Home of the World Famous VIRUS BUSTERS
We Ain't 'Fraid O' No Virus!

The Windows MetaFile (WMF) Exploit Vulnerability

Summary

  • Virus/Worm/Trojan Name: Exploit-WMF (VirusScan)
  • Discovered: 12/27/05
  • General Description: This is a Windows vulnerability
  • Mitigating factors: VirusScan (and other antivirus products) detect and prevent known exploits; third party (non-Microsoft) remedies exist
  • Protective filters installed on the U-M e-mail gateway: Yes. Initially installed as of 11:05 a.m., 12/28/05; updated 10:20 p.m. 12/30/05 and 01:35 a.m. 01/01/06 as new variants appeared.
  • Affected systems: Windows computers only. *ALL* versions of Windows.
  • This page created: 01/03/06 01:34 a.m.
  • This page last updated: 01/04/06 10:20 a.m.

UPDATES

01/05/06 16:02:32 EST: Microsoft changed its mind and released the update early. Woo hoo! So, if you haven't installed the 3rd party patch, IMMEDIATELY log in with Admin rights and do a Windows Update. And if you *HAVE* patched, disconnect from the 'Net, log in with admin rights, uninstall the patch, reconnect to the 'Net, and immediately run a Windows Update.

01/04/06: Microsoft has announced that they will release a patch for this ... during their regular patch cycle. In other words, not until Tuesday, January 10th. Absolutely incredible; they should have issued one already. FEH!!!

How This Exploit Propagates

Via spam e-mail, hostile web sites, and probably other things—merely by attempting to view something that purports to be a graphic (but actually is a hostile object that creates a buffer overflow that allows the system to be compromised).

What You Are Likely to See

A very nice description of the Windows MetaFile exploit is found at F-Secure's Weblog—be sure to read entries back to Wednesday, December 28, 2005, to get the full story. IT IS NOT PRETTY.

The somewhat-good news is that, according to our logs, as of 10:00 a.m. 01/03/2006, we've only seen 38 e-mails blocked because of this vulnerability at the U-M e-mail gateway (none since 4:55 p.m. 12/30/05, interestingly). That doesn't mean that nobody here has been compromised—the vulnerability does not exploit e-mail alone, and there might be exploits our gateway scanners do not yet recognize—but at least it is a hopeful sign: perhaps the e-mail-based attacks are limited, in general, at least at this point. That said, we still recommend prompt action.
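To make concrete what a gateway filter of this kind does, here is an added example (not the Virus Busters' or any gateway vendor's code): a small Python scanner that walks the record list of a WMF file and refuses any file carrying a META_ESCAPE record of sub-type SETABORTPROC, the record the known exploits relied on to get their code run, as well as files whose record sizes are malformed. The record layout follows the public WMF format; the sample files at the bottom are constructed inline for the test and are not captured samples.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header before META_HEADER
META_HEADER_LEN = 18           # standard header: 9 16-bit words
META_ESCAPE = 0x0626           # record type carrying printer-escape sub-functions
META_EOF = 0x0000
SETABORTPROC = 0x0009          # escape sub-function the WMF exploits relied on


def scan_wmf(data: bytes) -> dict:
    """Return {'verdict': 'clean'|'block'|'malformed', 'findings': [...]}."""
    findings, pos = [], 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + META_HEADER_LEN:
        return {"verdict": "malformed", "findings": ["truncated header"]}
    ftype, hdr_words, _version = struct.unpack_from("<HHH", data, pos)
    if ftype not in (1, 2) or hdr_words != 9:
        findings.append("bad META_HEADER")
    pos += META_HEADER_LEN
    while pos + 6 <= len(data):               # each record: size (words), function
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == META_EOF:
            break
        if size_words < 3 or pos + size_words * 2 > len(data):
            findings.append(f"record at {pos}: implausible size {size_words}")
            break
        if func == META_ESCAPE and size_words >= 5:
            esc_func, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if esc_func == SETABORTPROC:
                findings.append(f"record at {pos}: META_ESCAPE SETABORTPROC, {byte_count} bytes")
        pos += size_words * 2
    else:
        findings.append("no META_EOF record")
    verdict = "block" if any("SETABORTPROC" in f for f in findings) else ("malformed" if findings else "clean")
    return {"verdict": verdict, "findings": findings}


def _record(func: int, params: bytes) -> bytes:
    """Build one WMF record: size in words, function code, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


# Constructed test inputs, not captured samples: a minimal header, one SETBKMODE
# record, EOF; and the same with a SETABORTPROC escape whose data is placeholder zeros.
HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
BENIGN_WMF = HEADER + _record(0x0102, struct.pack("<H", 1)) + _record(META_EOF, b"")
SUSPECT_WMF = (HEADER
               + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)
               + _record(META_EOF, b""))
```

A filter built this way blocks on record structure rather than on a byte signature, so it is not defeated by swapping the payload; a truncated or size-mangled file is reported as malformed rather than passed through.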

Symptoms of Infection

Since this is caused by a buffer overflow, the symptoms can be almost anything the Black Hats choose to craft. And since new variants are appearing, it would be imprudent to list symptoms at this point. Until Microsoft issues a fix and thereby makes it possible for everyone to be protected, we won't attempt to summarize.

How to Protect Your Computer

First, let me say that I have not seen an actual sample—and even if I had, it would be only one of many possible attacks. But I believe at this point that your best strategy is to do the following.
  • Make sure you have VirusScan installed, and that it is updating properly. As of this writing, VirusScan should have the 4665 DATs; DAT files are released every weekday and sometimes more frequently.
  • Disabling file indexing is a good idea—including Google's search tool and the built-in Windows Indexing Service. [If you don't, and you happen to encounter a hostile WMF file, you can get zapped without any interaction on your part.]
  • At the risk of stating the obvious, be particularly wary of opening any emails from unknown sources, or browsing to untrusted web sites—not ever, but particularly not now.

And, most important:

  • Protect yourself until Microsoft has a patch:

    This is now obsolete, since Microsoft has released its patch. Please update Windows immediately if you have not done so already.

    1. Unregister Windows Picture and Fax Viewer (Shimgvw.dll): Click Start, click Run, type
         regsvr32 -u %windir%\system32\shimgvw.dll

      and close the resulting dialog box. The effect of this is that some icons may not display as you'd expect—a minor price to pay.
    2. If you are using Windows XP SP2, temporarily disable automatic Windows Updates: Open your Control Panel and double-click on the Security Center icon, then click Manage security settings for Automatic Updates. Note your current setting, and change it to Download updates for me, but let me choose when to install them. You'll have to do this using an account with admin rights. The reason for doing this is so that you can manually uninstall the third-party patch you will apply in Step 3 when Microsoft has a fix, instead of relying on Microsoft to remove that patch properly.
    3. Download and install the WMF Exploit patch, written by Ilfak Guilfanov and tested by many, from any of the links at the top of Ilfak's www.hexblog.com web site (leaving our site).
    4. When Microsoft has released a patch and your computer has downloaded it, disconnect from the Internet.
    5. Then uninstall Ilfak's patch: Open the Control Panel, select Add or Remove Programs, then uninstall "Windows WMF Metafile Vulnerability HotFix."
    6. Rebooting now is not a bad idea, but you probably can skip it. In any event, now (when logged in with admin rights) install the newly released patch(es) from Microsoft that handle the WMF vulnerability.
    7. Return Windows Updates to its previous state, and re-register Windows Picture and Fax Viewer: Click Start, click Run, type
         regsvr32 %windir%\system32\shimgvw.dll

      and close the resulting dialog box.
    8. Reconnect to the Internet.

For More Information

See these pages:

-BPB


This information can be freely reproduced in any medium as long as the information is unmodified.

U-M Virus Busters

virus.busters@umich.edu

ITCS | University of Michigan
Copyright © 1996-2005 The Regents of The University of Michigan


This page last updated January 05, 2006