From: "Saucy Lemon" <saucy@s.can.be>
|
| No one is sure at this point. The exploit has been known for a few days and
| you can be sure the criminals and terrorists have been working around the
| clock to take advantage of this one. It's a real plum because a computer can
| be affected just by visiting a website etc. etc.
|
| Keep your anti-virus as up-to-date as possible. You might consider, too
| unregistering the shimgvw.dll DLL file if you are confident operating
| computers. If this bothers you in any way don't do it. If this bothers you
| in any way don't do it. If this bothers you in any way don't do it. But it
| is a good idea:
|
| Start >> Run > type in:
|
| regsvr32 -u %windir%\system32\shimgvw.dll
|
| Hit Enter.
|
| You can reregister it later. It will screw up the Picture Viewer a bit and
| there might be anomalies with the display of some graphic files, but your
| computer should run OK without it for a few days until the patch is
| available. De-registering the DLL is not 100% protection, but doing so
| presents any exploiter with a hurdle.
|
| Later to re-register it type:
|
| regsvr32 %windir%\system32\shimgvw.dll
|
| instead. Further you might consider renaming the DLL in the
| System32\dllcache folder and the System32 folder. Do the dllcache folder
| copy first to bypass Windows file protection. Example of a rename is:
|
| shimgvw.dll renamed to shimgvw.dll.bak
|
| After you rename the one in the System32 folder, Windows File Protection
| will kick in and ask if you are sure etc. etc.
|
| This enables you to quickly restore the file. Renaming helps because an
| exploiter might be crafty enough to re-register the DLL on the fly ....
| tough - but possible.
|
| If your computer is newer and has an AMD64 / Sempron or a newer Intel P4 /
| Celeron then you probably have a CPU with the no execution bit. This means
| that, combined with enabling DEP in Windows XP SP2, the exploit will fail
| against your computer. Something to consider, eh? The no execution bit in a
| modern CPU plus DEP in Windows XP SP2 blocks a lot of "buffer overflow"
| vulnerability that so many exploits depend upon. For once, a *real* reason
| to upgrade.
|
That's only part of the solution.
Quote NOD32 Switzerland:
"Paolo Monti has released a temporary patch for the WMF vulnerability
( see Microsoft Security Bulletin 912840 ). This patch intercepts the
Escape GDI32 API in order to filter the SETABORTPROC (function number
9). It uses dynamic API hooks avoiding patching/modifying of the GDI32
code. Advantages of this approach: fully dynamic - no reboot is
required.
This patch also works on Windows 9x/ME. Administrator rights are
required to install it on WinNT,2000,XP, 2003 systems.
Installation: unzip the file WMFPATCH11.ZIP and run the provided
INSTALL.EXE file. Follow the instructions of the installer.
Uninstallation: go into Windows Control Panel, Add/Remove Programs,
select "GDI32 - WMF Patch" and remove it."
You can get it here
http://www.nod32.ch/en/download/tools.php
Unlike other patches, this is Win9x/ME compatible.
It should also be noted that a few of the possibly 206 variants of the WMF-Exploit will
download and auto-install the Backdoor.Haxdoor Trojan, a nasty multi-blended Trojan that
uses RootKit technology.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
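The NOD32 patch quoted above works at the API layer, filtering the SETABORTPROC escape (function number 9) as GDI32 is asked to play a metafile. A complementary, defender-side check is to look for the same escape in the file itself before it is ever rendered. The scanner below is an added example, not code from this thread or from the NOD32 patch: it walks a WMF's record list and flags every META_ESCAPE record whose escape function is SETABORTPROC. The record layout and opcode constants are taken from the public MS-WMF specification; the sample files it builds are constructed test fixtures (header, one escape record padded with zero bytes, and an EOF record) and are not real-world files.

```python
import struct

# Record and escape codes from the public MS-WMF format specification.
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header


def iter_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string.

    A malformed or truncated record ends the walk instead of raising, so the
    caller still sees every record found before the damage.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("too short to hold a WMF header")
    mtype, header_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += 18  # META_HEADER is 9 words long
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # RecordSize, RecordFunction
        end = off + size_words * 2  # RecordSize counts 16-bit words, itself included
        if size_words < 3 or end > len(data):
            return  # malformed or truncated record: stop here
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data):
    """Return [(record_offset, byte_count)] for every SETABORTPROC escape record."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


def raw_setabortproc_offsets(data):
    """Header-agnostic fallback: record offsets of any 'META_ESCAPE, SETABORTPROC' word pair.

    Catches files the structured walk gives up on (bad header, truncated record).
    It can false-positive on arbitrary data, so treat its output as triage.
    """
    needle = struct.pack("<HH", META_ESCAPE, SETABORTPROC)
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(max(pos - 4, 0))  # back up over the 4-byte RecordSize field
        pos = data.find(needle, pos + 1)
    return hits


def scan(data):
    """Combine both checks; a non-WMF header yields no structured hits rather than an error."""
    try:
        structured = find_setabortproc(data)
    except ValueError:
        structured = []
    return {"structured": structured, "raw": raw_setabortproc_offsets(data)}


# --- constructed test fixtures (not real-world files) -------------------------

def _record(func, params=b""):
    size_words = (6 + len(params) + 1) // 2
    body = struct.pack("<IH", size_words, func) + params
    return body + b"\x00" * (size_words * 2 - len(body))  # pad to a whole word


def build_sample(with_escape, placeable=False):
    """Minimal WMF: header, optional SETABORTPROC escape with zero filler, EOF."""
    records = []
    if with_escape:
        filler = b"\x00" * 8  # constructed filler bytes, no meaning
        records.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(filler)) + filler))
    records.append(_record(META_EOF))
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    wmf = header + body
    if placeable:
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for word in struct.unpack("<10H", head):  # checksum is the XOR of the first ten words
            checksum ^= word
        wmf = head + struct.pack("<H", checksum) + wmf
    return wmf


if __name__ == "__main__":
    for name, sample in (("clean", build_sample(False)), ("escape", build_sample(True))):
        print(name, scan(sample))
```

The structured walk tells you where in the file the escape sits and how many bytes it claims; the raw search is there for files whose header or record sizes are damaged, which the structured walk deliberately refuses to reason about. A file-level scan is a different layer from the API hook: it helps mail gateways and on-access scanners, but it cannot see a file that reaches GDI32 by a route you did not scan, so it complements rather than replaces the patch.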