For those of you that use Windows...

[tarna]

http://antivirus.about.com/od/virusdescrip...mfexploit_4.htm

 

January 1, 2005

 

The WMF exploit is made possible because of a design flaw. In other words, according to F-Secure, it's not a bug, it's a feature. And F-Secure says this design mistake may have been around since the days of Windows 3.0. As SANS says, "the Microsoft WMF vulnerability is bad. It is very, very bad." Here are five other facts about the WMF flaw that is leaving all of us Windows users very, very vulnerable.

 

Fact #1: You do not have to open the image file to be affected.. If you browse to a folder it's in, view a website it's on, receive it in email, click a link pointing to an exploited image in IM or email, select it with your mouse or keyboard, or if you use Google Desktop, the exploit will render.

 

Fact #2: This is not a browser problem. Using Firefox or Opera isn't going to help. This exploit is made possible because of a design flaw in the Windows operating system. The rendering of the exploit happens within Windows (gdi32.dll to be exact, and not from within and not because of the browser). As seen in Fact #1 above, you can also encounter an exploited image file in a variety of ways, not just by web surfing.

 

Fact #3: The .WMF extension is immaterial. Just because the image has a different extension, doesn't mean it's not a WMF file containing the exploit. The most recent version spotted in email was disguised as HappyNewYear.JPG. This wasn't some double extension ruse either. Windows doesn't care what extension the image file has, it will still recognize that it's a WMF file and the handling for it will be the same - thus the exploit will render.

 

Fact #4: The exploit is not restricted to Windows Fax and Picture Viewer. The vulnerable DLL is actually GDI32.DLL. The previously implicated SHIMGVW.DLL is guilty, but apparently only because it calls GDI32.DLL. However, you can not unregister GDI32.DLL - not if you want your system to function, that is. A patch for GDI32.DLL was created by IDA Pro genius Ilfak Guilfanov and it's backed up by SANS. You can read more about Iflak's patch, and how to download it, here.

 

Fact #5: The exploit impacts nearly all Windows users. Affected versions include: all versions of Windows XP (SP1 and SP2, Pro and Home, 32-bit and 64-bit), Windows Server 2003 (including SP1, 32-bit and 64-bit, and Itantium-based versions), Microsoft Windows 2000 Service Pack 4, as well as Windows 98 (including SE), and Windows ME. In short, if you use Windows, odds are you are one of the 'hundreds of millions' sitting ducks to this exploit.

There is a patch that seems to be effective but the site is down right now. I'll keep checking and post a link here after I've looked into it further. Just got the info today so I'm still trying to get accurate information.

[kirottu]

This piece of information actually found it

[Diamond]

Not as dangerous as previous bug that Microsoft GDI+ had with JPEG implementation.

[BattleCookiee]

The quick-fix can be found here

[Kaftan Barlast]

But what does this exploit do really? Noone actualy says what it does except that it may download trojans to your computer

[Surreptishus]

A new strain of virus has appeared which means that a specially designed Windows Metafile (wmf) could be used to gain access to a machine and take control. The situation is worsened by the fact that source code for the exploit has been published on the Internet and that the virus changes itself when it replicates, making it harder for it to be detected by traditional signature-based security software.

 

Oh and Microsoft will have a patch on the 10th.

Edited January 4, 2006 by Surreptishus

[LadyCrimson]

But what does this exploit do really? Noone actualy says what it does except that it may download trojans to your computer

 

Ahhh..glad I'm not the only one scratching my head about that.

The article is a year old, too, which seems odd if it's just getting around as common 'news' now...?

 

Edit - ahh...I looked again...maybe that site just forgot it was a new year...

Edited January 4, 2006 by LadyCrimson

[Diamond]

Viewing a specially crafted WMF file causes buffer overflow and allows to execute any code on compromised system.

So any exploit using that vunerability can potentially do many things to your computer.

[LadyCrimson]

Reformat is always my answer.

 

<snippage>

 

Edit - nvm, I asked a techie friend...got my answers...

Edited January 4, 2006 by LadyCrimson

[Blank]

There is a patch that seems to be effective but the site is down right now. I'll keep checking and post a link here after I've looked into it further. Just got the info today so I'm still trying to get accurate information.

<{POST_SNAPBACK}>

hmm, thanks. i downloaded the fix. but like the others, i never had any particular problems before for any unexplained reasons.oh well...

[BattleCookiee]

Basically anything can be installed.

 

But currently there have been many reports that it is being used to install KEYLOGGERS.

 

Which are nasty buggers because they log every keystrike you make, allowing for an easy construction of any password you type on your PC...

Edited January 4, 2006 by Battlewookiee

[Blank]

Basically anything can be installed.

 

But currently there have been many reports that it is being used to install KEYLOGGERS.

 

Which are nasty buggers because they log every keystrike you make, allowing for an easy construction of any password you type on your PC...

<{POST_SNAPBACK}>

Thanks very much then. and in that case it was a good idea to put this as a sticky

[tarna]

To those of you that asked what this bug can do, it opens a door to your system, puts it's foot in it and then invites it's friends to party at your place.

This is one of the known party crashers...

 

Trojan.Satiloler.B

Trojan.Satiloler.B is a Trojan horse that attempts to steal user names, passwords, and other information from the compromised computer. It also attempts to open a proxy server on a random TCP port.

 

It has been reported that the Trojan is downloaded by malformed WMF files that utilize the Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability (as described in BID 16074).

