Encountered WMF Vulnerability


#1  01-05-2006, 05:41 AM  Jack
Encountered WMF Vulnerability

XPHome SP2, fully patched. Opened a picture link, it flashed up my download
manager trying to download the file eid6.wmf, which shut before I could
close it and flashed open the picture and fax viewer which I closed and
disconnected from the internet. The following new process was running:

"rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
C:\Documents and Settings\%username%\Local Settings\Temporary Internet
Files\Content.IE5\WTABCDEZ\eid6[1].wmf

Closed it and cleaned the IE cache and rebooted and it didn't restart.
Following files were created around this time and may or may not be related:

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf

C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf

C:\WINDOWS\system32\CatRoot2\tmp.edb

I removed the prefetch files; the catroot2 file was in use and could not be
moved, and disappeared over a reboot. Then used SR to restore to a point
prior. Doesn't seem as if there is any obvious residual, but does anyone
know anything else I should do or look for? I had not unregistered
shimgvw.dll or applied Ilfak Guilfanov's temp patch:

http://www.grc.com/sn/notes-020.htm

Thanks.


--
Regards



#2  01-05-2006, 05:41 AM  MAP
Re: Encountered WMF Vulnerability

Jack wrote:
> XPHome SP2, fully patched. Opened a picture link, it flashed up my
> download manager trying to download the file eid6.wmf, which shut
> before I could close it and flashed open the picture and fax viewer
> which I closed and disconnected from the internet. The following new
> process was running:
>
> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
> C:\Documents and Settings\%username%\Local Settings\Temporary Internet
> Files\Content.IE5\WTABCDEZ\eid6[1].wmf
>
> Closed it and cleaned the IE cache and rebooted and it didn't restart.
> Following files were created around this time and may or may not be
> related:
>
> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
>
> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
>
> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
>
> C:\WINDOWS\system32\CatRoot2\tmp.edb
>
> I removed the prefetch files, the catroot2 file was in use and could
> not be moved and disappeared over a reboot. Then used SR to restore
> to a point prior. Doesn't seem as if there is any obvious residual,
> but does anyone know anything else I should do or look for? I had not
> unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:
>
> http://www.grc.com/sn/notes-020.htm
>
> Thanks.


What Anti-virus program do you use? Most can already detect this exploit.
Here is some reading on this.
http://www.updatexp.com/wmf-exploit.html
If you read the link above, it mentions that this exploit can download and
install trojans and/or malware. I suggest that you try Ewido for 14 days free;
it will also detect the WMF vulnerability if your system is still infected.
http://www.ewido.net/en/

The following is copied and pasted from the MS virus newsgroups courtesy of
David Lipman.



Scanner        Version          Updated      Result
AntiVir        6.33.0.70        12.29.2005   TR/Dldr.WMF.Agent.D
Avast          4.6.695.0        12.29.2005   Win32:Exdown
AVG            718              12.29.2005   Downloader.Agent.13.AI
Avira          6.33.0.70        12.29.2005   TR/Dldr.WMF.Agent.D
BitDefender    7.2              12.29.2005   Exploit.Win32.WMF-PFV.C
CAT-QuickHeal  8.00             12.29.2005   WMF.Exploit
ClamAV         devel-20051123   12.29.2005   Exploit.WMF.A
DrWeb          4.33             12.29.2005   Exploit.MS05-053
eTrust-Iris    7.1.194.0        12.29.2005   Win32/Worfo.C!Trojan
eTrust-Vet     12.4.1.0         12.29.2005   Win32/Worfo
Ewido          3.5              12.29.2005   Downloader.Agent.acd
Fortinet       2.54.0.0         12.29.2005   W32/WMF-exploit
F-Prot         3.16c            12.29.2005   security risk or a "backdoor" program
Ikarus         0.2.59.0         12.29.2005   Trojan-Downloader.Win32.Agent.ACD
Kaspersky      4.0.2.24         12.29.2005   Trojan-Downloader.Win32.Agent.acd
McAfee         4662             12.29.2005   Exploit-WMF
Microsoft      ??               12.29.2005   no virus found
NOD32v2        1.1343           12.28.2005   Win32/TrojanDownloader.Wmfex
Norman         5.70.10          12.29.2005   no virus found
Panda          9.0.0.4          12.28.2005   Exploit/Metafile
Sophos         4.01.0           12.29.2005   Troj/DownLdr-NK
Symantec       8.0              12.29.2005   Download.Trojan
TheHacker      5.9.1.064        12.28.2005   Exploit/WMF
Trend Micro    135              12.29.2005   TROJ_NASCENE.D
UNA            1.83             12.29.2005   no virus found
VBA32          3.10.5           12.28.2005   no virus found

--
Mike Pawlak


#3  01-05-2006, 05:41 AM  David H. Lipman
Re: Encountered WMF Vulnerability

From: "Jack" <null@null.com>

| XPHome SP2, fully patched. Opened a picture link, it flashed up my download
| manager trying to download the file eid6.wmf, which shut before I could
| close it and flashed open the picture and fax viewer which I closed and
| disconnected from the internet. The following new process was running:
|
| "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
| C:\Documents and Settings\%username%\Local Settings\Temporary Internet
| Files\Content.IE5\WTABCDEZ\eid6[1].wmf
|
| Closed it and cleaned the IE cache and rebooted and it didn't restart.
| Following files were created around this time and may or may not be related:
|
| C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
|
| C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
|
| C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
|
| C:\WINDOWS\system32\CatRoot2\tmp.edb
|
| I removed the prefetch files, the catroot2 file was in use and could not be
| moved and disappeared over a reboot. Then used SR to restore to a point
| prior. Doesn't seem as if there is any obvious residual, but does anyone
| know anything else I should do or look for? I had not unregistered
| shimgvw.dll or applied Ilfak Guilfanov's temp patch:
|
| http://www.grc.com/sn/notes-020.htm
|
| Thanks.
|

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


#4  01-05-2006, 05:41 AM  Jack
Re: Encountered WMF Vulnerability



"MAP" <mikepawlak2REM@OVEhotmail.com> wrote in message
news:%23SJS1jtDGHA.2320@TK2MSFTNGP12.phx.gbl...
> Jack wrote:
>> XPHome SP2, fully patched. Opened a picture link, it flashed up my
>> download manager trying to download the file eid6.wmf, which shut
>> before I could close it and flashed open the picture and fax viewer
>> which I closed and disconnected from the internet. The following new
>> process was running:
>>
>> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
>> C:\Documents and Settings\%username%\Local Settings\Temporary Internet
>> Files\Content.IE5\WTABCDEZ\eid6[1].wmf
>>
>> Closed it and cleaned the IE cache and rebooted and it didn't restart.
>> Following files were created around this time and may or may not be
>> related:
>>
>> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
>>
>> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
>>
>> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
>>
>> C:\WINDOWS\system32\CatRoot2\tmp.edb
>>
>> I removed the prefetch files, the catroot2 file was in use and could
>> not be moved and disappeared over a reboot. Then used SR to restore
>> to a point prior. Doesn't seem as if there is any obvious residual,
>> but does anyone know anything else I should do or look for? I had not
>> unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:
>>
>> http://www.grc.com/sn/notes-020.htm
>>
>> Thanks.

>
> What Anti-virus program do you use? Most can already detect this exploit.
> Here is some reading on this.
> http://www.updatexp.com/wmf-exploit.html
> If you read the link above it mentions that this exploit can download and
> install trojans and/or malware I suggest that you try Ewido for 14 days
> free
> it will also detect the wmf vulnerability if your system is still
> infected.
> http://www.ewido.net/en/
>
> The following is copied and pasted from the MS virus newsgroups courtesy
> of
> David Lipman.
>
>
>
> AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
> Avast 4.6.695.0 12.29.2005 Win32:Exdown
> AVG 718 12.29.2005 Downloader.Agent.13.AI
> Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
> BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
> CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
> ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
> DrWeb 4.33 12.29.2005 Exploit.MS05-053
> eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
> eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
> Ewido 3.5 12.29.2005 Downloader.Agent.acd
> Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
> F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
> Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
> Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
> McAfee 4662 12.29.2005 Exploit-WMF
> Microsoft ?? 12.29.2005 no virus found
> NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
> Norman 5.70.10 12.29.2005 no virus found
> Panda 9.0.0.4 12.28.2005 Exploit/Metafile
> Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
> Symantec 8.0 12.29.2005 Download.Trojan
> TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
> Trend Micro 135 12.29.2005 TROJ_NASCENE.D
> UNA 1.83 12.29.2005 no virus found
> VBA32 3.10.5 12.28.2005 no virus found
>
> --
> Mike Pawlak



Thanks for your response. I use AVG with the most recent def update and
a-squared updated with detection for the WMF exploit; scans of both for my
entire system show no infection. I think the initial core malware file was
not entirely downloaded and cleaning the cache and the quick disconnect saved
me.

--
Regards


#5  01-05-2006, 05:42 AM  MAP
Re: Encountered WMF Vulnerability

> Thanks for your response. I use AVG with most recent def update and
> a-squared updated with detection
> for the WMF exploit, scans of both for my entire system show no
> infection. I think the initial core malware file was not entirely
> downloaded and cleaning the cache and the quick disconnect saved me


I strongly urge you to replace your AV program!
Use NOD32 or Kaspersky; any decent AV software would have stopped the
download as it was happening and given you a warning to terminate it, thus
preventing an infection in the first place.

--
Mike Pawlak


#6  01-05-2006, 05:42 AM  David H. Lipman
Re: Encountered WMF Vulnerability

From: "Jack" <null@null.com>

|
| Thanks for your response. I use AVG with most recent def update and
| a-squared updated with detection
| for the WMF exploit, scans of both for my entire system show no infection. I
| think the initial core malware file was not entirely downloaded and cleaning
| the cache and the quick disconnect saved me
|

It has been determined that a variant of the Exploit-WMF is causing the installation of a
variant of the Backdoor.Haxdoor Trojan which uses RootKit technology.

Download HiJack This! (HJT).
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and copy the section (and ONLY that section) that is labeled "O23 -
Service:" and paste all the lines starting "O23 - Service:" in your reply.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
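David's request for the O23 lines, as an added example that is not from the thread and not part of HijackThis: a Python script that picks the "O23 - Service:" lines out of a saved HJT log and marks the services a reviewer would look at first. The log excerpt is constructed and every service entry in it is made up; the line layout assumed here (display name, optional short name in parentheses, vendor, image path, joined by " - ", with "Unknown owner" when no vendor could be read and "(file missing)" appended when the binary is absent) follows the HijackThis log format as I know it. The directory lists and the indicator names are the example's own choices.

```python
"""Triage the "O23 - Service:" lines of a HijackThis (HJT) log.

Added example: the log below is constructed and its service entries are
made up. Assumed line layout:
    O23 - Service: <display name> [(<short name>)] - <vendor> - <image path>[ (file missing)]
"""
import re
from dataclasses import dataclass, field

O23_PREFIX = "O23 - Service: "

# Where a legitimately installed service binary normally lives (lower-case prefixes).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Locations a service binary has no business being in.
PROFILE_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\documents and settings\\")

# Constructed HJT log excerpt (not a real log; names and paths are illustrative).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:02:11 AM, on 1/5/2006
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k imgsvc
O23 - Service: Example Update Service (exupd) - Unknown owner - C:\Documents and Settings\Jack\Local Settings\Temp\exupd.exe
O23 - Service: Old Helper (oldhlp) - Unknown owner - C:\WINDOWS\system32\oldhlp.exe (file missing)
"""


@dataclass
class Service:
    display: str
    short: str
    company: str
    path: str
    indicators: list = field(default_factory=list)


def parse_o23_line(line):
    """Return a Service for one O23 line, or None for any other log line."""
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    # Fields are joined with " - "; split from the right so a display name
    # containing " - " does not shift the vendor and path columns.
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, company, path = parts
    m = re.match(r"^(.*) \(([^()]*)\)$", display)   # trailing "(shortname)" is optional
    if m:
        display, short = m.group(1), m.group(2)
    else:
        short = display
    return Service(display, short, company, path)


def triage(service):
    """Attach review indicators to a service; an empty list means nothing stood out."""
    p = service.path.lower()
    found = []
    if service.company.lower() == "unknown owner":
        found.append("no vendor name")
    if p.endswith("(file missing)"):
        found.append("binary missing")
    elif not p.startswith(TRUSTED_DIRS):
        found.append("binary outside Windows/Program Files")
    if any(d in p for d in PROFILE_DIRS):
        found.append("binary in temp/profile directory")
    service.indicators = found
    return found


def review_log(log_text):
    """Parse every O23 line and return the services, most indicators first."""
    services = [s for s in map(parse_o23_line, log_text.splitlines()) if s]
    for s in services:
        triage(s)
    return sorted(services, key=lambda s: len(s.indicators), reverse=True)


if __name__ == "__main__":
    for svc in review_log(SAMPLE_LOG):
        mark = "!!" if svc.indicators else "  "
        print(f"{mark} {svc.short:18} {svc.path}")
        for ind in svc.indicators:
            print(f"      - {ind}")
```

Run as-is it lists the constructed services with the made-up "exupd" entry on top (unknown vendor, binary under a user's Temp folder) and the missing-file entry next. A lone "no vendor name" on a binary already in system32 is a weak signal by itself; the reviewer's next step for such lines is to compare the service name and path against a known-good list for that Windows build rather than act on the indicator alone.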


#7  01-05-2006, 05:42 AM  Richard Urban
Re: Encountered WMF Vulnerability

Have you seen this from eWeek? Ewido doesn't rank very highly here. In fact,
it is dismal! This is from a few days ago, when the tests were being
performed.


AV-Test, which tests anti-malware products, has been tracking the situation
closely and has, so far, analyzed 73 variants of malicious WMF files.
Products from the following companies have identified all 73:

  Alwil Software (Avast)
  Softwin (BitDefender)
  ClamAV
  F-Secure Inc.
  Fortinet Inc.
  McAfee Inc.
  ESET (Nod32)
  Panda Software
  Sophos Plc
  Symantec Corp.
  Trend Micro Inc.
  VirusBuster

These products detected fewer variants:
  62 - eTrust-VET
  62 - QuickHeal
  61 - AntiVir
  61 - Dr Web
  61 - Kaspersky
  60 - AVG
  19 - Command
  19 - F-Prot
  11 - Ewido
   7 - eSafe
   7 - eTrust-INO
   6 - Ikarus
   6 - VBA32
   0 - Norman


The difference for the more effective products is likely to be heuristic
detection, tracking the threat by identifying the basic techniques of the
exploit, rather than looking for specific patterns for specific exploits.


--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!

"MAP" <mikepawlak2REM@OVEhotmail.com> wrote in message
news:%23SJS1jtDGHA.2320@TK2MSFTNGP12.phx.gbl...
> Jack wrote:
>> XPHome SP2, fully patched. Opened a picture link, it flashed up my
>> download manager trying to download the file eid6.wmf, which shut
>> before I could close it and flashed open the picture and fax viewer
>> which I closed and disconnected from the internet. The following new
>> process was running:
>>
>> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
>> C:\Documents and Settings\%username%\Local Settings\Temporary Internet
>> Files\Content.IE5\WTABCDEZ\eid6[1].wmf
>>
>> Closed it and cleaned the IE cache and rebooted and it didn't restart.
>> Following files were created around this time and may or may not be
>> related:
>>
>> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
>>
>> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
>>
>> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
>>
>> C:\WINDOWS\system32\CatRoot2\tmp.edb
>>
>> I removed the prefetch files, the catroot2 file was in use and could
>> not be moved and disappeared over a reboot. Then used SR to restore
>> to a point prior. Doesn't seem as if there is any obvious residual,
>> but does anyone know anything else I should do or look for? I had not
>> unregistered shimgvw.dll or applied Ilfak Guilfanov's temp patch:
>>
>> http://www.grc.com/sn/notes-020.htm
>>
>> Thanks.

>
> What Anti-virus program do you use? Most can already detect this exploit.
> Here is some reading on this.
> http://www.updatexp.com/wmf-exploit.html
> If you read the link above it mentions that this exploit can download and
> install trojans and/or malware I suggest that you try Ewido for 14 days
> free
> it will also detect the wmf vulnerability if your system is still
> infected.
> http://www.ewido.net/en/
>
> The following is copied and pasted from the MS virus newsgroups courtesy
> of
> David Lipman.
>
>
>
> AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
> Avast 4.6.695.0 12.29.2005 Win32:Exdown
> AVG 718 12.29.2005 Downloader.Agent.13.AI
> Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
> BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
> CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
> ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
> DrWeb 4.33 12.29.2005 Exploit.MS05-053
> eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
> eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
> Ewido 3.5 12.29.2005 Downloader.Agent.acd
> Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
> F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
> Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
> Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
> McAfee 4662 12.29.2005 Exploit-WMF
> Microsoft ?? 12.29.2005 no virus found
> NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
> Norman 5.70.10 12.29.2005 no virus found
> Panda 9.0.0.4 12.28.2005 Exploit/Metafile
> Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
> Symantec 8.0 12.29.2005 Download.Trojan
> TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
> Trend Micro 135 12.29.2005 TROJ_NASCENE.D
> UNA 1.83 12.29.2005 no virus found
> VBA32 3.10.5 12.28.2005 no virus found
>
> --
> Mike Pawlak
>
>
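Richard's closing point, that the products catching all 73 variants most likely key on the technique rather than on one byte pattern, as an added example that is not from the thread, from AV-Test or from any product named above: a Python scanner that walks the records of a WMF file and flags the one thing every variant of this exploit family has to carry, an Escape record whose escape function is SETABORTPROC, next to a fixed-bytes check that only matches one exact encoding of that record. The metafiles are constructed in memory (a header, one drawing record, one escape record, no payload) so both checks can be compared offline; the record layout used (optional 22-byte placeable header, 18-byte header, then records of a 32-bit size in 16-bit words followed by a 16-bit function word) is the standard WMF layout, and the low-byte-only comparison is the example's own heuristic choice.

```python
"""Heuristic versus byte-pattern detection of the WMF SETABORTPROC escape.

Added example. The metafiles below are constructed (header plus a couple of
records, no payload) so the two checks can be compared offline.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B
META_SETWINDOWEXT = 0x020C
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009

# What a pattern-based scanner might carry: the exact little-endian bytes of
# "record function 0x0626 followed by escape function 0x0009".
SIGNATURE = b"\x26\x06\x09\x00"


def iter_records(data):
    """Yield (offset, function, params) for each record; raise ValueError on junk."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable (Aldus) header
    if len(data) < off + 18:
        raise ValueError("truncated metafile header")
    file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        if rec_len < 6 or off + rec_len > len(data):   # size covers its own 6 bytes
            raise ValueError(f"bad record size at offset {off}")
        yield off, func, data[off + 6:off + rec_len]
        if func == META_EOF:
            return
        off += rec_len


def signature_scan(data):
    """Pattern match: true only for one exact encoding of the escape record."""
    return data.find(SIGNATURE) != -1


def heuristic_scan(data):
    """Return offsets of records that ask GDI to install an abort procedure.

    Deliberately loose: it keys on what the record does (an Escape carrying
    SETABORTPROC) and compares only the low byte of the function word, so a
    file that changes nothing but the high byte still hits."""
    hits = []
    for off, func, params in iter_records(data):
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def scan(data):
    """Run both checks; 'parsed' is False when the bytes are not a metafile at all."""
    try:
        hits = heuristic_scan(data)
    except ValueError:
        return {"parsed": False, "signature": signature_scan(data), "heuristic": []}
    return {"parsed": True, "signature": signature_scan(data), "heuristic": hits}


def build_wmf(records):
    """Assemble a minimal disk-type WMF from (function, even-length params) pairs."""
    body = b""
    max_words = 3
    for func, params in list(records) + [(META_EOF, b"")]:
        words = 3 + len(params) // 2
        body += struct.pack("<IH", words, func) + params
        max_words = max(max_words, words)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


_DRAWING = [(META_SETWINDOWORG, struct.pack("<hh", 0, 0))]
# Constructed fixtures: a benign file, the exact escape encoding, a file whose
# function word differs only in its high byte, and an unrelated escape number.
BENIGN = build_wmf(_DRAWING + [(META_SETWINDOWEXT, struct.pack("<hh", 100, 100))])
EXACT = build_wmf(_DRAWING + [(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 2) + b"\x00\x00")])
VARIANT = build_wmf(_DRAWING + [(0x0126, struct.pack("<HH", SETABORTPROC, 2) + b"\x00\x00")])
OTHER_ESCAPE = build_wmf(_DRAWING + [(META_ESCAPE, struct.pack("<HH", 0x0022, 2) + b"\x00\x00")])

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("exact", EXACT),
                       ("variant", VARIANT), ("other escape", OTHER_ESCAPE)]:
        print(f"{name:13} {scan(blob)}")
```

The byte-pattern check catches the first encoding and misses the second; the record walker catches both because it asks what the record does, and it stays quiet on the benign file and on an escape with a different function number. The trade-off is the usual one for heuristics: it fires on behaviour, so its false-positive rate is set by how often benign files exhibit that behaviour, and an image file that installs an abort procedure through a metafile is about as rare as benign content gets.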



#8  01-05-2006, 05:42 AM  MAP
Re: Encountered WMF Vulnerability

Thanks for the info!

--
Mike Pawlak



Richard Urban wrote:
> Have you seen this from eWeek? Ewido doesn't rank very highly here.
> In fact, it is dismal! This is from a few days ago, when the tests
> were being performed.
>
>
> AV-Test, which tests anti-malware products, has been tracking the
> situation closely and has, so far, analyzed 73 variants of malicious
> WMF files. Products from the following companies have identified all
> 73:
>
>   Alwil Software (Avast)
>   Softwin (BitDefender)
>   ClamAV
>   F-Secure Inc.
>   Fortinet Inc.
>   McAfee Inc.
>   ESET (Nod32)
>   Panda Software
>   Sophos Plc
>   Symantec Corp.
>   Trend Micro Inc.
>   VirusBuster
>
> These products detected fewer variants:
>   62 - eTrust-VET
>   62 - QuickHeal
>   61 - AntiVir
>   61 - Dr Web
>   61 - Kaspersky
>   60 - AVG
>   19 - Command
>   19 - F-Prot
>   11 - Ewido
>    7 - eSafe
>    7 - eTrust-INO
>    6 - Ikarus
>    6 - VBA32
>    0 - Norman
>
>
> The difference for the more effective products is likely to be
> heuristic detection, tracking the threat by identifying the basic
> techniques of the exploit, rather than looking for specific patterns
> for specific exploits.
>
>
>
> "MAP" <mikepawlak2REM@OVEhotmail.com> wrote in message
> news:%23SJS1jtDGHA.2320@TK2MSFTNGP12.phx.gbl...
>> Jack wrote:
>>> XPHome SP2, fully patched. Opened a picture link, it flashed up my
>>> download manager trying to download the file eid6.wmf, which shut
>>> before I could close it and flashed open the picture and fax viewer
>>> which I closed and disconnected from the internet. The following new
>>> process was running:
>>>
>>> "rundll32.exe" C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen
>>> C:\Documents and Settings\%username%\Local Settings\Temporary
>>> Internet Files\Content.IE5\WTABCDEZ\eid6[1].wmf
>>>
>>> Closed it and cleaned the IE cache and rebooted and it didn't
>>> restart. Following files were created around this time and may or
>>> may not be related:
>>>
>>> C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
>>>
>>> C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf
>>>
>>> C:\WINDOWS\Prefetch\RUNDLL32.EXE-6061F310.pf
>>>
>>> C:\WINDOWS\system32\CatRoot2\tmp.edb
>>>
>>> I removed the prefetch files, the catroot2 file was in use and could
>>> not be moved and disappeared over a reboot. Then used SR to restore
>>> to a point prior. Doesn't seem as if there is any obvious residual,
>>> but does anyone know anything else I should do or look for? I had
>>> not unregistered shimgvw.dll or applied Ilfak Guilfanov's temp
>>> patch:
>>>
>>> http://www.grc.com/sn/notes-020.htm
>>>
>>> Thanks.

>>
>> What Anti-virus program do you use? Most can already detect this
>> exploit. Here is some reading on this.
>> http://www.updatexp.com/wmf-exploit.html
>> If you read the link above it mentions that this exploit can
>> download and install trojans and/or malware I suggest that you try
>> Ewido for 14 days free
>> it will also detect the wmf vulnerability if your system is still
>> infected.
>> http://www.ewido.net/en/
>>
>> The following is copied and pasted from the MS virus newsgroups
>> courtesy of
>> David Lipman.
>>
>>
>>
>> AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
>> Avast 4.6.695.0 12.29.2005 Win32:Exdown
>> AVG 718 12.29.2005 Downloader.Agent.13.AI
>> Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
>> BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
>> CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
>> ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
>> DrWeb 4.33 12.29.2005 Exploit.MS05-053
>> eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
>> eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
>> Ewido 3.5 12.29.2005 Downloader.Agent.acd
>> Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
>> F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
>> Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
>> Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
>> McAfee 4662 12.29.2005 Exploit-WMF
>> Microsoft ?? 12.29.2005 no virus found
>> NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
>> Norman 5.70.10 12.29.2005 no virus found
>> Panda 9.0.0.4 12.28.2005 Exploit/Metafile
>> Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
>> Symantec 8.0 12.29.2005 Download.Trojan
>> TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
>> Trend Micro 135 12.29.2005 TROJ_NASCENE.D
>> UNA 1.83 12.29.2005 no virus found
>> VBA32 3.10.5 12.28.2005 no virus found
>>
>> --
>> Mike Pawlak




#9  01-05-2006, 05:42 AM  MAP
Re: Encountered WMF Vulnerability

David H. Lipman wrote:

> From: "Jack" <null@null.com>
> It has been determined that a variant of the Exploit-WMF is causing
> the installation of a variant of the Backdoor.Haxdoor Trojan which
> uses RootKit technology.


Hi David, if you are familiar with "process guard" I would like your opinion
on it.
http://www.diamondcs.com.au/processguard/

Thanks!

--
Mike Pawlak


#10  01-05-2006, 05:42 AM  David H. Lipman
Re: Encountered WMF Vulnerability

From: "MAP" <mikepawlak2REM@OVEhotmail.com>


|
| Hi David, if you are familiar with "process guard" I would like your opinion
| on it.
| http://www.diamondcs.com.au/processguard/
|
| Thanks!
|

Sorry, I am not acquainted with this application :-(

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

