#1
Is there a way to search the PC to see if you have been exploited? I use Zone Alarm and my AV is up-to-date. I also use MS Antispy.

How would I know if my PC was breached? Is there a scan or something I can do to see?

Thanks
#2
If your AV is any good, it should have heuristic detection to see if anything is taking advantage of the vulnerability. If you're running Norton Antivirus or Symantec Antivirus, you're covered.
#3
Microsoft Statement Concerning Windows Meta File Vulnerability
http://www.microsoft.com/presspass/p...FUpdatePR.mspx

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

"doofdaddy@gmail.com" wrote:

> Is there a way to search the PC to see if you have been exploited? I
> use Zone Alarm and my AV is up-to-date. I also use MS Antispy.
>
> How would I know if my PC was breached? Is there a scan or something I
> can do to see?
>
> Thanks
#4
Visit the Windows Live Safety Center and use the Complete Scan option to check for and remove malicious software that takes advantage of this vulnerability.

Windows Live Safety Center
http://safety.live.com/site/en-US/default.htm

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

"doofdaddy@gmail.com" wrote:

> Is there a way to search the PC to see if you have been exploited? I
> use Zone Alarm and my AV is up-to-date. I also use MS Antispy.
>
> How would I know if my PC was breached? Is there a scan or something I
> can do to see?
>
> Thanks
#8
doofdaddy@gmail.com wrote:

> Is there a way to search the PC to see if you have been exploited? I
> use Zone Alarm and my AV is up-to-date. I also use MS Antispy.
>
> How would I know if my PC was breached? Is there a scan or something I
> can do to see?
>
> Thanks

No one is sure at this point. The exploit has been known for a few days and you can be sure the criminals and terrorists have been working around the clock to take advantage of this one. It's a real plum because a computer can be affected just by visiting a website etc. etc.

Keep your anti-virus as up-to-date as possible. You might consider, too, unregistering the shimgvw.dll DLL file if you are confident operating computers. If this bothers you in any way don't do it. If this bothers you in any way don't do it. If this bothers you in any way don't do it. But it is a good idea:

Start > Run > type in:

    regsvr32 -u %windir%\system32\shimgvw.dll

Hit Enter.

You can re-register it later. It will screw up the Picture Viewer a bit and there might be anomalies with the display of some graphic files, but your computer should run OK without it for a few days until the patch is available. De-registering the DLL is not 100% protection, but doing so presents any exploiter with a hurdle.

Later, to re-register it, type:

    regsvr32 %windir%\system32\shimgvw.dll

instead.

Further, you might consider renaming the DLL in the System32\dllcache folder and the System32 folder. Do the dllcache folder copy first to bypass Windows File Protection. Example of a rename is:

    shimgvw.dll renamed to shimgvw.dll.bak

After you rename the one in the System32 folder, Windows File Protection will kick in and ask if you are sure etc. etc. This enables you to quickly restore the file. Renaming helps because an exploiter might be crafty enough to re-register the DLL on the fly .... tough - but possible.

If your computer is newer and has an AMD64 / Sempron or a newer Intel P4 / Celeron then you probably have a CPU with the no-execute bit. This means that, combined with enabling DEP in Windows XP SP2, the exploit will fail against your computer. Something to consider, eh? The no-execute bit in a modern CPU plus DEP in Windows XP SP2 blocks a lot of the "buffer overflow" vulnerabilities that so many exploits depend upon. For once, a *real* reason to upgrade.
#9
From: "Carey Frisch [MVP]" <mrxp2004@nospamyahoo.com>

| Visit the Windows Live Safety Center and use the Complete Scan option
| to check for and remove malicious software that takes advantage of this
| vulnerability.
|
| Windows Live Safety Center
| http://safety.live.com/site/en-US/default.htm

Carey:

Please /* STOP */ suggesting that web site!

It is a Beta and has the lowest catch rate in the AV industry. Yesterday I placed three WMF-Exploit files in a folder and scanned the PC. They were detected but NOT deleted. I gave it a Zoo and it had a 22% catch rate. I have been continually testing Windows Live Safety and the results are poor to bad. I have been providing feedback to Randy Treit, Microsoft, and it was based upon my feedback that the latest version now allows you to scan a particular location and not just all hard disks. However you STILL can't save or capture a log of what was performed or found. You can't even copy and paste from the web site.

Just for this post, I tested a Zoo of infectors. 74 EXE-only files. I made it *very* simple and none were installed into the OS; all are just sitting in a folder and I scanned that folder. ALL of these EXEs have been submitted to Microsoft via the submission email address prior to this test. In this test only 43 of the 74 known infectors were found. That's only 58%! If you are infected with one of the infectors NOT recognized by the web site you are screwed.

I then took that same zoo of EXE files and scanned with the Kaspersky module in my Multi AV Scanning Tool and the Kaspersky web based scanner. The results were that 89% of the files were deleted! 8 were left. Of those eight that were left, Kaspersky had their infections detected BUT the file was not removed for some reason such as...

C:\1\CMDINST.EXE archive: Inno
C:\1\CMDINST.EXE/data0001 packed: UPX
C:\1\CMDINST.EXE/data0001 infected: not-a-virus:AdWare.Win32.CommAd.a
C:\1\CMDINST.EXE/data0001 disinfection failed: not-a-virus:AdWare.Win32.CommAd.a
C:\1\CMDINST.EXE disinfection failed: not-a-virus:AdWare.Win32.CommAd.a
C:\1\DH9013.EXE archive: NSIS
C:\1\DH9013.EXE/data0002 infected: Trojan-Clicker.Win32.Small.jf
C:\1\DH9013.EXE/data0002 disinfection failed: Trojan-Clicker.Win32.Small.jf
C:\1\DH9013.EXE disinfection failed: Trojan-Clicker.Win32.Small.jf
C:\1\MOMSON~1.EXE/bpkhk.dll infected: not-a-virus:Monitor.Win32.Perflogger.g
C:\1\MOMSON~1.EXE/bpkhk.dll disinfection failed: not-a-virus:Monitor.Win32.Perflogger.g
C:\1\MOMSON~1.EXE disinfection failed: not-a-virus:Monitor.Win32.Perflogger.g

Scanning the system using the McAfee and Sophos modules in my Multi AV Scanning tool removed those remaining 8 files!

I know that you are a MS MVP. That does not mean that you HAVE TO only provide Microsoft based solutions. If someone has a problem, and it is security related, please supply the BEST solution and not just a Microsoft solution.

If you are going to give out web sites of online anti virus scanners, here is a list of tried and true, well-established anti virus vendors..

Kaspersky: http://www.kaspersky.com/de/scanforvirus
Trend: http://housecall.antivirus.com
http://housecall.trendmicro.com
Symantec: http://security.symantec.com/
F-Secure: http://support.f-secure.com/enu/home/ols.shtml
McAfee: http://www.mcafee.com/myapps/mfs/default.asp
BitDefender: http://www.bitdefender.com/scan/license.php
Freedom Online scanner: http://www.freedom.net/viruscenter/index.html
Panda ActiveScan: http://http://www.activescan.com/
Computer Associates: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Download MULTI_AV.EXE from the URL -- http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...

Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT { or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }

This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.
http://www.ik-cs.com/multi-av.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#10
From: "Saucy Lemon" <saucy@s.can.be>

| No one is sure at this point. The exploit has been known for a few days and
| you can be sure the criminals and terrorists have been working around the
| clock to take advantage of this one. It's a real plum because a computer can
| be affected just by visiting a website etc. etc.
|
| Keep your anti-virus as up-to-date as possible. You might consider, too,
| unregistering the shimgvw.dll DLL file if you are confident operating
| computers. If this bothers you in any way don't do it. If this bothers you
| in any way don't do it. If this bothers you in any way don't do it. But it
| is a good idea:
| Start > Run > type in:
|
| regsvr32 -u %windir%\system32\shimgvw.dll
|
| Hit Enter.
|
| You can re-register it later. It will screw up the Picture Viewer a bit and
| there might be anomalies with the display of some graphic files, but your
| computer should run OK without it for a few days until the patch is
| available. De-registering the DLL is not 100% protection, but doing so
| presents any exploiter with a hurdle.
|
| Later, to re-register it, type:
|
| regsvr32 %windir%\system32\shimgvw.dll
|
| instead. Further, you might consider renaming the DLL in the
| System32\dllcache folder and the System32 folder. Do the dllcache folder
| copy first to bypass Windows File Protection. Example of a rename is:
|
| shimgvw.dll renamed to shimgvw.dll.bak
|
| After you rename the one in the System32 folder, Windows File Protection
| will kick in and ask if you are sure etc. etc.
|
| This enables you to quickly restore the file. Renaming helps because an
| exploiter might be crafty enough to re-register the DLL on the fly ....
| tough - but possible.
|
| If your computer is newer and has an AMD64 / Sempron or a newer Intel P4 /
| Celeron then you probably have a CPU with the no-execute bit. This means
| that, combined with enabling DEP in Windows XP SP2, the exploit will fail
| against your computer. Something to consider, eh? The no-execute bit in a
| modern CPU plus DEP in Windows XP SP2 blocks a lot of the "buffer overflow"
| vulnerabilities that so many exploits depend upon. For once, a *real* reason
| to upgrade.

That's only part of the solution.

Quote NOD32 Switzerland:

"Paolo Monti has released a temporary patch for the WMF vulnerability (see Microsoft Security Bulletin 912840). This patch intercepts the Escape GDI32 API in order to filter the SETABORTPROC (function number 9). It uses dynamic API hooks avoiding patching/modifying of the GDI32 code. Advantages of this approach: fully dynamic - no reboot is required. This patch also works on Windows 9x/ME. Administrator rights are required to install it on WinNT, 2000, XP, 2003 systems.

Installation: unzip the file WMFPATCH11.ZIP and run the provided INSTALL.EXE file. Follow the instructions of the installer.

Uninstallation: go into Windows Control Panel, Add/Remove Programs, select "GDI32 - WMF Patch" and remove it."

You can get it here
http://www.nod32.ch/en/download/tools.php

Unlike other patches, this is Win9x/ME compatible.

It should also be noted that a few of the possibly 206 variants of the WMF-Exploit will download and auto-install the Backdoor.Haxdoor Trojan. A nasty multi-blended Trojan that uses RootKit technology.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
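The NOD32 patch quoted above works at run time by hooking the GDI32 Escape API and dropping SETABORTPROC (escape function 9). The same signature can be checked at the file level before a WMF is ever handed to GDI, which is what an AV or mail-gateway scanner does. The scanner below is an added example for this thread; it is not code from Microsoft, NOD32, Paolo Monti or any poster. It assumes only the documented WMF layout: an optional 22-byte placeable header (key 0x9AC6CDD7), an 18-byte METAHEADER, then records whose first DWORD is the record length in 16-bit words and whose next WORD is the function code (META_ESCAPE is 0x0626, META_EOF is 0x0000). The sample files, the filler bytes standing in for escape data, and the function names are constructed for the example.

```python
"""Scan a WMF byte string for META_ESCAPE records that select SETABORTPROC.

Added example for the WMF-exploit thread, not code from the thread or from
any vendor. Layout assumptions are the documented WMF record format; all
sample files below are constructed here and contain no shellcode.
"""
import struct
from dataclasses import dataclass

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key
PLACEABLE_LEN = 22
METAHEADER_LEN = 18
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape function the exploit abuses
MM_ANISOTROPIC = 8


@dataclass
class Record:
    offset: int    # byte offset of the record within the file
    func: int      # WMF function code
    params: bytes  # parameter bytes actually present in the file


def parse_records(data):
    """Walk the record stream. Returns (records, anomalies). Parsing stops
    at META_EOF, at end of data, or at a record whose declared length
    cannot even hold its own size and function fields (< 3 words)."""
    records, anomalies = [], []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = PLACEABLE_LEN
    if len(data) < off + METAHEADER_LEN:
        raise ValueError("too short for a WMF METAHEADER")
    mtype, header_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF METAHEADER")
    off += METAHEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3:
            anomalies.append(f"record at {off}: impossible length {size_words} words")
            end = off + 6
        elif end > len(data):
            anomalies.append(f"record at {off}: declared length runs past end of file")
        records.append(Record(off, func, data[off + 6:min(end, len(data))]))
        if func == META_EOF or size_words < 3 or end > len(data):
            break
        off = end
    return records, anomalies


def scan_wmf(data):
    """Report offsets of META_ESCAPE records whose escape function is
    SETABORTPROC. The escape code is read straight from the file at
    offset+6, so a bogus record length does not hide it."""
    records, anomalies = parse_records(data)
    hits = []
    for rec in records:
        if rec.func == META_ESCAPE and rec.offset + 8 <= len(data):
            escape_func = struct.unpack_from("<H", data, rec.offset + 6)[0]
            if escape_func == SETABORTPROC:
                hits.append(rec.offset)
    return {"setabortproc_offsets": hits, "anomalies": anomalies}


def wmf_record(func, params=b""):
    """Encode one record: length in 16-bit words, function code, params."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Prefix a METAHEADER (memory metafile, version 0x0300) to the records."""
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (METAHEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


def with_placeable_header(wmf):
    """Prepend a constructed placeable header (100x100 units, 96 dpi)."""
    return struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + wmf


# Constructed samples, not files from the thread.
BENIGN_WMF = build_wmf([
    wmf_record(META_SETMAPMODE, struct.pack("<H", MM_ANISOTROPIC)),
    wmf_record(META_EOF),
])

_filler = b"\x90" * 32  # stands in for the escape data; not shellcode
SETABORTPROC_WMF = build_wmf([
    wmf_record(META_SETMAPMODE, struct.pack("<H", MM_ANISOTROPIC)),
    wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(_filler)) + _filler),
    wmf_record(META_EOF),
])

# Same escape, but the record claims a length of 1 word, as a hand-built
# file might to trip up a naive parser; the detector still reports it.
BOGUS_LENGTH_WMF = build_wmf([
    struct.pack("<IH", 1, META_ESCAPE) + struct.pack("<H", SETABORTPROC),
])

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("setabortproc", SETABORTPROC_WMF),
                       ("bogus-length", BOGUS_LENGTH_WMF)]:
        print(name, scan_wmf(blob))
```

The scan deliberately keeps going after a truncated or impossibly short record and still inspects the function and escape words that are physically present, because a file that GDI would choke on is exactly the kind of file the exploit relies on; a scanner that bails out on the first malformed length would miss the record it was looking for. A clean file produces no hits and no anomalies.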