New Windows exploit found - can infect your computer just by viewing an image

MrBond

Diamond Member
Feb 5, 2000
9,911
0
76
Link here:

http://www.securityfocus.com/brief/89

Basically it uses files with the Windows Metafile format to infect a computer. All you have to do is view a webpage with the image on it or access an infected image on your computer. For IE users, it will infect them automatically, since IE displays the images natively. Firefox will not display the image but will cache it, so if you mouseover/click/open the image from the cache, you will be infected.

There are reports of it downloading spyware, trojans, etc. There is no fix available from MS at this time.

Virus scanners should be updating themselves to detect this threat. NOD32 trial version already can, so if you don't have a virus scanner, get it here:

http://www.eset.com/download/trial.htm

Other things you can do are to avoid shady websites that might exploit this (although there are reports of it showing up on eBay auctions and MySpace pages). Run an alternative browser, such as Firefox or Opera. Turn off programs such as Google's Desktop Search, that index files on your computer. An infected WMF file just being indexed by such programs is enough to infect your PC. Avoid image searching. Update Windows regularly. This one is bad enough that MS should patch it pretty quick - but you never know.

I apologize if this is a repost, I searched for a bit before posting this here. I know this should be in software, but OT gets WAY more traffic and people need to know about this.

Edit: Link with more info:

http://forums.anandtech.com/messageview.aspx?catid=38&threadid=1770474
 

Safeway

Lifer
Jun 22, 2004
12,081
9
81
Wow :Q

Edit: I'm glad Anandtech doesn't offer direct image viewing on posts :laugh:
 

dug777

Lifer
Oct 13, 2004
24,778
4
0
Originally posted by: Phil
Good to know.

Hey Amused, here's the first virus that can infect you without your consent!

maybe it can tell you're high?
 

SLCentral

Diamond Member
Feb 13, 2003
3,542
0
71
My brother got this yesterday, I think. Totally f-ed up his PC, and he had to format. Even a clean with SpyBot, Adaware, and Norton wouldn't fix it :\. Of course, this was before I heard stories about this attack, so I told him to go ahead and format before I learned about the NOD32 fix.
 

Aquila76

Diamond Member
Apr 11, 2004
3,549
1
0
www.facebook.com
I'm surprised Nik hasn't said "Wrong Forum" yet. :evil:

j/k This should be in EVERY forum to spread the message. Kinda like a Tornado Warning System.
 

trinketsummoner

Senior member
Aug 24, 2004
695
1
81
Originally posted by: SLCentral
My brother got this yesterday, I think. Totally f-ed up his PC, and he had to format. Even a clean with SpyBot, Adaware, and Norton wouldn't fix it :\. Of course, this was before I heard stories about this attack, so I told him to go ahead and format before I learned about the NOD32 fix.

So what pr0n site did he visit?
 

SLCentral

Diamond Member
Feb 13, 2003
3,542
0
71
Originally posted by: trinketsummoner
Originally posted by: SLCentral
My brother got this yesterday, I think. Totally f-ed up his PC, and he had to format. Even a clean with SpyBot, Adaware, and Norton wouldn't fix it :\. Of course, this was before I heard stories about this attack, so I told him to go ahead and format before I learned about the NOD32 fix.

So what pr0n site did he visit?

He claims he was just sitting at his desk not even using his computer when all sorts of popups came up.
 

MrBond

Diamond Member
Feb 5, 2000
9,911
0
76
Originally posted by: Aquila76
I'm surprised Nik hasn't said "Wrong Forum" yet. :evil:

j/k This should be in EVERY forum to spread the message. Kinda like a Tornado Warning System.
I PM'ed the mods about this thread and asked them to sticky it if it wasn't a repost. Hopefully they'll sticky threads about it in the other forums too.

Edit: Doesn't have to be a porn site. Any site that allows direct-linking of images can have it. Forums where signatures with images allowed are a risk. Over at the SomethingAwful forums, someone had a 1x1 pixel image in his signature with the virus (he was found out and permabanned).

People were even saying that auctions for xbox 360's on eBay had infected images in them.
 

apinomus

Senior member
Dec 14, 2005
394
0
0
Yeah our IT people said there was a registry fix for this. I'll poll them on what it is...
 

MrBond

Diamond Member
Feb 5, 2000
9,911
0
76
Originally posted by: Chadder007
Mcafee caught something on my yesterday called Accoona?
No official name yet since it's just an exploit. MS is calling it the "Windows Metafile Vulnerability".

F-Secure has their lab blog updated with some info here:

http://www.f-secure.com/weblog/

Including a way to unregister Windows Picture and Fax Viewer - which they say is a good idea until the patch comes down.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Originally posted by: apinomus
Yeah our IT people said there was a registry fix for this. I'll poll them on what it is...
It's probably disabling the vulnerable DLL. I did that and was glad I did; I had a WMF come up later that night.
 

apinomus

Senior member
Dec 14, 2005
394
0
0
From the f-secure weblog:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.

This worked pretty quick for me and sounds like a good fix, since I don't use that annoying app anyway. IrfanView FTW
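The point in the quoted advisory that filtering on the .wmf extension is not enough, as an added example that is not code from this post or from F-Secure: a small Python triage script that recognises WMF and EMF content from the documented header bytes (the placeable-WMF key 0x9AC6CDD7, the META_HEADER Type/HeaderSize/Version words, and the EMR_HEADER " EMF" signature at offset 40), regardless of what extension the file carries. The sample "files" are constructed byte strings, not real images and not malware; scan_directory is an assumed helper for pointing the same check at a browser cache folder. It only identifies metafile content, it does not judge whether a metafile is malicious.

```python
"""Identify Windows metafiles (WMF/EMF) by header bytes rather than file extension.

Added example for this thread; not code from the forum post or from F-Secure.
Header-only triage: it recognises metafile content hiding behind other image
extensions, it does not determine whether that content is malicious.
"""
import os
import struct
from typing import Dict, List, Optional

# Placeable (Aldus) WMF header starts with the key 0x9AC6CDD7, stored little-endian.
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"
# EMF files start with an EMR_HEADER record: Type == 1 and the signature " EMF"
# (0x464D4520) at byte offset 40.
EMF_SIGNATURE = b" EMF"
# Extensions that are honest about carrying metafile content.
METAFILE_EXTENSIONS = {".wmf", ".emf"}


def classify_metafile(data: bytes) -> Optional[str]:
    """Return 'wmf-placeable', 'wmf', 'emf', or None, judging only by the header."""
    if data[:4] == PLACEABLE_WMF_KEY:
        return "wmf-placeable"
    if len(data) >= 44:
        (record_type,) = struct.unpack("<I", data[:4])
        if record_type == 1 and data[40:44] == EMF_SIGNATURE:
            return "emf"
    if len(data) >= 6:
        # META_HEADER: Type (1 = memory, 2 = disk), HeaderSize (always 9 words),
        # Version (0x0100 or 0x0300).
        file_type, header_size, version = struct.unpack("<HHH", data[:6])
        if file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return None


def disguised_metafiles(files: Dict[str, bytes]) -> List[str]:
    """Names whose content is a metafile but whose extension says otherwise, sorted."""
    hits = []
    for name, data in files.items():
        kind = classify_metafile(data)
        ext = os.path.splitext(name)[1].lower()
        if kind is not None and ext not in METAFILE_EXTENSIONS:
            hits.append(name)
    return sorted(hits)


def scan_directory(root: str) -> List[str]:
    """Assumed helper: walk a folder (e.g. a browser cache) and report disguised metafiles."""
    files: Dict[str, bytes] = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(64)  # header bytes are enough
            except OSError:
                continue
    return disguised_metafiles(files)


def _standard_wmf_header() -> bytes:
    # META_HEADER for a disk metafile, version 0x0300, followed by filler bytes.
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0) + b"\x00" * 16


def _emf_header() -> bytes:
    # EMR_HEADER: Type = 1, Size = 108, zeroed Bounds/Frame (32 bytes), then signature.
    return struct.pack("<II", 1, 108) + b"\x00" * 32 + EMF_SIGNATURE + b"\x00" * 64


# Constructed sample "files" (not real images, not malware): two metafiles hiding
# behind image extensions, one genuine PNG header, and two honestly named metafiles.
SAMPLES: Dict[str, bytes] = {
    "banner.gif": PLACEABLE_WMF_KEY + b"\x00" * 60,
    "photo.jpg": _standard_wmf_header(),
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 56,
    "chart.emf": _emf_header(),
    "drawing.wmf": _standard_wmf_header(),
}

if __name__ == "__main__":
    for name in disguised_metafiles(SAMPLES):
        print(f"{name}: metafile content ({classify_metafile(SAMPLES[name])})")
```

Run as a script it reports banner.gif and photo.jpg; scan_directory("path/to/cache") applies the same header check to real files. Treat a hit as a reason to look closer with an up-to-date scanner, not as proof of infection.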
 

apinomus

Senior member
Dec 14, 2005
394
0
0
Originally posted by: SampSon
This is the same type of exploit that has been used for over a year now.

It's probably something different, otherwise large AV companies wouldn't be making such a fuss over it.
 