A new exploit… Seriously Dangerous..

A zero-day WMF exploit affects Windows' image rendering (specifically WMF, or Windows Metafiles). There is currently no fix for this, only a temporary workaround. Even a fully patched Windows XP SP2 isn't immune to this threat, so yeah, this is dangerous 😮

These sites have been classified as hosting this exploit and should be avoided at all costs.


It's used to install spyware and fake anti-spyware / antivirus software on the affected machines, and real viruses are soon to come.

Over 57 different versions of infected WMF files have been reported so far; F-Secure detects them as PFV-Exploits.

The current way around this exploit (applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003):

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll”
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.
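Because GDI recognises a metafile by its header rather than by its file name, a defender can check content the same way. The following Python is an added example (not from the original post, F-Secure or Microsoft): it parses the optional placeable header and the standard WMF header, walks the record list, and flags a file whose bytes are WMF but whose extension claims another image type. The sample bytes are constructed here, not taken from any real exploit file.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # key at the start of a placeable (Aldus) WMF
META_EOF = 0x0000           # function number of the terminating record

def _wmf_header_offset(data):
    """Return the offset of the standard WMF header, or None if not a WMF."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the 22-byte placeable header
    if len(data) < off + 18:
        return None
    mtype, hdr_size, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = memory metafile, 2 = disk metafile; HeaderSize is always 9 words
    if mtype not in (1, 2) or hdr_size != 9 or version not in (0x0100, 0x0300):
        return None
    return off

def count_records(data):
    """Walk the record list and return the number of records before META_EOF,
    or -1 if the bytes are not a well-formed WMF."""
    off = _wmf_header_offset(data)
    if off is None:
        return -1
    pos, n = off + 18, 0
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:
            return -1  # a record cannot be smaller than its own 6-byte header
        if func == META_EOF:
            return n
        pos += size_words * 2  # RecordSize is counted in 16-bit words
        n += 1
    return -1  # ran off the end without seeing META_EOF

def is_disguised_wmf(filename, data):
    """True when the bytes are a WMF but the name claims a different image type."""
    return count_records(data) >= 0 and not filename.lower().endswith(".wmf")

# Constructed sample: placeable header, standard header, one META_SETMAPMODE
# record (MM_ANISOTROPIC = 8) and a META_EOF record, 54 bytes in total.
SAMPLE = (
    struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    + struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
    + struct.pack("<IHH", 4, 0x0103, 8)
    + struct.pack("<IH", 3, META_EOF)
)

if __name__ == "__main__":
    print(count_records(SAMPLE), is_disguised_wmf("holiday.jpg", SAMPLE))
```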

Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038

Even with this workaround… F-Secure reports that it doesn't protect you if you open the infected files with MSPAINT. So for the time being it's highly recommended you avoid using MSPAINT at all costs.. not that it's a good program to use in the first place… :p but with this situation.. here's another reason not to use MSPAINT and to use something such as Photoshop, Paint Shop Pro, Corel Paint Shop etc etc.. just avoid using and opening files with MSPAINT… 🙂
