A serious zero-day exploit of a vulnerability in Microsoft Windows Graphics Rendering Engine allows remote code execution.
The exploit uses specially crafted Windows Metafiles (WMFs) to execute malicious code, usually a trojan downloader, which then downloads and installs further malicious software onto the user's computer. At present, these WMFs are being hosted on a number of malicious websites.
This vulnerability affects ALL versions of Windows
Users may be infected purely by visiting a malicious website hosting an exploit WMF. Upon visiting such a site, a WMF file is loaded that executes shellcode which uses the recently reported Windows WMF vulnerability to download and execute another file (a trojan downloader). The trojan downloader then starts downloading and installing various malware onto the user's machine. The WMF is commonly detected by most AVs:
Note: At the time of posting, AVG still does not detect this exploit.

Jotti's online virus scanner:
File: xpl.wmf
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: ee656ce9601850f559dfb371f624508e
Packers detected: -
Scanner results:
- AntiVir: Found Exploit/IMG.WMF exploit
- ArcaVir: Found Trojan.Downloader.Agent.Acd
- Avast: Found Win32:Exdown
- AVG Antivirus: Found nothing
- BitDefender: Found Exploit.Win32.WMF-PFV.C
- ClamAV: Found Exploit.WMF.A
- Dr.Web: Found Exploit.MS05-053
- F-Prot Antivirus: Found security risk or a "backdoor" program
- Fortinet: Found W32/WMF-exploit
- Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Agent.acd
- NOD32: Found Win32/TrojanDownloader.Wmfex
- Norman Virus Control: Found nothing
- UNA: Found nothing
- VBA32: Found Trojan-Downloader.Win32.Agent.acd
The following malware is currently reported as being distributed:
Many of these install hoax AV programs such as AVGold, SpySheriff and WinHound that hijack the desktop, inform you that your computer is infected, and invite you to pay $30 for the full version of the hoax application to clean your machine. Your AV should be detecting these - if it's not, get one that does!
There are currently 58 known variants of this exploit, with many distributing malware described above. However, recently there are reports of rootkits also being used to hide malware installations, and it's only a matter of time before someone starts using this exploit to distribute something far more malicious.
The Partial Solution
Update: There is now an unofficial patch that has been released. It may be downloaded from our good friends at SANS:
At present, there is no patch for this vulnerability from Microsoft.
Part of the reason this vulnerability is so critical is that users can be infected automatically without doing anything. The exploit takes advantage of Windows Picture and Fax Viewer (shimgvw.dll), which automatically displays WMFs. Affected software includes, but is not limited to, Internet Explorer, Windows Explorer, MS Paint, Lotus Notes and Google Desktop.
A partial solution is to unregister the Windows Picture and Fax Viewer library, shimgvw.dll. Note, however, that this will disable Windows Picture and Fax Viewer and any applications that use it to provide previews or thumbnail views. It is only partial because the vulnerable code is in the Graphics Rendering Engine itself, not in shimgvw.dll: unregistering the viewer removes the most common automatic trigger, but any program that still renders a WMF through GDI remains exposed.
Windows Picture and Fax Viewer may be unregistered (disabled) by doing:

Start > Run > regsvr32 -u %windir%\system32\shimgvw.dll

and may be re-registered by doing:

Start > Run > regsvr32 %windir%\system32\shimgvw.dll

In addition to unregistering shimgvw.dll, users are advised to temporarily rename that dll (eg, shimgvw.unreg.dl_) to prevent applications that invoke it directly from re-registering it. When a patch is released from Microsoft, users should restore and re-register the dll before installing the patch.
Users are advised that Windows identifies WMFs by the code in the file header, not by the extension, so ALL image file extensions have the potential to carry this exploit: simply renaming an exploit .wmf to .jpg, .bmp, .png etc. would still result in exploitation of the vulnerability. Further, users should note that simply browsing into a directory containing a copy of an exploit WMF in Explorer (which renders thumbnails), or even listing it from the command line, has been reported as enough to trigger the exploit. In much the same way, services that use indexing, such as Google Desktop, may trigger an exploit WMF stored on the local hard disk.
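As an added illustration of the header point above (this is example code written for this post, not anything from the original advisory or from an AV vendor), the following Python script identifies WMF files by their METAHEADER rather than their extension, so a renamed .jpg or .png is still reported as a WMF. It also walks the metafile record list and flags META_ESCAPE records carrying the SETABORTPROC escape, which is the record type the December 2005 exploit files abuse (background knowledge of the vulnerability, not something stated in the post above). The sample files it scans are constructed inline and contain filler bytes, not shellcode; the record layout follows the published WMF format (record size in 16-bit words, then the function number).

```python
"""Identify WMF files by header, not extension, and flag SETABORTPROC escape records.

Added example, not code from the original post. All sample files are constructed here.
"""
import os
import struct
import sys
import tempfile

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 little-endian: Aldus placeable header
PLACEABLE_HEADER_LEN = 22              # placeable header precedes the METAHEADER
METAHEADER_LEN = 18                    # METAHEADER is 9 WORDs
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009                  # escape sub-function abused by the 2005 WMF exploit


def strip_placeable_header(data):
    """Drop the optional 22-byte placeable header so the METAHEADER is at offset 0."""
    if data.startswith(PLACEABLE_KEY):
        return data[PLACEABLE_HEADER_LEN:]
    return data


def looks_like_wmf(data):
    """True if the bytes begin with a plausible METAHEADER, whatever the filename says."""
    body = strip_placeable_header(data)
    if len(body) < METAHEADER_LEN:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", body, 0)
    # Type 1 = memory metafile, 2 = disk metafile; HeaderSize is always 9 words.
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def find_abortproc_escapes(data):
    """Walk the record list; return body offsets of META_ESCAPE records using SETABORTPROC."""
    body = strip_placeable_header(data)
    hits = []
    off = METAHEADER_LEN
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)  # RecordSize, RecordFunction
        if size_words < 3:
            break                      # malformed: a record is never shorter than its own header
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(body):
            escape = struct.unpack_from("<H", body, off + 6)[0]  # EscapeFunction
            if escape == SETABORTPROC:
                hits.append(off)
        off += size_words * 2
    return hits


def scan_directory(root):
    """Return (path, extension_lies, escape_offsets) for every file whose header says WMF."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not looks_like_wmf(data):
                continue
            ext = os.path.splitext(name)[1].lower()
            findings.append((path, ext != ".wmf", find_abortproc_escapes(data)))
    return findings


def build_sample_wmf(with_abortproc):
    """Construct a minimal disk WMF for testing. This is NOT an exploit file: the escape
    payload is filler bytes, and the record is there only so the scanner has something to flag."""
    records = []
    if with_abortproc:
        payload = b"\x90" * 8                                   # constructed filler
        rec_words = 3 + 2 + len(payload) // 2                   # header + EscapeFunction/ByteCount + data
        records.append(struct.pack("<IHHH", rec_words, META_ESCAPE, SETABORTPROC, len(payload)) + payload)
    records.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(records)
    total_words = (METAHEADER_LEN + len(body)) // 2
    max_record = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    # Type, HeaderSize, Version, Size (words), NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_record, 0)
    return header + body


def demo():
    """Write constructed samples to a temp dir, scan it, and return {filename: (lies, hits)}."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "clean.wmf": build_sample_wmf(with_abortproc=False),
            "holiday.jpg": build_sample_wmf(with_abortproc=True),   # WMF hiding behind .jpg
            "real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,        # not a WMF at all
        }
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return {os.path.basename(p): (lies, hits) for p, lies, hits in scan_directory(tmp)}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_directory(root) if root else demo().items()
    for entry in results:
        print(entry)
```

Run it with a directory argument to scan real files, or with no argument to scan the constructed samples. A hit on the escape record is a strong signal but absence is not a clean bill of health, so treat this as a triage aid beside your AV, not a replacement for it.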
Users may further protect themselves until a patch is released by taking the following steps:
- Don't use Internet Explorer; use the latest version of Firefox, which does not render WMFs inline and will prompt before opening one - decline the prompt
- Don't download or open any image files from untrusted sources
- Update your AV. If you don't have one, download and install the free 30-day trial of either Kaspersky or NOD32
- Make sure a firewall that filters outbound connections is turned on - the Windows XP firewall only filters inbound traffic, so it will not stop the trojan downloader calling out; a third-party firewall with outbound filtering can
- Don't click ignore if your AV or firewall pops up warnings - read them carefully and understand your response. "My firewall popped up a warning, but I clicked allow because I always do" will get you nailed every time
- Don't surf dodgy websites that may be hosting the exploit
- Don't use Google Desktop - uninstall it right now!
If anyone gets infected, post in the Spyware, Trojans and Viruses Forum and we can help you clean your machine.