Virus targeting newly discovered Microsoft vulnerability on IE
New viruses are circulating that arrive with an attached .WMF file. Although WMF files are media files, an inherent fault in Windows' code allows code inside such a media file to be executed by Windows.
This exploit does not require any user intervention to open an attachment. A file embedded within an HTML email read by Outlook Express will also cause this exploit to work if the option of reading all emails in plain text is not enabled and the security zone is incorrectly set to the Internet zone.
In IE, an embedded WMF within the web page would be executed immediately. In the Firefox and Opera browsers, a prompt would appear asking you whether to open the file or not.
With the integration of Windows Explorer and IE in many of its functionalities, this exploit can potentially spread even on network shares, or through just viewing such files in thumbnail or icon mode, even if these files are renamed to BMP, TIFF or other graphic extensions.
And as usual, antivirus programs do very little to protect an unpatched system from this exploit. As per the current trend of such exploits, it leads to the opening of a backdoor to your system, which will allow the author to install spyware on your machines.
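The point about renamed files can be checked by looking at file content instead of the name. The following Python sketch is an added example, not part of the original advisory: it walks a folder and reports files that carry a graphic extension other than .wmf but begin with a WMF header. The header constants come from the published WMF file format and are not given on this page; the function names and sample bytes are constructed for illustration.

```python
import os
import struct
import tempfile

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" pre-header
GRAPHIC_EXTS = {".bmp", ".tif", ".tiff", ".gif", ".jpg", ".jpeg", ".png"}

def is_wmf(data):
    """True if the bytes start with a WMF header, whatever the file is called."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        data = data[22:]  # skip the placeable pre-header
    if len(data) < 18:
        return False
    ftype, hdr_words, version = struct.unpack_from("<HHH", data)
    # Standard header: type 1 (memory) or 2 (disk), 9 words long, version 1.0 or 3.0
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def find_disguised_wmf(root):
    """Paths under root with WMF content but a non-.wmf graphic extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in GRAPHIC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(40)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if is_wmf(head):
                hits.append(path)
    return sorted(hits)

def sample_wmf_header(placeable=False):
    """Constructed header bytes for the demo; not a complete, renderable metafile."""
    std = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 3, 0)
    pre = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
    return (pre if placeable else b"") + std

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample files
        samples = {"photo.bmp": sample_wmf_header(), "scan.tiff": sample_wmf_header(True),
                   "real.bmp": b"BM" + bytes(38), "chart.wmf": sample_wmf_header()}
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        for hit in find_disguised_wmf(d):
            print("WMF content under another extension:", os.path.basename(hit))
```

A hit only means the content and the extension disagree; it says nothing about whether the metafile is malicious, so treat it as a reason to quarantine and inspect the file.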
To work around this bug, you will need to run regedit on your version of Windows until Microsoft releases a patch for it (mid-January 2006). Windows 98/ME machines are no longer supported by Microsoft, so their only option is this workaround.
Go to the command prompt (Start, Run and type CMD). Highlight, right-click and copy the following:
regsvr32 -u %windir%\system32\shimgvw.dll
Go to the command prompt window, right-click and paste, then press Enter.
What impact will it have on your system? Unregistering shimgvw.dll will cause the Windows Picture and Fax Viewer program not to be associated with files of the WMF extension.
If you are running Windows XP, it is also advisable to enable DEP (Data Execution Prevention).
1. Click Start, Control Panel, double click System.
2. Click Advanced tab, click Performance.
3. In Performance option, click Data Execution Prevention tab and turn it on.
You can also download Firefox to secure your system in case you visit compromised or dubious sites that may have some variant of the above exploit.
Protect your system with the latest version of Panda Antivirus Software or Computer Associates' EZ Antivirus.