 

Type:  Trojan Horse

Infection Length:  39,424 bytes 

 

Systems Affected:  Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

 

When Trojan.Satiloler.B is executed, it performs the following actions:

 

 

Creates a mutex named "_Toolbar_Class_32" so that only one instance of the Trojan is executed on the compromised computer.

 

 

Copies %System%\userinit.exe, which is a valid system file, as the following file and then deletes it:

 

%Windir%\system\userinit.exe

 

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

 

 

Copies itself as:

 

 

%System%\userinit.exe

%ProgramFiles%\Common Files\system\lsass.exe

 

Note:

%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

 

 

Creates the following files:

 

 

%System%\xvid.dll

%System%\xvid.ini

%System%\divx.ini

 

 

Adds the value:

 

"system" = "%ProgramFiles%\Common Files\system\lsass.exe"

 

to the registry subkey:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

 

so that it runs every time Windows starts.

 

 

Modifies the values:

 

"SFCDisable" = "FFFFFF9D"

"SFCScan" = "0"

 

in the registry subkey:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

 

to disable Windows File Protection.

 

 

Adds the value:

 

"System" = ""

 

to the registry subkey:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

 

 

Modifies the original %System%\sfc_os.dll or sfc.dll file and its backup in %Windir%\dllcache in order to disable System File Protection.

 

 

Attempts to close windows that have the following titles:

 

 

Create rule for %s

Un processus cache requiert une connexion reseau.

Ne plus afficher cette invite

Un proceso oculto solicita acceso a la red

Aceptar

Warning: Components Have Changed

&Make changed component shared

Hidden Process Requests Network Access

Ein versteckter Prozess verlangt Netzwerkzugriff.

PermissionDlg

&Remember this answer the next time I use this program.

&Yes

Windows Security Alert

Allow all activities for this application

 

 

Attempts to end the following processes:

 

 

WINLDRA.EXE

NETSCAPE.EXE

OPERA.EXE

FIREFOX.EXE

MOZILLA.EXE

M00.EXE

WINTBPX.EXE

SWCHOST.EXE

SVOHOST.EXE

SVC.EXE

WINSOCK.EXE

SPOOLS.EXE

 

 

Attempts to disable the following programs:

 

 

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

 

 

Steals the following information and saves it to %System%\desktops.ini:

 

 

POP3 Username

Password for Internet Explorer AutoComplete

TheBat passwords

e-gold account information

 

 

Searches for the following strings in the Web browser:

 

 

postbank.de

deutsche-bank.de

diba.de

1822direkt.com

.haspa.de

.sparkasse-

mbs-potsdam.de

.homebanking-

.bankingportal.

dresdner-privat.de

.gad.de

citibank.de

.portal-banking.de

vr-ebanking.de

vr-networld-ebanking.de

cc-bank.de

commerzbanking.de

lacaixa.es

axabanque.fr/client/sauthentification

cahoot

egg

if.com

smile

first

nation

abbey

natwest

citi

barclay

allianc

bank

hsbc

lloyd

nwolb

online

hali

npbs

marbles

trade

rbs.

lacaixa.es

pin2

viabcp.com

pin

Payee_Account

bancaonline.

CLAVES

ebankinter.com

 

 

Logs the following Web activity to %System%\divx.ini:

 

 

URLs visited

Radio button and checkbox status

Keystrokes

 

 

Opens a proxy server on a random TCP port.

 

 

Posts the collected log files to [http://]fiv.bestswf.com/[REMOVED]/log.php.

 

 

Sends a HTTP request to [http://]fiv.bestswf.com/[REMOVED]/cmd.php with the following data gathered from the compromised computer and saves the response to %System%\xvid.ini:

 

 

Username

Geographical location

Opened port number

A little wordy and technical but even the least of geeks can see that it gets into places and looks for stuff where it doesn't belong.

Those of you that use Norton, there is already an Update for it that I've loaded and tested. Update and then use the link BW provided to test your firewall.

[Child of Flame]

So what you're saying is I should update my subscription to Norton or stop looking up so much porn for a little while?

[Surreptishus]

Patch available now via Windows Update

[Blank]

Patch available now via Windows Update

<{POST_SNAPBACK}>

via windows update, eh? can i get a link for that?

[tarna]

http://update.microsoft.com/windowsupdate/...t.aspx?ln=en-us

[Judge Hades]

If this was such an old weakness, since Windows 3.0 why are they just fixing it now?

[tarna]

From what I've read about this one, it's been known about on hacker's boards but Microshaft couldn't be bothered until now.

 

You have to wonder if they like the praise...

"Microsoft to the rescue from those horrible hackers."

[Magena]

I've thought for a while that MS leaves problems in their code... or maybe even creates them so that they have something to deal with in the next release.. and it gives them reasons for more releases.

[Diamond]

I've thought for a while that MS leaves problems in their code... or maybe even creates them so that they have something to deal with in the next release.. and it gives them reasons for more releases.

<{POST_SNAPBACK}>

They definitely do not do this intentionally, because maintenance is additional cost. No company will create costs for itself.

[tarna]

Un-stuck.

[Synaesthesia]

From what I've read about this one, it's been known about on hacker's boards but Microshaft couldn't be bothered until now.

 

You have to wonder is they like the praise...

"Microsoft to the rescue from those horrible hackers."

<{POST_SNAPBACK}>

 

Microshaft? Are we on Slashdot now?

[SteveThaiBinh]

They definitely do not do this intentionally, because maintenance is additional cost. No company will create costs for itself.

<{POST_SNAPBACK}>

Indeed, and that presumably includes the extra testers and engineers that would be needed to spot this kind of thing and fix it before the product was released.