Mike's Oud Forums
Subject: MEMBERS BEWARE: Devastating virus threat (Patched)
Sidi
posted on 1-2-2006 at 12:42 AM
MEMBERS BEWARE: Devastating virus threat (Patched)


[Update Jan/5] Microsoft has now addressed the issue, and a patch can be downloaded from this security bulletin.


Hi,

This is a warning to all forum members. There is a devastating virus out there that relies on a fundamental design flaw in Windows to potentially take total control of your system. This issue affects ANY version of Windows as of 3.0. Folks, this is the worst one yet...because you can be infected simply by interacting with an infected image file! Beware of any suspicious emails containing attachment files with this extension: .wmf. Do not browse low-security websites that may contain such infected images. Reports speak of malicious .wmf files posing as JPEG files and files of other extensions.

Take these measures as fast as you can:

- Stop using Internet Explorer NOW!
- Follow the steps in this Microsoft Advisory (Patched Jan/5)
- Use the latest Firefox and set it to block 3rd party images.
- Better still, surf on your Apple Mac if you have one, since they are immune.
- Get some virus protection software running
- If you use Google Desktop search, uninstall it now
- Avoid Google image search at all if you can.

More on this soon...
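The first post mentions .wmf files posing as JPEG files and files of other extensions. The check below is an added example, not part of the original thread: it identifies WMF content by its header bytes instead of its file name and flags any file whose name does not end in .wmf. The function names and the sample bytes are constructed for illustration; the header constants come from the Windows Metafile format.

```python
import struct
from pathlib import Path

# WMF header constants (from the Windows Metafile format).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 stored little-endian
META_TYPES = (0x0001, 0x0002)         # memory / disk metafile
META_HEADER_WORDS = 9                 # header size in 16-bit words
META_VERSIONS = (0x0100, 0x0300)


def is_wmf(head: bytes) -> bool:
    """Return True if the leading bytes look like a WMF file."""
    if head[:4] == PLACEABLE_KEY:      # optional 22-byte placeable header
        return True
    if len(head) < 6:
        return False
    ftype, words, version = struct.unpack_from("<HHH", head)
    return (ftype in META_TYPES and words == META_HEADER_WORDS
            and version in META_VERSIONS)


def disguised_wmf(name: str, head: bytes) -> bool:
    """WMF content under any extension other than .wmf."""
    return is_wmf(head) and Path(name).suffix.lower() != ".wmf"


def scan(directory) -> list:
    """Names of files under directory that hold WMF data but are not named .wmf."""
    hits = []
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(32)
            if disguised_wmf(path.name, head):
                hits.append(path.name)
    return hits


# Constructed sample headers (not taken from any real file).
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 27, 0, 9, 0)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8

if __name__ == "__main__":
    print(disguised_wmf("holiday.jpg", SAMPLE_WMF))   # WMF bytes, .jpg name
    print(disguised_wmf("holiday.jpg", SAMPLE_JPEG))  # genuine JPEG header
```
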
Sidi
posted on 1-2-2006 at 12:46 AM


More info on the Windows Meta File format:

http://en.wikipedia.org/wiki/Windows_Metafile

BTW this should not be confused with the Windows Media Format


I'll be covering this as much as I can in a Monday.

-SidiM

Sidi
posted on 1-2-2006 at 04:08 PM


Here's what the CERT has to say:

http://www.kb.cert.org/vuls/id/181038

Sidi
posted on 1-2-2006 at 04:12 PM


And here's a FAQ list on the issue: from the Internet Storm Center

This FAQ list mentions an unofficial patch to protect your system from the WMF exploit. They seem to recommend it, but I did not try it. If you decide to do so, proceed at your own discretion.

Sidi
posted on 1-2-2006 at 04:48 PM


Here's a video of the infection taking place:

http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv

I hope none of you find this scene familiar...

Jameel
posted on 1-2-2006 at 04:55 PM


Thanks for the info, Sidi. Good to know you're watching out for us!



Sidi
posted on 1-2-2006 at 11:29 PM


Thanks Jameel,

I just can't stand by and watch my favourite spot on the net get ravaged by viruses. I've seen a lot of threats go by and I've never warned people about them here. I was sure they wouldn't cause major problems...but this one is different. Again, all you need to do to get infected is browse or open, even click on a malicious .wmf file in Windows. The worst part here is Microsoft as usual. They are way too far behind in coming up with a patch. And by the time they get there, who knows how far this would spread.

I have managed to secure myself a bit. But the solution I use could be too technical for the average user, and remains experimental at this stage. Still, if I get enough feedback, I'd be glad to document it today.

-SidiM

Sidi
posted on 1-3-2006 at 12:00 AM


Alright we're starting to have some vision on this. Here's a fresh article on the situation: Larry Seltzer* from eWeek


*his name reminds me of Alka Seltzer :D

Sidi
posted on 1-4-2006 at 01:01 AM
Official Patch coming Jan10:


"Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing."

In addition:

"...anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures...customers are encouraged to keep their anti-virus software up-to-date."

I'll keep tracking this for everyone and hope for the best.

-SidiM

Alan
posted on 1-4-2006 at 08:09 PM


It's for real. I got a trojan horse downloader called Spyaxe. Nasty one for sure. Took me 2 days to get rid of it. All antivirus and spyware removals don't work. When you reboot it loads back on and downloads more crap on your computer. Asks you to buy its removal programs that don't work. Thank goodness my computer-savvy son was able to identify the files and remove them.

SamirCanada
posted on 1-4-2006 at 08:14 PM


I got it too... and it took me around the same time to get rid of it. Good job to your son, it wasn't an easy one to get rid of, especially since it's installed in your registry and you have to turn off system restore in order to make sure it doesn't come back.

Sidi
posted on 1-6-2006 at 01:36 AM


Thanks Alan and Samir,

There was so little feedback on this, I got worried about my notification approach. Your posts help people see how nasty this is. Microsoft even went against its way this time and provided an early patch. I encourage everyone concerned to install it as soon as possible. I would still advise caution when you deal with .wmf files in the future. This patch may plug certain holes, but not all of them.