Network News

X My Profile
View More Activity

Exploit Released for Unpatched Windows Flaw

Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied.

Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf).


Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via Internet relay chat (IRC) channels.

The exploit code, first posted on security mailing list Bugtraq, states that the included Internet address can successfully exploit a fully patched Windows XP system with a freshly updated [Symantec] Norton Anti-Virus. Symantec said it has verified that the exploit works on fully-patched Windows XP systems, and that updates that would allow its anti-virus program to detect threats trying to exploit the new flaw would be released as soon as possible, though it noted that "some of the components of this attack, including the exploit itself, are NOT detected by Symantec products."

According to an overnight post at the SANS Internet Storm Center, the link provided at Bugtraq when clicked on successfully drops a Trojan horse program onto fully patched Windows XP SP2 machines (other Windows versions may also be affected.) The Trojan will then download a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove threats it claims are resident on the user's machine.

Security Fix has not be able to reach Microsoft about this reported problem, though I can only imagine the consternation this is causing in Redmond right now, and I'd guess that Microsoft will be working on a patch to fix the problem as soon as possible. Security Fix will update this post as soon as more information is available. In the meantime, the same advice we've given still stands: be extremely cautious about clicking on links that arrive in e-mail or instant message: in this case, it could mean very nasty results for your PC.

Update, 12:30 p.m. ET: Several security groups are reporting that it is extremely easy to get whacked by this vulnerability/exploit just by visiting one of a growing number of malicious Web sites that are now employing this attack. F-Secure's blog post on this indicates that -- because the vulnerability lies in the way Windows parses WMF image files -- Firefox and Opera users also can get infected -- although they at least have to agree to download and run a file first. The Sunbelt Blog also has some good information on this exploit, including some nice screenshots of what it looks like when your machine gets hit with this.

What's more, the exploit itself has just been rolled into Metasploit, an open-source vulernability assessment tool that the bad guys also can use to help automate attacks.

A Microsoft spokesperson said the company is investigating, though no official word from them yet. A couple of security firms, including Verisign's iDefense, have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.

Update, 2:31 p.m. ET:According to information posted at Internet security company Websense, the exploit is now being used by thousands of Web sites to install a bogus anti-spyware application that is fairly tedious to remove from infected machines. Also, Websense says the program "prompts the user to enter credit card information in order to remove the detected spyware. The background image used and the "spyware cleaning" application vary between instances. In addition, a mail relay is installed on the infected computer and it will begin sending thousands of SPAM messages." The above image is from Websense's alert.

It's also worth noting that the SANS Internet Storm Center has increased their threat level to "yellow" over this exploit, noting that a lot of people are on holidays and might overlook this problem.

By Brian Krebs  |  December 28, 2005; 2:47 AM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Give the Gift of Security
Next: Update on the Critical Unpatched Windows Flaw


Does this cause a problem for XP's sibling, 2000? Should all us admin's be running this script?

Posted by: Asa Taylor | December 28, 2005 2:11 PM | Report abuse

Asa - the answer to your question is a big "yes." it appears this problem may be bigger than first expected, and that W2k systems are at risk from this as well.

Posted by: Bk | December 28, 2005 2:15 PM | Report abuse

My computer was hit by this and we had to reimage to get rid of it.

Posted by: jg | December 28, 2005 3:17 PM | Report abuse

And the advantage to the consumer of a proprietary image format (WMF) is what again?

I knew it would not take too long for Microsoft to demonstrate where SONY got the 'tude.

For the last time guys: to endanger the many to protect your interests from the rotten few is reprehensible.

Posted by: GTexas | December 28, 2005 3:44 PM | Report abuse

I got it too I had to find my hidden internet files and delete them .Norton detected them ,Not sure if anything else was put on my system.

Does anyone ever ask is linux affected?

Posted by: Anonymous | December 28, 2005 8:30 PM | Report abuse

wmf is a VERY old format though.. it's mostly not used anymore IIRC

Posted by: techfury90 | December 28, 2005 9:22 PM | Report abuse

Using regsvr32 /u shimgvw.dll doesn't just just disable thumbnails it also disables the picture viewer. Why not just delete the association for .WMF files instead.

Posted by: anonymous | December 28, 2005 9:35 PM | Report abuse

This isn't exactly new, apparently . . . this write-up says 11/08/05... or are we seeing something else? Also, Win 2K is listed in the write-up.

Posted by: Loregon | December 28, 2005 10:00 PM | Report abuse

I was affected too. It took me a couple hours to clean this one. Clicking on the malicious link caused many files to be created on computer all over the place. There was file called msupdate32.exe (i think) which I couldn't delete, not even in safe mode, until I deleted the registry entry that caused it to be loaded. It wasn't even something you could remove with the msconfig utlity. Good job microsoft.

