Velocity Reviews - Computer Hardware Reviews

Encountered WMF Vulnerability

 
 
Jack
      01-01-2006
XPHome SP2, fully patched. Opened a picture link, it flashed up my download
manager trying to download the file eid6.wmf, which shut before I could
close it and flashed open the picture and fax viewer which I closed and
disconnected from the internet. The following new process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't restart.
Following files were created around this time and may or may not be related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files, the catroot2 file was in use and could not be
moved and disappeared over a reboot. Then used SR to restore to a point
prior. Doesn't seem as if there is any obvious residual, but does anyone
know anything else I should do or look for? I had not unregistered
shimgvw.dll or applied Ilfak Guilfanov's temp patch:

http://www.grc.com/sn/notes-020.htm

Thanks.


--
Regards
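
Jack's prefetch list is the clearest lead in his post, and it is worth reading before it is deleted: a Windows XP prefetch file records the executable's last run time, its run count and the files it touched, so CMD.EXE and FTP.EXE entries stamped a few seconds after RUNDLL32.EXE are evidence that the image viewer handed off to a command shell and the built-in FTP client, a pattern consistent with a dropper fetching a second stage. The script below is an added example written for this page, not code from the thread or from any of the posters. It parses the XP (version 17) .pf layout, correlates the timestamps, and runs on sample .pf images it constructs itself; the 120-second window is an assumed threshold, and the sample executable names, paths and timestamps are made up.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

# Windows XP / 2003 write version-17 prefetch files; the offsets below are that layout.
PF_VERSION_XP = 17
PF_SIGNATURE = b"SCCA"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STAGE_TOOLS = {"CMD.EXE", "FTP.EXE"}   # the built-in tools Jack found prefetch entries for


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data: bytes) -> dict:
    """Pull executable name, last run time, run count and loaded-file list from a version-17 .pf."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != PF_SIGNATURE or version != PF_VERSION_XP:
        raise ValueError("not an XP prefetch file (version=%d, sig=%r)" % (version, sig))
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    # File-information block starts at 0x54: section C (UTF-16 file name strings)
    # offset/length at 0x64/0x68, last-run FILETIME at 0x78, run count at 0x90.
    strings_off, strings_len = struct.unpack_from("<II", data, 0x64)
    last_run = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    blob = data[strings_off:strings_off + strings_len].decode("utf-16-le", "replace")
    return {"exe": exe, "last_run": filetime_to_datetime(last_run),
            "run_count": run_count, "loaded": [s for s in blob.split("\x00") if s]}


def load_prefetch_dir(path: str) -> list:
    """Parse every .pf in a directory, e.g. a copy of C:\\WINDOWS\\Prefetch."""
    entries = []
    for name in os.listdir(path):
        if name.lower().endswith(".pf"):
            with open(os.path.join(path, name), "rb") as fh:
                entries.append(parse_prefetch(fh.read()))
    return entries


def flag_download_chain(entries: list, window_s: int = 120) -> list:
    """(trigger, tool, seconds_after) for each stage tool run within window_s after RUNDLL32.EXE.
    window_s = 120 is an assumed threshold, not a value from the thread."""
    hits = []
    triggers = [t for t in entries if t["exe"].upper() == "RUNDLL32.EXE"]
    for trig in triggers:
        for e in entries:
            if e["exe"].upper() not in STAGE_TOOLS:
                continue
            delta = (e["last_run"] - trig["last_run"]).total_seconds()
            if 0 <= delta <= window_s:
                hits.append((trig["exe"], e["exe"], delta))
    return hits


# --- constructed sample .pf images for the example (not Jack's real files) ---
def build_prefetch(exe: str, last_run: datetime, run_count: int, loaded: list) -> bytes:
    """Minimal version-17 image: header, file-info block, then only section C."""
    strings = "".join(s + "\x00" for s in loaded).encode("utf-16-le")
    hdr = bytearray(0x98)
    struct.pack_into("<I4sII", hdr, 0, PF_VERSION_XP, PF_SIGNATURE, 0x0F, 0x98 + len(strings))
    name = exe.encode("utf-16-le")[:58]
    hdr[0x10:0x10 + len(name)] = name
    struct.pack_into("<II", hdr, 0x64, 0x98, len(strings))
    ticks = ((last_run - EPOCH_1601) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", hdr, 0x78, ticks)
    struct.pack_into("<I", hdr, 0x90, run_count)
    return bytes(hdr) + strings


T0 = datetime(2006, 1, 1, 14, 30, 0, tzinfo=timezone.utc)   # constructed incident time
VOL = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\"
SAMPLE_PF = [
    build_prefetch("RUNDLL32.EXE", T0, 12, [VOL + "SHIMGVW.DLL", VOL + "GDI32.DLL"]),
    build_prefetch("CMD.EXE", T0 + timedelta(seconds=3), 5, [VOL + "CMD.EXE"]),
    build_prefetch("FTP.EXE", T0 + timedelta(seconds=4), 1, [VOL + "FTP.EXE", VOL + "WS2_32.DLL"]),
    build_prefetch("NOTEPAD.EXE", T0 - timedelta(hours=2), 40, [VOL + "NOTEPAD.EXE"]),
]


def triage(pf_blobs: list) -> list:
    """Parse raw .pf images and return the suspicious run sequence, if any."""
    return flag_download_chain([parse_prefetch(b) for b in pf_blobs])


if __name__ == "__main__":
    for trig, tool, secs in triage(SAMPLE_PF):
        print("%s ran %.0f s after %s" % (tool, secs, trig))
```

Run load_prefetch_dir() against a copy of the Prefetch directory taken before any cleanup, because each .pf holds only the most recent run: once cmd.exe is used again during troubleshooting, the timestamp that mattered is overwritten. Vista and later use a different prefetch version, so parse_prefetch() deliberately refuses anything but version 17.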



 
DC
      01-02-2006
Jack wrote:
> XPHome SP2, fully patched. Opened a picture link, it flashed up my download
> manager trying to download the file eid6.wmf, which shut before I could
> close it and flashed open the picture and fax viewer which I closed and
> disconnected from the internet. The following new process was running:


> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
> C:\Documents and Settings\%username%\Local Settings\Temporary Internet
> Files\Content.IE5\WTABCDEZ\eid6[1].wmf


> Closed it and cleaned the IE cache and rebooted and it didn't restart.
> Following files were created around this time and may or may not be related:


> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf


> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf


> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf


> C:\WINDOWS\system32\CatRoot2\tmp.edb


> I removed the prefetch files, the catroot2 file was in use and could not be
> moved and disappeared over a reboot. Then used SR to restore to a point
> prior. Doesn't seem as if there is any obvious residual, but does anyone
> know anything else I should do or look for? I had not unregistered
> shimgvw.dll or applied Ilfak Guilfanov's temp patch:


> http://www.grc.com/sn/notes-020.htm


> Thanks.



Nice. I *just* finished getting my brother all patched up for this. I
sent him a copy of your post to show him I'm no Chicken Little. }:O)

As for what to do now, the best info I've found on this is here:
http://isc.sans.org/diary.php

Set your IE security to HIGH and watch that space[1], I guess.

Good luck.


[1] While you are waiting, try this:
http://opensource.region-stuttgart.d...ux_desktop.php

Way cool. }BO)

--
DC Linux RU #1000111011000111001

The word 'politics' is derived from the word 'poly', meaning 'many'
and the word 'ticks', meaning 'blood sucking parasites'.
 
C. DelPlato
      01-02-2006
DC wrote:

> Jack wrote:


>> XPHome SP2, fully patched. Opened a picture link,


From where?

>> it flashed up my
>> download manager trying to download the file eid6.wmf, which shut
>> before I could close it and flashed open the picture and fax viewer
>> which I closed and disconnected from the internet. The following new
>> process was running:

>
>> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
>> C:\Documents and Settings\%username%\Local Settings\Temporary
>> Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf


I did sorta the same thing just for yucks, but I went to the webpages in the
links that were posted (that were supposedly downloading the exploit behind
my back) and nothing happened. No problems. Maybe because I had Irfanview
set as the default .wmf viewer already?

>> Closed it and cleaned the IE cache and rebooted and it didn't
>> restart. Following files were created around this time and may or
>> may not be related:

>
>> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

>
>> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

>
>> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

>
>> C:\WINDOWS\system32\CatRoot2\tmp.edb

>
>> I removed the prefetch files, the catroot2 file was in use and could
>> not be moved and disappeared over a reboot. Then used SR to restore
>> to a point prior. Doesn't seem as if there is any obvious residual,
>> but does anyone know anything else I should do or look for? I had
>> not unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:

>
>> http://www.grc.com/sn/notes-020.htm


Sheesh. Glad I never experienced anything like that.

>> Thanks.

>
>
> Nice. I *just* finished getting my brother all patched up for this.
> I sent him a copy of your post to show him I'm no Chicken Little.
> }:O)
>
> As for what to do now, the best info I've found on this is here:
> http://isc.sans.org/diary.php
>
> Set your IE security to HIGH and watch that space[1], I guess.


Mine is set to medium.

> Good luck.
>
>
> [1] While you are waiting, try this:
> http://opensource.region-stuttgart.d...ux_desktop.php
>
> Way cool. }BO)



 
Trax
      01-02-2006
"C. DelPlato" <C. (E-Mail Removed)> wrote:

|>DC wrote:
|>
|>> Jack wrote:
|>
|>>> XPHome SP2, fully patched. Opened a picture link,
|>
|>From where?
|>
|>>> it flashed up my
|>>> download manager trying to download the file eid6.wmf, which shut
|>>> before I could close it and flashed open the picture and fax viewer
|>>> which I closed and disconnected from the internet. The following new
|>>> process was running:
|>>
|>>> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
|>>> C:\Documents and Settings\%username%\Local Settings\Temporary
|>>> Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf

|>I did sorta the same thing just for yucks, but I went to the webpages in the
|>links that were posted (that were supposedly downloading the exploit behind
|>my back) and nothing happened. No problems. Maybe because I had Irfanview
|>set as the default .wmf viewer already?

No, setting Irfanview as default will not prevent the WMF exploit, I
had thought so as well.

Open Irfanview and look at Options, Set file associations.
WMF isn't listed; Windows Picture and Fax Viewer is used
instead.

Just turn off the Windows viewer...
http://www.annoyances.org/exec/show/article03-201
How many WMFs have you view'd in the past anyhow?

|>>> Closed it and cleaned the IE cache and rebooted and it didn't
|>>> restart. Following files were created around this time and may or
|>>> may not be related:
|>>
|>>> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
|>>
|>>> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
|>>
|>>> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
|>>
|>>> C:\WINDOWS\system32\CatRoot2\tmp.edb
|>>
|>>> I removed the prefetch files, the catroot2 file was in use and could
|>>> not be moved and disappeared over a reboot. Then used SR to restore
|>>> to a point prior. Doesn't seem as if there is any obvious residual,
|>>> but does anyone know anything else I should do or look for? I had
|>>> not unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:
|>>
|>>> http://www.grc.com/sn/notes-020.htm
|>
|>Sheesh. Glad I never experienced anything like that.
|>
|>>> Thanks.
|>>
|>>
|>> Nice. I *just* finished getting my brother all patched up for this.
|>> I sent him a copy of your post to show him I'm no Chicken Little.
|>> }:O)
|>>
|>> As for what to do now, the best info I've found on this is here:
|>> http://isc.sans.org/diary.php
|>>
|>> Set your IE security to HIGH and watch that space[1], I guess.
|>
|>Mine is set to medium.
|>
|>> Good luck.
|>>
|>>
|>> [1] While you are waiting, try this:
|>> http://opensource.region-stuttgart.d...ux_desktop.php
|>>
|>> Way cool. }BO)
|>


--
Time Wasting Sites on the Net
http://freebies.about.com/od/710/tp/timewasting.htm
 
DC
      01-02-2006
C. DelPlato wrote:
> DC wrote:


[...]

>> Set your IE security to HIGH and watch that space[1], I guess.


> Mine is set to medium.


Whoopie. Way to trim that post, by the way. New computer for
Christmas?

--
DC Linux RU #1000111011000111001

The word 'politics' is derived from the word 'poly', meaning 'many'
and the word 'ticks', meaning 'blood sucking parasites'.
 
C. DelPlato
      01-02-2006
Trax wrote:

> "C. DelPlato" <C. (E-Mail Removed)> wrote:
>
>>> DC wrote:
>>>
>>>> Jack wrote:
>>>
>>>>> XPHome SP2, fully patched. Opened a picture link,
>>>
>>> From where?
>>>
>>>>> it flashed up my
>>>>> download manager trying to download the file eid6.wmf, which shut
>>>>> before I could close it and flashed open the picture and fax
>>>>> viewer which I closed and disconnected from the internet. The
>>>>> following new process was running:
>>>>
>>>>> "rundll32.exe"
>>>>> C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen C:\Documents
>>>>> and Settings\%username%\Local Settings\Temporary Internet
>>>>> Files\Content.IE5\WTABCDEZ\eid6[1].wmf

>
>>> I did sorta the same thing just for yucks, but I went to the
>>> webpages in the links that were posted (that were supposedly
>>> downloading the exploit behind my back) and nothing happened. No
>>> problems. Maybe because I had Irfanview set as the default .wmf
>>> viewer already?

>
> No, setting Irfanview as default will not prevent the WMF exploit, I
> had thought so as well.
>
> Open Irfanview and look at Options, Set file associations.
>>>> WMF isn't listed; Windows Picture and Fax Viewer is used
> instead.


You better look again. .wmf is most certainly listed in Irfanview 3.9.7
(for Windows XP)

<snip>



 
C. DelPlato
      01-02-2006
DC wrote:

> C. DelPlato wrote:
>> DC wrote:

>
> [...]
>
>>> Set your IE security to HIGH and watch that space[1], I guess.

>
>> Mine is set to medium.

>
> Whoopie. Way to trim that post, by the way. New computer for
> Christmas?


Did I trim anything you wished to reply to? If so, why not just restore it
and respond? What's the big deal?


 
Trax
      01-02-2006
"C. DelPlato" <C. (E-Mail Removed)> wrote:

|>Trax wrote:
|>
|>> "C. DelPlato" <C. (E-Mail Removed)> wrote:
|>>
|>>>> DC wrote:
|>>>>
|>>>>> Jack wrote:
|>>>>
|>>>>>> XPHome SP2, fully patched. Opened a picture link,
|>>>>
|>>>> From where?
|>>>>
|>>>>>> it flashed up my
|>>>>>> download manager trying to download the file eid6.wmf, which shut
|>>>>>> before I could close it and flashed open the picture and fax
|>>>>>> viewer which I closed and disconnected from the internet. The
|>>>>>> following new process was running:
|>>>>>
|>>>>>> "rundll32.exe"
|>>>>>> C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen C:\Documents
|>>>>>> and Settings\%username%\Local Settings\Temporary Internet
|>>>>>> Files\Content.IE5\WTABCDEZ\eid6[1].wmf
|>>
|>>>> I did sorta the same thing just for yucks, but I went to the
|>>>> webpages in the links that were posted (that were supposedly
|>>>> downloading the exploit behind my back) and nothing happened. No
|>>>> problems. Maybe because I had Irfanview set as the default .wmf
|>>>> viewer already?
|>>
|>> No, setting Irfanview as default will not prevent the WMF exploit, I
|>> had thought so as well.
|>>
|>> Open Irfanview and look at Options, Set file associations.
|>>>> WMF isn't listed; Windows Picture and Fax Viewer is used
|>> instead.

|>You better look again. .wmf is most certainly listed in Irfanview 3.9.7
|>(for Windows XP)

I stand corrected, I expected alphabetical order and went to the
bottom.

There was a post on microsoft.public.windowsxp.general that mention'd
irfanview being vulnerable
Message-ID: <(E-Mail Removed)>
Look'd at the file associations didn't see WMF and figure'd that was
the reason.

--
Time Wasting Sites on the Net
http://freebies.about.com/od/710/tp/timewasting.htm
 
DC
      01-02-2006
C. DelPlato wrote:
> DC wrote:


>> C. DelPlato wrote:
>>> DC wrote:


>> [...]


>>>> Set your IE security to HIGH and watch that space[1], I guess.


>>> Mine is set to medium.


>> Whoopie. Way to trim that post, by the way. New computer for
>> Christmas?


> Did I trim anything you wished to reply to? If so, why not just restore it
> and respond? What's the big deal?


No, you didn't trim a goddamn thing. In fact, out of all your original
text, only *four words* were in reply to anything *I* wrote.

Moron.


--
DC Linux RU #1000111011000111001

The word 'politics' is derived from the word 'poly', meaning 'many'
and the word 'ticks', meaning 'blood sucking parasites'.
 
C. DelPlato
      01-02-2006
Trax wrote:

> "C. DelPlato" <C. (E-Mail Removed)> wrote:
>
>>> Trax wrote:
>>>
>>>> "C. DelPlato" <C. (E-Mail Removed)> wrote:
>>>>
>>>>>> DC wrote:
>>>>>>
>>>>>>> Jack wrote:
>>>>>>
>>>>>>>> XPHome SP2, fully patched. Opened a picture link,
>>>>>>
>>>>>> From where?
>>>>>>
>>>>>>>> it flashed up my
>>>>>>>> download manager trying to download the file eid6.wmf, which
>>>>>>>> shut before I could close it and flashed open the picture and
>>>>>>>> fax viewer which I closed and disconnected from the internet.
>>>>>>>> The following new process was running:
>>>>>>>
>>>>>>>> "rundll32.exe"
>>>>>>>> C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
>>>>>>>> C:\Documents and Settings\%username%\Local Settings\Temporary
>>>>>>>> Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf
>>>>
>>>>>> I did sorta the same thing just for yucks, but I went to the
>>>>>> webpages in the links that were posted (that were supposedly
>>>>>> downloading the exploit behind my back) and nothing happened. No
>>>>>> problems. Maybe because I had Irfanview set as the default .wmf
>>>>>> viewer already?
>>>>
>>>> No, setting Irfanview as default will not prevent the WMF exploit,
>>>> I had thought so as well.
>>>>
>>>> Open Irfanview and look at Options, Set file associations.
>>>> WMF isn't listed; Windows Picture and Fax Viewer is used
>>>> instead.

>
>>> You better look again. .wmf is most certainly listed in Irfanview
>>> 3.9.7 (for Windows XP)

>
> I stand corrected, I expected alphabetical order and went to the
> bottom.


It happens.

> There was a post on microsoft.public.windowsxp.general that mention'd
> irfanview being vulnerable
> Message-ID: <(E-Mail Removed)>
> Look'd at the file associations didn't see WMF and figure'd that was
> the reason.


Like I said. I had Irfanview set to handle .wmf (and every other photo
extension) because I think it's probably the BEST freeware image-related
program ever produced.

Whether or not my file-associations stopped any malware from being installed
on my machine by merely visiting the links in question is beyond me.

All I can tell ya, is that nothing bad happened when I did.
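
Nothing visibly happening is not evidence that the pages did not serve an exploit file. The MS06-001 flaw is in gdi32.dll's metafile player, which honoured a META_ESCAPE record carrying the SETABORTPROC escape by registering, and then calling, a procedure located inside the file itself. It is reached by any program that renders the WMF through GDI (rundll32 loading shimgvw.dll, as in Jack's process line, is only one such path), so changing the viewer association argued over above changes which program is the victim rather than whether there is one. SETABORTPROC has no legitimate use in a metafile stored on disk, so its presence is a reliable indicator, and the cached file (the eid6[1].wmf path in Jack's post) is the thing to check. The parser below is an added example for this page, not code from the thread, from Microsoft or from IrfanView. It walks the record stream by RecordSize the way the GDI player does, so a changed record size or padding does not slip past it the way it can slip past a fixed byte-pattern signature; it also handles the optional placeable header and truncated files, and it tests itself on sample files it constructs. The placeholder string used as escape data is inert, not exploit code.

```python
import struct

META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009            # the escape code whose handling MS06-001 fixed
PLACEABLE_KEY = 0x9AC6CDD7       # Aldus placeable-metafile magic
PLACEABLE_LEN = 22
HEADER_LEN = 18


def iter_records(data: bytes):
    """Walk WMF records as the GDI player does: 4-byte size in words, 2-byte function, params.
    Yields (offset, function, params); params is None for a record that runs past the file."""
    off = PLACEABLE_LEN if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + HEADER_LEN:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    if header_words != 9:
        raise ValueError("bad META_HEADER size: %d words" % header_words)
    off += HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            yield off, func, None
            return
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def scan_wmf(data: bytes) -> list:
    """Findings as (offset, description): SETABORTPROC escapes and malformed record streams."""
    findings = []
    saw_eof = False
    for off, func, params in iter_records(data):
        if params is None:
            findings.append((off, "record 0x%04x runs past end of file (truncated or bogus size)" % func))
            return findings
        if func == META_EOF:
            saw_eof = True
        elif func == META_ESCAPE and len(params) >= 4:
            esc, nbytes = struct.unpack_from("<HH", params, 0)
            if esc == SETABORTPROC:
                findings.append((off, "META_ESCAPE/SETABORTPROC carrying %d bytes of escape data" % nbytes))
    if not saw_eof:
        findings.append((len(data), "no META_EOF record before end of data"))
    return findings


# --- constructed sample files for the example (not the eid6.wmf from the thread) ---
def record(func: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    body = b"".join(records)
    total_words = (HEADER_LEN + len(body)) // 2
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_words, 0)
    return header + body


BENIGN_WMF = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8)), record(META_EOF)])
STUB = b"ABORTPROC-STUB--"   # inert placeholder where a real exploit carries code
SUSPECT_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(STUB)) + STUB),
    record(META_EOF),
])
PLACEABLE_SUSPECT_WMF = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + SUSPECT_WMF


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                        ("placeable", PLACEABLE_SUSPECT_WMF), ("truncated", SUSPECT_WMF[:40])]:
        print(label, scan_wmf(blob))
```

Copy the cached file off the machine and run this on a patched or non-Windows host; do not open it in anything that renders images, and that includes Explorer's thumbnail view, which goes through GDI as well. Treat a truncated or oversized record as suspicious too: a file that was only meant to be displayed has no reason to be malformed.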


 