsoft Update offers more features (Office software updates are included), but requires that Microsoft "certify" that your installation of Windows is "genuine" and not a bootleg copy. For most users, this should be a simple test to pass successfully. If for whatever reason your machine fails this test, please consider re-installing or upgrading to a legal copy of Windows. Be aware that Microsoft makes Microsoft Update an optional feature today, but soon may make it a requirement.
See:
http://update.microsoft.com/microsoftupdate
(Requires Internet Explorer)
(NOTE: As on Linux, you can also create a limited login on your PC that denies the ability to install software or to write files to system folders. (In Windows XP, this is actually called a "Limited Account".) Using the PC with a restriction such as this should stop most "malware" from installing itself and taking over your computer. A Windows computer can have more than one login. A separate Administrator login would have full rights but would only be used for PC maintenance. Most users would dislike this system intensely, but we are slowly getting used to this as a standard method for using, and defending, Windows computers. This is not a total defense, but it may help in some scenarios, such as with this problem.)
For more info on this WMF vulnerability:
http://www.kb.cert.org/vuls/id/181038
http://www.microsoft.com/technet/sec...ry/912840.mspx
http://www.f-secure.com/weblog/archi....html#00000753
http://searchsecurity.techtarget.com...154914,00.html
http://blogs.zdnet.com/Spyware/index.php?p=734