Posted by: John Doe | December 28, 2005 10:10 PM | Report abuse

I had this virus a few months ago. It simple appreaded on my Win 2000 machine. I use IRC on it 24/7. It had the same desktop wallpaper, and many icons relating to adult activities. AdAware cleared it up in Safe mode.

Posted by: Austin | December 28, 2005 10:26 PM | Report abuse

Windows will always be crummy

Posted by: Soiler | December 28, 2005 11:32 PM | Report abuse


Posted by: Scooby? | December 29, 2005 12:21 AM | Report abuse

No big deal.........

this habit of windows Operation System.

M. Abdul Mannan

Posted by: M. Abdul Mannan | December 29, 2005 12:26 AM | Report abuse

I hate Bill Gates.

Posted by: Charles | December 29, 2005 1:21 AM | Report abuse

I'd surmise that deleting the WMF association alone won't work because many Windows apps ignore extensions - MSIE, and other browsers too, for sure does ... it relies a lot on the content type header in determining how to display content.

Normally such behavior works out fine, since Windows will filter content types, such as x-type/application and pop-up warnings / block them.

What causes the problem in this instance is that WMF is not considered a potentially harmful content type, but unfortunately due to the buggy implentation/rendering it is, at least until MS issues a patch ... whenever they get around to it.

To digress a bit, I bought a close relative a Mac about a month ago ... works like a charm (they can still do everything they're used to - browse, email, etc) - far less security/configuration nonsense to deal with ... everytime I read about an unpatched Windows exploit I cringe and think to myself "why do am putting up with this crap" ... a Mac is looking better all the time ... I'm off to the Apple site again LOL!


Posted by: Deleting WMF association likely won't work... | December 29, 2005 2:39 AM | Report abuse

here's what I did today. So far no real ill effects. Loads slower, though. May be worthless. Get the Avant browser and use the tools dropdown to disable pictures if your overly precautious. You'll have a better looking browser as a bonus, faster as well.

Posted by: George | December 29, 2005 3:36 AM | Report abuse

Seems there's a lot of ignorance about what WMF is. It's not really an image format. A WMF file can capture GDI operations on either a screen or a printer device and replay them later. It isn't intended for use as a general graphics format although, at least in the past, it has been used for vector clipart (probably because there wasn't a better format at the time).

Posted by: Leo Davidson | December 29, 2005 3:39 AM | Report abuse

Is this not the same vulnerability described at ?

Posted by: Andy | December 29, 2005 7:31 AM | Report abuse

Question: does anyone know if any anti-spyware software that protects in real time, like Spy Sweeper 4.5, prevents any of this from installing?

Posted by: Anon | December 29, 2005 9:20 AM | Report abuse

Just attempted to install the netcraft toolbar mentioned. It appears that current netcraft toolbar is not compatible with the new(er)(est) version of FireFox newer than version 1.5

Posted by: Thomas | December 29, 2005 9:28 AM | Report abuse

Is it safe to assume that running under a limited access user account would prevent this infection? Or at least make it harder to get infected?

Posted by: SLS | December 29, 2005 9:30 AM | Report abuse

How can you repair an a machine that was affected? Adaware and Grisoft found the virus but could not delete all the files and would become infected again at restart. Was reading a sports article when I became infected....

Posted by: JB | December 29, 2005 9:42 AM | Report abuse

You can avoid the risk altogether with this approach:

Posted by: Lorin | December 29, 2005 9:50 AM | Report abuse

This flaw exists in all versions of windows back to 98. According to symantec, .gif and .jpg can also be used to deliver the exploit.

This could potentially be REALLY bad.

Posted by: Mike | December 29, 2005 10:41 AM | Report abuse

I've seen this twice in the last week. Once on my gaming machine at home, and now on a client's laptop. I tried everything I could to get rid of it on my own machine (update norton, scan in safe mode & regular windows boot. Scan with TrendMicro PC Housecall in safe & normal boot. Adaware SE, MS Anti Spyware Beta, Spybot, Spysweeper). Disabled the WMF parsing engine through the script, removed registry entries related to the spyware/virus. I ended up just reloading from a GHOST image. This is not an option on my client's laptop, unfortunately...and I am foaming at the mouth trying to find a solution, or for M$ to release a fix. Long live the M$ dynasty of screwing paying customers over.

