Encountered WMF Vulnerability

Discussion in 'Computer Support' started by Jack, Jan 1, 2006.

  1. Jack (Guest)

    XPHome SP2, fully patched. Opened a picture link, it flashed up my download
    manager trying to download the file eid6.wmf, which shut before I could
    close it and flashed open the picture and fax viewer which I closed and
    disconnected from the internet. The following new process was running:

    "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
    C:\Documents and Settings\%username%\Local Settings\Temporary Internet
    Files\Content.IE5\WTABCDEZ\eid6[1].wmf

    Closed it and cleaned the IE cache and rebooted and it didn't restart.
    Following files were created around this time and may or may not be related:

    C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

    C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

    C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

    C:\WINDOWS\system32\CatRoot2\tmp.edb

    I removed the prefetch files; the catroot2 file was in use and could not be
    moved, and disappeared over a reboot. Then used SR to restore to a point
    prior. Doesn't seem as if there is any obvious residual, but does anyone
    know anything else I should do or look for? I had not unregistered
    shimgvw.dll or applied Ilfak Guilfanov's temp patch:

    http://www.grc.com/sn/notes-020.htm

    Thanks.


    --
    Regards
     
    Jack, Jan 1, 2006
    #1
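Jack asks what else to look for. The replies below cover mitigation (unregistering shimgvw.dll, Ilfak's patch, the IE security level) but not how to triage the cached file itself, so here is an added example that is not code from anyone in the thread: a small scanner that walks a WMF's record list and flags the Escape/SETABORTPROC record that the vulnerable viewer honoured (the mechanism of this flaw, known from public analysis rather than stated in the thread), so a cached file such as eid6[1].wmf can be checked offline. The two sample files at the bottom are constructed for testing, not real files from the incident.

```python
import os
import struct

# Record function numbers and constants from the public WMF format.
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009         # Escape sub-function the WMF flaw abused
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header
# First four bytes of a placeable or a plain (type 1/2, 9-word header) WMF.
WMF_HEADS = (struct.pack("<I", PLACEABLE_MAGIC), b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")
def scan_wmf(data: bytes) -> list:
    """Flag Escape/SETABORTPROC records and structural oddities; [] means clean."""
    off = 22 if data[:4] == WMF_HEADS[0] else 0
    if len(data) < off + 18:
        return ["truncated: no standard header"]
    findings, saw_eof = [], False
    off += struct.unpack_from("<H", data, off + 2)[0] * 2  # header size is in words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        if rec_len < 6 or off + rec_len > len(data):
            findings.append(f"record at 0x{off:x} has bad size {size_words} words")
            break
        if func == META_EOF:
            saw_eof = True
            break
        if func == META_ESCAPE and rec_len >= 8:
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                findings.append(f"Escape/SETABORTPROC record at 0x{off:x}")
        off += rec_len
    if not saw_eof:
        findings.append("no EOF record")
    return findings

def scan_directory(root: str) -> dict:
    """Map WMF-looking files under root (e.g. the IE cache) to findings; judged by content."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            found = scan_wmf(data) if data[:4] in WMF_HEADS else []
            if found:
                hits[path] = found
    return hits

# Constructed samples, not files from the thread: 18-byte header plus records.
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params
def _wmf(records: bytes) -> bytes:
    return struct.pack("<HHHIHIH", 1, 9, 0x300, (18 + len(records)) // 2, 0, 0, 0) + records
BENIGN_WMF = _wmf(_record(META_EOF))
ESCAPE_PARAMS = struct.pack("<HH", SETABORTPROC, 4) + bytes(4)  # escape code, count, zeros
SUSPECT_WMF = _wmf(_record(META_ESCAPE, ESCAPE_PARAMS) + _record(META_EOF))
```

Pointing scan_directory at the Temporary Internet Files tree lists only files that look like a WMF by content and carry a finding, which matters because the flaw did not depend on the file's extension.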

  2. DC (Guest)

    Jack wrote:
    > XPHome SP2, fully patched. Opened a picture link, it flashed up my download
    > manager trying to download the file eid6.wmf, which shut before I could
    > close it and flashed open the picture and fax viewer which I closed and
    > disconnected from the internet. The following new process was running:


    > "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
    > C:\Documents and Settings\%username%\Local Settings\Temporary Internet
    > Files\Content.IE5\WTABCDEZ\eid6[1].wmf


    > Closed it and cleaned the IE cache and rebooted and it didn't restart.
    > Following files were created around this time and may or may not be related:


    > C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf


    > C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf


    > C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf


    > C:\WINDOWS\system32\CatRoot2\tmp.edb


    > I removed the prefetch files, the catroot2 file was in use and could not be
    > moved and disappeared over a reboot. Then used SR to restore to a point
    > prior. Doesn't seem as if there is any obvious residual, but does anyone
    > know anything else I should do or look for? I had not unregistered
    > shimgvw.dll or applied Ilfak Guilfanov's temp patch:


    > http://www.grc.com/sn/notes-020.htm


    > Thanks.



    Nice. I *just* finished getting my brother all patched up for this. I
    sent him a copy of your post to show him I'm no Chicken Little. }:O)

    As for what to do now, the best info I've found on this is here:
    http://isc.sans.org/diary.php

    Set your IE security to HIGH and watch that space[1], I guess.

    Good luck.


    [1] While you are waiting, try this:
    http://opensource.region-stuttgart.de/test_linux_desktop.php

    Way cool. }BO)

    --
    DC Linux RU #1000111011000111001

    The word 'politics' is derived from the word 'poly', meaning 'many'
    and the word 'ticks', meaning 'blood sucking parasites'.
     
    DC, Jan 2, 2006
    #2

  3. C. DelPlato (Guest)

    DC wrote:

    > Jack wrote:


    >> XPHome SP2, fully patched. Opened a picture link,


    From where?

    >> it flashed up my
    >> download manager trying to download the file eid6.wmf, which shut
    >> before I could close it and flashed open the picture and fax viewer
    >> which I closed and disconnected from the internet. The following new
    >> process was running:

    >
    >> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
    >> C:\Documents and Settings\%username%\Local Settings\Temporary
    >> Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf


    I did sorta the same thing just for yucks, but I went to the webpages in the
    links that were posted (that were supposedly downloading the exploit behind
    my back) and nothing happened. No problems. Maybe because I had Irfanview
    set as the default .wmf viewer already?

    >> Closed it and cleaned the IE cache and rebooted and it didn't
    >> restart. Following files were created around this time and may or
    >> may not be related:

    >
    >> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

    >
    >> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

    >
    >> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

    >
    >> C:\WINDOWS\system32\CatRoot2\tmp.edb

    >
    >> I removed the prefetch files, the catroot2 file was in use and could
    >> not be moved and disappeared over a reboot. Then used SR to restore
    >> to a point prior. Doesn't seem as if there is any obvious residual,
    >> but does anyone know anything else I should do or look for? I had
    >> not unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:

    >
    >> http://www.grc.com/sn/notes-020.htm


    Sheesh. Glad I never experienced anything like that.

    >> Thanks.

    >
    >
    > Nice. I *just* finished getting my brother all patched up for this.
    > I sent him a copy of your post to show him I'm no Chicken Little.
    > }:O)
    >
    > As for what to do now, the best info I've found on this is here:
    > http://isc.sans.org/diary.php
    >
    > Set your IE security to HIGH and watch that space[1], I guess.


    Mine is set to medium.

    > Good luck.
    >
    >
    > [1] While you are waiting, try this:
    > http://opensource.region-stuttgart.de/test_linux_desktop.php
    >
    > Way cool. }BO)
     
    C. DelPlato, Jan 2, 2006
    #3
  4. Trax (Guest)

    "C. DelPlato" <C. > wrote:

    |>DC wrote:
    |>
    |>> Jack wrote:
    |>
    |>>> XPHome SP2, fully patched. Opened a picture link,
    |>
    |>From where?
    |>
    |>>> it flashed up my
    |>>> download manager trying to download the file eid6.wmf, which shut
    |>>> before I could close it and flashed open the picture and fax viewer
    |>>> which I closed and disconnected from the internet. The following new
    |>>> process was running:
    |>>
    |>>> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
    |>>> C:\Documents and Settings\%username%\Local Settings\Temporary
    |>>> Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf

    |>I did sorta the same thing just for yucks, but I went to the webpages in the
    |>links that were posted (that were supposedly downloading the exploit behind
    |>my back) and nothing happened. No problems. Maybe because I had Irfanview
    |>set as the default .wmf viewer already?

    No, setting Irfanview as default will not prevent the WMF exploit, I
    had thought so as well.

    Open Irfanview and look at Options, Set file associations.
    WMF isn't listed; the Windows fax and picture viewer is used
    instead.

    Just turn off the windows viewer...
    http://www.annoyances.org/exec/show/article03-201
    How many WMF's have you view'd in the past anyhow?

    |>>> Closed it and cleaned the IE cache and rebooted and it didn't
    |>>> restart. Following files were created around this time and may or
    |>>> may not be related:
    |>>
    |>>> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
    |>>
    |>>> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
    |>>
    |>>> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
    |>>
    |>>> C:\WINDOWS\system32\CatRoot2\tmp.edb
    |>>
    |>>> I removed the prefetch files, the catroot2 file was in use and could
    |>>> not be moved and disappeared over a reboot. Then used SR to restore
    |>>> to a point prior. Doesn't seem as if there is any obvious residual,
    |>>> but does anyone know anything else I should do or look for? I had
    |>>> not unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:
    |>>
    |>>> http://www.grc.com/sn/notes-020.htm
    |>
    |>Sheesh. Glad I never experienced anything like that.
    |>
    |>>> Thanks.
    |>>
    |>>
    |>> Nice. I *just* finished getting my brother all patched up for this.
    |>> I sent him a copy of your post to show him I'm no Chicken Little.
    |>> }:O)
    |>>
    |>> As for what to do now, the best info I've found on this is here:
    |>> http://isc.sans.org/diary.php
    |>>
    |>> Set your IE security to HIGH and watch that space[1], I guess.
    |>
    |>Mine is set to medium.
    |>
    |>> Good luck.
    |>>
    |>>
    |>> [1] While you are waiting, try this:
    |>> http://opensource.region-stuttgart.de/test_linux_desktop.php
    |>>
    |>> Way cool. }BO)
    |>


    --
    Time Wasting Sites on the Net
    http://freebies.about.com/od/710/tp/timewasting.htm
     
    Trax, Jan 2, 2006
    #4
  5. DC (Guest)

    C. DelPlato wrote:
    > DC wrote:


    [...]

    >> Set your IE security to HIGH and watch that space[1], I guess.


    > Mine is set to medium.


    Whoopie. Way to trim that post, by the way. New computer for
    Christmas?

    --
    DC Linux RU #1000111011000111001

    The word 'politics' is derived from the word 'poly', meaning 'many'
    and the word 'ticks', meaning 'blood sucking parasites'.
     
    DC, Jan 2, 2006
    #5
  6. C. DelPlato (Guest)

    Trax wrote:

    > "C. DelPlato" <C. > wrote:
    >
    >>> DC wrote:
    >>>
    >>>> Jack wrote:
    >>>
    >>>>> XPHome SP2, fully patched. Opened a picture link,
    >>>
    >>> From where?
    >>>
    >>>>> it flashed up my
    >>>>> download manager trying to download the file eid6.wmf, which shut
    >>>>> before I could close it and flashed open the picture and fax
    >>>>> viewer which I closed and disconnected from the internet. The
    >>>>> following new process was running:
    >>>>
    >>>>> "rundll32.exe"
    >>>>> C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen C:\Documents
    >>>>> and Settings\%username%\Local Settings\Temporary Internet
    >>>>> Files\Content.IE5\WTABCDEZ\eid6[1].wmf

    >
    >>> I did sorta the same thing just for yucks, but I went to the
    >>> webpages in the links that were posted (that were supposedly
    >>> downloading the exploit behind my back) and nothing happened. No
    >>> problems. Maybe because I had Irfanview set as the default .wmf
    >>> viewer already?

    >
    > No, setting Irfanview as default will not prevent the WMF exploit, I
    > had thought so as well.
    >
    > Open Irfanview and look at Options, Set file associations.
    > WMF isn't listed; the Windows fax and picture viewer is used
    > instead.


    You better look again. .wmf is most certainly listed in Irfanview 3.9.7
    (for WindowsXP)

    <snip>
     
    C. DelPlato, Jan 2, 2006
    #6
  7. C. DelPlato (Guest)

    DC wrote:

    > C. DelPlato wrote:
    >> DC wrote:

    >
    > [...]
    >
    >>> Set your IE security to HIGH and watch that space[1], I guess.

    >
    >> Mine is set to medium.

    >
    > Whoopie. Way to trim that post, by the way. New computer for
    > Christmas?


    Did I trim anything you wished to reply to? If so, why not just restore it
    and respond? What's the big deal?
     
    C. DelPlato, Jan 2, 2006
    #7
  8. Trax (Guest)

    "C. DelPlato" <C. > wrote:

    |>Trax wrote:
    |>
    |>> "C. DelPlato" <C. > wrote:
    |>>
    |>>>> DC wrote:
    |>>>>
    |>>>>> Jack wrote:
    |>>>>
    |>>>>>> XPHome SP2, fully patched. Opened a picture link,
    |>>>>
    |>>>> From where?
    |>>>>
    |>>>>>> it flashed up my
    |>>>>>> download manager trying to download the file eid6.wmf, which shut
    |>>>>>> before I could close it and flashed open the picture and fax
    |>>>>>> viewer which I closed and disconnected from the internet. The
    |>>>>>> following new process was running:
    |>>>>>
    |>>>>>> "rundll32.exe"
    |>>>>>> C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen C:\Documents
    |>>>>>> and Settings\%username%\Local Settings\Temporary Internet
    |>>>>>> Files\Content.IE5\WTABCDEZ\eid6[1].wmf
    |>>
    |>>>> I did sorta the same thing just for yucks, but I went to the
    |>>>> webpages in the links that were posted (that were supposedly
    |>>>> downloading the exploit behind my back) and nothing happened. No
    |>>>> problems. Maybe because I had Irfanview set as the default .wmf
    |>>>> viewer already?
    |>>
    |>> No, setting Irfanview as default will not prevent the WMF exploit, I
    |>> had thought so as well.
    |>>
    |>> Open Irfanview and look at Options, Set file associations.
    |>> WMF isn't listed; the Windows fax and picture viewer is used
    |>> instead.

    |>You better look again. .wmf is most certainly listed in Irfanview 3.9.7
    |>(for WindowsXP)

    I stand corrected, I expected alphabetical order and went to the
    bottom.

    There was a post on microsoft.public.windowsxp.general that mention'd
    irfanview being vulnerable.
    Message-ID: <>
    Look'd at the file associations, didn't see WMF, and figure'd that was
    the reason.

    --
    Time Wasting Sites on the Net
    http://freebies.about.com/od/710/tp/timewasting.htm
     
    Trax, Jan 2, 2006
    #8
  9. DC (Guest)

    C. DelPlato wrote:
    > DC wrote:


    >> C. DelPlato wrote:
    >>> DC wrote:


    >> [...]


    >>>> Set your IE security to HIGH and watch that space[1], I guess.


    >>> Mine is set to medium.


    >> Whoopie. Way to trim that post, by the way. New computer for
    >> Christmas?


    > Did I trim anything you wished to reply to? If so, why not just restore it
    > and respond? What's the big deal?


    No, you didn't trim a goddamn thing. In fact, out of all your original
    text, only *four words* were in reply to anything *I* wrote.

    Moron.


    --
    DC Linux RU #1000111011000111001

    The word 'politics' is derived from the word 'poly', meaning 'many'
    and the word 'ticks', meaning 'blood sucking parasites'.
     
    DC, Jan 2, 2006
    #9
  10. C. DelPlato (Guest)

    Trax wrote:

    > "C. DelPlato" <C. > wrote:
    >
    >>> Trax wrote:
    >>>
    >>>> "C. DelPlato" <C. > wrote:
    >>>>
    >>>>>> DC wrote:
    >>>>>>
    >>>>>>> Jack wrote:
    >>>>>>
    >>>>>>>> XPHome SP2, fully patched. Opened a picture link,
    >>>>>>
    >>>>>> From where?
    >>>>>>
    >>>>>>>> it flashed up my
    >>>>>>>> download manager trying to download the file eid6.wmf, which
    >>>>>>>> shut before I could close it and flashed open the picture and
    >>>>>>>> fax viewer which I closed and disconnected from the internet.
    >>>>>>>> The following new process was running:
    >>>>>>>
    >>>>>>>> "rundll32.exe"
    >>>>>>>> C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
    >>>>>>>> C:\Documents and Settings\%username%\Local Settings\Temporary
    >>>>>>>> Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf
    >>>>
    >>>>>> I did sorta the same thing just for yucks, but I went to the
    >>>>>> webpages in the links that were posted (that were supposedly
    >>>>>> downloading the exploit behind my back) and nothing happened. No
    >>>>>> problems. Maybe because I had Irfanview set as the default .wmf
    >>>>>> viewer already?
    >>>>
    >>>> No, setting Irfanview as default will not prevent the WMF exploit,
    >>>> I had thought so as well.
    >>>>
    >>>> Open Irfanview and look at Options, Set file associations.
    >>>> WMF isn't listed; the Windows fax and picture viewer is used
    >>>> instead.

    >
    >>> You better look again. .wmf is most certainly listed in Irfanview
    >>> 3.9.7 (for WindowsXP)

    >
    > I stand corrected, I expected alphabetical order and went to the
    > bottom.


    It happens. :)

    > There was a post on microsoft.public.windowsxp.general that mention'd
    > irfanview being vulnerable
    > Message-ID: <>
    > Look'd at the file associations didn't see WMF and figure'd that was
    > the reason.


    Like I said. I had Irfanview set to handle .wmf (and every other photo
    extension) because I think it's probably the BEST freeware image-related
    program ever produced.

    Whether or not my file-associations stopped any malware from being installed
    on my machine by merely visiting the links in question is beyond me.

    All I can tell ya is that nothing bad happened when I did.
     
    C. DelPlato, Jan 2, 2006
    #10
  11. C. DelPlato (Guest)

    DC wrote:

    > C. DelPlato wrote:
    >> DC wrote:

    >
    >>> C. DelPlato wrote:
    >>>> DC wrote:

    >
    >>> [...]

    >
    >>>>> Set your IE security to HIGH and watch that space[1], I guess.

    >
    >>>> Mine is set to medium.

    >
    >>> Whoopie. Way to trim that post, by the way. New computer for
    >>> Christmas?

    >
    >> Did I trim anything you wished to reply to? If so, why not just
    >> restore it and respond? What's the big deal?

    >
    > No, you didn't trim a goddamn thing.


    Then why imply that I did?

    > In fact, out of all your
    > original text, only *four words* were in reply to anything *I* wrote.


    Have another drink.
     
    C. DelPlato, Jan 2, 2006
    #11