Sunbeltblog comments

The posted link to IE-SPYAD is broken.

Thanks for the information.


I forgot to tell Alex that Eric has all the sites that may be involved in this, as I update him weekly.

webhelper


The link for IE-SPYAD should be: https://netfiles.uiuc.edu/ehowes/...ww/resource.htm


Another workaround: using Proxomitron, a web filter.

The web filter will catch most .WMF images, but then there are those that are loaded through heavily encrypted JS files. This is where the Header filter comes in. It kills any connection to a URL with a .WMF extension.

[Patterns]
Name = "Kill .WMF [Kye-U]"
Active = TRUE
Bounds = ""
Limit = 256
Match = "*.wmf*"
Replace = "$ALERT(.WMF Extension Killed on:\n\n\u)"

[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill WMF Connection [Kye-U] (Out)"
URL = "(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.wmf(*)\1$TST(\1=(^/))"
Match = "*&($CONFIRM(.WMF FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1)|$SET(1=URL with .WMF Extension Killed\k))"
Replace = "\1"


It seems to have been mangled.

Go here for the working versions:

http://kyeu.info/proxo/forums/vi...php?p=6562#6562


Wow. This must be a big one, seeing I've never seen this much correspondence in such a short period on this blog before.

Funny thing. WMF was auto-associated with the GIMP on my PC. Changed it to notecard because I never use the file format, but... heh.


First time the GIMP has (potentially) saved my PC. Not that I plan to test that theory.


The links for IE-SPYAD that I posted here work (for me anyway).

http://www.haloscan.com/comments...6469820/#159000

IE-SPYAD was just updated on the 27th.

http://www.spywarewarrior.com/vi...pic.php?t=18755


I hopefully have fixed the links. Been moving very fast, folks, my apologies.

Regarding these workarounds, none of them are perfect as you can still have a WMF file spoofed.

Also, from SANS:

http://isc.sans.org/diary.php?rss

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.


I think I have personally survived this attack. It is truly nasty. Check out my post at slashdot for the gory details:

http://it.slashdot.org/comments....99&cid=14355964
 


Hi All:

The correct link for IE-SPYAD is here:

https://netfiles.uiuc.edu/ehowes/...ww/resource.htm

There is an interim update for IE-SPYAD available now:

http://www.dslreports.com/forum/...remark,15121689

That update is designed to be installed on top of an existing install of IE-SPYAD.

Best,

Eric L. Howes


Hello,

Extensions do not matter (even .tiff or .gif files could be set up as a WMF exploit), so beware.

And it works under any program which will use WMF via the DLL (IE, Opera, FF, Mozilla), so only the workaround of disabling the WMF DLL works.

Best regards,
Luke


Seems that SHIMGVW.DLL is used for ALL thumbnail processing in Windows; the REGSVR unregister method effectively prevents Windows Picture and Fax Viewer from working AT ALL, and completely disables image previewing in any file or folder, offline or online. 'Tis a small sacrifice to avoid nightmares, but do take note you'll be opening up Paint more while M$ drags their feet.


Luke is right...


Alex, the PreEmpt product from PivX blocks this exploit (http://www.pivx.com/HomeOffice/). I am not associated with PivX, just a happy user.

Later,

EricB


[Patterns]
Name = "Kill Infected .WMF Files [Kye-U]"
Active = TRUE
URL = "$TYPE(oth)"
Limit = 15
Match = "[%01][%00][%09][%00][%00]"
Replace = "\k$ALERT(Infected .WMF File Killed on:\n\n\u)"

This filter will kill any file that matches the magic bytes for infected files.

I see it as a strong workaround or prevention.

Alex, can you please add this to the list? Thanks!
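The SANS note quoted earlier and the magic-byte filter above make the same point from two sides: Windows identifies a WMF by its content, so a filter keyed on the ".wmf" extension alone can be bypassed by renaming, while a content check is not. The following Python is an added illustration, not code from this comment thread or from Proxomitron. It recognises the two WMF header forms (the Aldus placeable key 0x9AC6CDD7 and the standard metafile header of type, header size 9 words and version, which is what the [%01][%00][%09][%00][%00] pattern matches) and compares that with an extension-only check over constructed sample files; no sample is a working metafile, only header bytes padded with zeros.

```python
# Added example: content-based WMF identification versus extension-based
# filtering. Not code from this comment thread; the sample files are constructed.
import struct

# Aldus placeable metafile key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"

# Standard WMF header: Type (1 memory, 2 disk), HeaderSize (always 9 words),
# Version (0x0100 or 0x0300), all little-endian 16-bit values.
WMF_TYPES = (1, 2)
WMF_HEADER_WORDS = 9
WMF_VERSIONS = (0x0100, 0x0300)


def is_wmf_content(data: bytes) -> bool:
    """Return True if the leading bytes look like a Windows Metafile."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < 6:
        return False
    mtype, header_words, version = struct.unpack("<HHH", data[:6])
    return (mtype in WMF_TYPES
            and header_words == WMF_HEADER_WORDS
            and version in WMF_VERSIONS)


def has_wmf_extension(name: str) -> bool:
    """The extension-only test that a perimeter filter on '*.wmf' performs."""
    return name.lower().endswith(".wmf")


# Constructed samples (filename -> first bytes). None is a working metafile.
SAMPLES = {
    # genuine extension and genuine standard header (type 1, 9 words, v3.0)
    "chart.wmf": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 10,
    # placeable WMF renamed to .gif: an extension filter lets it through
    "photo.gif": PLACEABLE_KEY + b"\x00" * 18,
    # real GIF signature: neither check fires
    "logo.gif": b"GIF89a" + b"\x00" * 10,
    # PNG signature with a .wmf name: extension filter blocks, content check does not
    "icon.wmf": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
}


def scan(samples: dict) -> dict:
    """Run both checks over every sample and report the two verdicts side by side."""
    return {
        name: {"by_extension": has_wmf_extension(name),
               "by_content": is_wmf_content(data)}
        for name, data in samples.items()
    }


def missed_by_extension_filter(samples: dict) -> list:
    """Names whose content is WMF but which an extension-only filter would pass."""
    return sorted(name for name, verdict in scan(samples).items()
                  if verdict["by_content"] and not verdict["by_extension"])


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:10s} ext={verdict['by_extension']!s:5s} content={verdict['by_content']}")
    print("missed by extension filter:", missed_by_extension_filter(SAMPLES))
```

Running the block lists photo.gif as the file an extension filter misses, which is exactly the "WMF sailing in disguise" case from the SANS diary; the reverse case, icon.wmf, shows that an extension filter also blocks files that are not metafiles at all.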


Forgot the blog mangles the code. Please visit the following link to import this into Proxomitron.

http://kyeu.info/proxo/forums/vi...topic.php?t=699


Just a thought; but since (at present) this exploit has to do with (what Microsoft considers) graphics files, has anyone tried simply disabling image-loading in IE and seeing if infections still happen?


Howdy, all,

Thanks for all the great help you provide.

I have published an illustrated step-by-step guide to unregistering the SHIMGVW.DLL and also the handling of WMF files. I also published an illustrated step-by-step of how to install the Kerio Firewall and how to update the bad-traffic.rlk file.

I believe that we need to remember that many of the people surfing are unable to follow the technical jargon that we all use, and to protect their computers they need to have their hands held.

The guide is at www.HelpProtectMyComputer.com.

I have a question about a comment in one of the forums that suggested that the SHIMGVW.DLL file should be renamed or deleted to prevent graphics programs from automatically re-registering the file.

I tried to rename the file in all its locations, but it kept on re-installing.

I then tried to delete it and was successful, but got the warning that Windows might become unstable, so I restored it.

Any thoughts?

Thanks

Steve


The link in the previous comment leads to the right page, but the anchor text was truncated.

It should be www.HelpProtectMyComputer.com/WMFflaw.html.

Sorry about that.

Steve



Commenting by HaloScan