Posted by: infection | December 29, 2005 11:26 AM | Report abuse

Couple things to fix this bug. First off install AVG(not sure other Anti virus will work) Spybot and adaware. Update fuly then boot to safe mode. in safe mode run both. These two did manage to get rid of MOST this migraine. Also run hijack. Make sure the netsh file is not pulling as well. Also make sure you disable the following the run box "regsvr32 /u shimgvw.dll". Clean out your temp files on all your logins, clean out all temporary internet files and folders manually .

delete secure.html from your root.

reboot to normal mode and wash and repeat in all logon idents.

NOTE: You will have to go in and manually delete the virus from your windows directories in safe mode!!!!!

Posted by: Kaharthemad | December 29, 2005 11:41 AM | Report abuse

Hello, I have XP SP2 fully patched with Symantec Anti virus. I tried to desable rendering as mentioned on this page but it says "shimgvw.dll" not found. Any help??

Posted by: Azhar | December 29, 2005 1:33 PM | Report abuse

2000 doesnt have ms picture and fax viewer

Posted by: internet | December 29, 2005 1:53 PM | Report abuse

For those of you that are infected, the best option is to use System Restore. If System Restore is not available, here are some guidelines on how to clean it manually. Depending on the site you visited the infection may be slightly different. First run Sbybot to get rid of all the files that it was able to detect. Next delete all files in your C:\, C:\Windows, and C:\Windows\System32 folders that were created on the date of the infection or after. A few of these files you may not be able to delete until you clear them from your startup using msconfig then restarting the system. There was also one file I couldn't delete or unregister until I removed some entry from my registry and rebooted the system. Run Sbybot again as a last step. Good Luck.

Posted by: John Doe | December 29, 2005 2:20 PM | Report abuse

Linux,BSD, Unix, MAC won't be affected because buffer overflows are detected and trapped by the kernelvm, data space is usually not allowed to execute, and very probably the separation of user space from root/system and other user space enforced by passwords prevents an exploit from getting very far.

And files without executeable magic numbers are allowed to execute.

Posted by: CWR | December 29, 2005 2:22 PM | Report abuse

One thing I forgot to mention. Make sure you are diisconnnected from the internet while you are cleaning the files. After you remove all the files and while you are disconnected start internet explorer. There should be an option under tools to restore your internet settings and homepage. Select this option. Also check your firewall setting to make sure the infection didn't make any changes.

I'm convinced these spyware infections are the work of linux zealots.

Posted by: Anonymous | December 29, 2005 2:30 PM | Report abuse

Microsoft has issued a patch for this. For some reason, it doesnt come up when you run windows update. You have to manually browse to the security bulletin:

It mentions Windows XP and Windows XP SP1, but what about Win XP SP2?

Posted by: anon | December 29, 2005 8:29 PM | Report abuse

sorry, wrong patch. disregard.

Posted by: anon | December 29, 2005 8:38 PM | Report abuse

Some of the incarnations of this are very virulent. Some rudimentary analysis can be found on


Posted by: Valsmith | December 29, 2005 9:46 PM | Report abuse

Man I am getting sick of this crap, I am seriously considering switching to a Mac.

Posted by: John T. | December 30, 2005 6:42 AM | Report abuse

Why do those so-called "security researchers" publish info online about how to exploit major Windows security flaws? Aren't they at least as guilty as the hackers who exploit them? Who do the researchers work for, anyway, Apple?

Posted by: Scott | December 30, 2005 8:50 AM | Report abuse

the regsvr32 fix above does not seem to work on NT boxen. Is NT affected?

Posted by: JM | December 30, 2005 10:06 AM | Report abuse

>Using regsvr32 /u shimgvw.dll doesn't just just disable thumbnails it also disables the picture viewer. Why not just delete the association for .WMF files instead

Good Idea and if you disabled and need to re-enable it just do:
regsvr32 /u shimgvw.dll

Posted by: Sherm | December 30, 2005 10:52 AM | Report abuse


>Using regsvr32 /u shimgvw.dll doesn't just just disable thumbnails it also disables the picture viewer. Why not just delete the association for .WMF files instead

Good Idea and if you disabled and need to re-enable it just do: (CORRECT to fix)
regsvr32 shimgvw.dll

Posted by: Sherm | December 30, 2005 10:54 AM | Report abuse

The 'temporary' regsr... fix worked on my notebook with XP, but not on my desktop 98SE. I got a message that said: "Loadlibraryfailed("skivgvw.dll")failed.Get last error returns 0x00000485."

Any suggestions?

Posted by: Bill Bowdon | December 31, 2005 10:35 AM | Report abuse

How do we disable WMF? Thanks

Posted by: hazy | December 31, 2005 12:24 PM | Report abuse

What's a poor user to do? I run the Firefox browser in my Windows XP laptop, to avoid the vulnerabilities of MS-IE. Unfortunately, trying to visit the MS update web site will then return a message saying that in order to access the site, one must run IE5 or newer. Thanks fer nuthin', Microsoft.

Posted by: JimG | December 31, 2005 1:32 PM | Report abuse

got the bug and used spy doctor in safe mode in windows xp sp2 it caught it and fixed it

Posted by: gls | December 31, 2005 7:26 PM | Report abuse

JimG wrote:
>>What's a poor user to do? I run the Firefox browser in my Windows XP laptop, to avoid the vulnerabilities of MS-IE. Unfortunately, trying to visit the MS update web site will then return a message saying that in order to access the site, one must run IE5 or newer.

Give the following a try:
- Raise the Internet zone to High;

- Add Windows Update to the Trusted Sites zone list;

- Run IE only when you need to access Windows Update.
(optional) Run IE under DropMyRights.

Posted by: Mark Odell | January 1, 2006 1:28 PM | Report abuse

i can't get into safe mode. it keeps loading "mssearchnet.exe" and everytime i restart, it tries to install "spyaxe" i've tried diff virus programs they don't find anything and spybot, adaware etc to clean it out but it's still here whatever it is

Posted by: anon | January 2, 2006 3:45 AM | Report abuse

No windows update yet available for this, not until Jan 10 probably, so update is moot, but for FF users, there is an extension called Windows Update which will lauch the update page in IE for patches.

FF users using the extension adblock can block *.wmf and *.emf files but remember that won't protest you from email, infected word files, etc.

Posted by: Dave H | January 3, 2006 10:52 AM | Report abuse


DO NOT surf the internet when you are logged on to your PC with administrative privileges!

I intentionally released this Trojan on two test computers. On the computer logged on as an administrator the Trojan took complete control in less than a minute. It downloaded and installed rouge software called WinHound. It made numerous changes to the registry, services, and Internet Explorer. It would have taken hours to repair all these changes and even then one could not trust the computer again.

In contrast on the test computer logged on as a normal user the virus did almost no damage at all. It can't because it doesn't have the administrative privileges to modify system settings. The Trojan was easily killed by ending the process in Task Manager listed "26.exe" (the number will vary). And the job was finished by deleting a few user (not system) registry entries in key:


The computer was easily repaired in less than 5 minutes!

To guard yourself against this and other Trojans/Viruses you need to change your normal logon account to a normal user account. This is easily done from the Windows control panel "Users and Groups" applet. Just reference a Windows manual or ask a computer shop if you need more help making this simple change.

Microsoft recommends disabling the affected software until the patch is release on January 10. Here are the commands:

regsvr32 /u %windir%\system32\shimgvw.dll

regsvr32 %windir%\system32\shimgvw.dll

You must be logged on as an administrator for these commands to work correctly. When "shimgvw" is disabled it will change the way picture files are displayed in the file browser. This is normal. You can enable it again after installing the soon to be released patch from Microsoft.

Best wishes and happy computing!

US Navy

Posted by: Robert | January 3, 2006 4:03 PM | Report abuse

This doesn't look like a Q & A forum, but I'm fairly sure that I obtained the so-called ".wmf" file the other day as I was doing on-line research. My browser is Firefox. I clicked on a link and the website automatically downloaded the ".wmf" file and asked to run it - of course I immediately clicked no . . . then Norton picked up a file as a virus and quarantined it. No further problems, except ZoneAlarm identifies random "Common Client User" requests by "ccApp.exe" (norton) to modify system settings - again, I click deny since I do not know what "ccApp.exe" is trying to modify. Norton Anti-Virus, Spybot, Ad-Aware, Spybotblaster all come up clean. I deactivated "shimgvw.dll" but I think it is after the fact. The only problem I have is that I can't run "NMain.exe" from my taskbar b/c "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I am running logged in under administrative mode and have administrative privileges. Running Norton directly from the root works fine. Any suggestions?

Posted by: John Jay | January 5, 2006 10:57 AM | Report abuse

This Is

Posted by: Matt | January 6, 2006 11:29 AM | Report abuse

Why isn't the department of Justice shutting those malicious sites down. The internet's purpose is clearly not intended for that; however, Norton won't make a dime and Microsoft researchers will be out of a job. So why complain about this virus when everyone is intending on creating a 'new' version of Norton Antivirus for profit?

Posted by: smitheo1 | January 8, 2006 4:09 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company